Full Report
Near-Field Communication (NFC) relay malware has grown massively popular in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal people's payment card information in the past few months. [...]
Analysis Summary
# Tool/Technique: NFC Relay Malware (General Family)
## Overview
This refers to a rapidly growing category of malicious Android applications, prevalent in Eastern Europe, that steal payment card data and commit contactless fraud by abusing Near-Field Communication (NFC), specifically Android's Host Card Emulation (HCE) feature, which lets an ordinary app answer a payment terminal's APDU commands in software without a secure element.
## Technical Details
- Type: Malware Family/Technique
- Platform: Android
- Capabilities: emulating a contactless card to a terminal via HCE, harvesting EMV fields (PAN, expiry, track-2 equivalent data) from a card tapped on the infected phone, intercepting and relaying APDU commands to a paired device, and completing POS transactions remotely.
- First Seen: Spotted in the wild in 2023 (Poland).
## MITRE ATT&CK Mapping
*Note: As this is a technique rather than a specific named malware, mappings focus on the underlying actions and use the ATT&CK for Mobile matrix (the Enterprise/Windows IDs do not apply to Android). ATT&CK for Mobile has no technique dedicated to NFC/HCE card emulation or APDU relay, so that core behaviour is described under Functionality rather than mapped.*
- **TA0027 - Initial Access**
- T1660 - Phishing (If the fake bank app or PWA is delivered through links and distribution hubs)
- **TA0028 - Persistence**
- T1541 - Foreground Persistence (Foreground service kept alive while the relay is active)
- T1624.001 - Event Triggered Execution: Broadcast Receivers (Implied by the autostart mechanisms often used in malicious Android apps)
- **TA0030 - Defense Evasion**
- T1655.001 - Masquerading: Match Legitimate Name or Location (Impersonating Google Pay and bank apps)
- **TA0037 - Command and Control**
- T1437.001 - Application Layer Protocol: Web Protocols (If communicating with HTTP(S) C2 servers)
- T1481.002 - Web Service: Bidirectional Communication (Telegram bots and private channels)
- **TA0036 - Exfiltration**
- T1646 - Exfiltration Over C2 Channel (For data harvesters sending EMV fields via Telegram/other endpoints)
## Functionality
### Core Capabilities
- **EMV Field Harvesting:** Capturing the EMV data fields (PAN, expiry, track-2 equivalent data, cardholder name) returned in APDU responses when a physical card is tapped on the infected phone. These static fields are enough for card-not-present fraud; the per-transaction cryptogram is bound to the terminal's unpredictable number and cannot be replayed, which is why fraudulent tap payments need a live relay.
- **Contactless Payment Emulation/Relay:** Abusing the Host Card Emulation (HCE) feature so the infected or attacker-controlled phone presents itself as a payment card to an unsuspecting Point-of-Sale (POS) terminal.
- **APDU Command Handling:** Intercepting Application Protocol Data Unit (APDU) commands from the POS terminal and either answering them with attacker-controlled replies or forwarding them to a remote relay endpoint, which returns responses generated from the victim's card so the terminal accepts the transaction.
### Advanced Features
- **Relay Toolkits:** Forwarding captured APDUs over the network to a paired device (the attacker's phone at the terminal, or the victim's phone holding the card) and returning the responses quickly enough for the terminal to accept them.
- **"Ghost-tap" Payments:** Completing POS transactions from the attacker's device in real time using relayed card responses, so the purchase is authorized without the physical cardholder present.
- **Distribution via Impersonation:** Disguised as legitimate apps, impersonating Google Pay or major financial institutions (e.g., Santander Bank, VTB Bank, Tinkoff Bank, ING Bank).
- **PWA Implementation:** Delivered as Progressive Web Apps (PWAs) or fake bank apps that register as the device's default payment handler on Android.
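The exchange described above, as an added example that is not part of the report or any of the malware families it covers: a simulated POS terminal issues SELECT PPSE, SELECT AID and READ RECORD, a relay in the middle forwards each command to a simulated card and copies the EMV fields it sees in the responses. The AIDs and PPSE name are public EMV values; the card data, record layout and the in-process "network hop" are constructed for the example.

```python
"""Added example (not from the report): a minimal in-process model of the APDU
exchange an NFC relay sits in. All card bytes are constructed test data."""
from __future__ import annotations

# --- BER-TLV helpers --------------------------------------------------------
def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        return tag + bytes([n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(lb)]) + lb + value

def parse_tlv(data: bytes, out: dict[str, bytes] | None = None) -> dict[str, bytes]:
    """Flatten a BER-TLV blob into {tag_hex: value}, descending into constructed tags."""
    out = {} if out is None else out
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between elements
            i += 1
            continue
        start = i
        if data[i] & 0x1F == 0x1F:           # multi-byte tag (e.g. 5F24, 9F26)
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i]
        ln, i = data[i], i + 1
        if ln & 0x80:                        # long-form length
            nb = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nb], "big"), i + nb
        value, i = data[i:i + ln], i + ln
        if tag[0] & 0x20:                    # constructed: recurse into children
            parse_tlv(value, out)
        else:
            out[tag.hex().upper()] = value
    return out

# --- Simulated card (constructed data; AIDs and PPSE name are public EMV values)
PPSE_NAME = b"2PAY.SYS.DDF01"
VISA_AID = bytes.fromhex("A0000000031010")
SW_OK, SW_NOT_FOUND, SW_INS_UNSUPPORTED = b"\x90\x00", b"\x6A\x82", b"\x6D\x00"

def make_test_card() -> dict[str, bytes]:
    """Canned responses of a fake card: PPSE FCI, application FCI and one record."""
    track2 = bytes.fromhex("4111111111111111D2512201000000000000")  # PAN 'D' YYMM svc disc.
    record = tlv(b"\x70", tlv(b"\x57", track2)
                          + tlv(b"\x5A", bytes.fromhex("4111111111111111"))
                          + tlv(b"\x5F\x24", bytes.fromhex("251231"))
                          + tlv(b"\x5F\x20", b"TEST CARDHOLDER"))
    ppse = tlv(b"\x6F", tlv(b"\x84", PPSE_NAME) + tlv(b"\xA5", tlv(b"\xBF\x0C",
               tlv(b"\x61", tlv(b"\x4F", VISA_AID) + tlv(b"\x87", b"\x01")))))
    app = tlv(b"\x6F", tlv(b"\x84", VISA_AID) + tlv(b"\xA5", tlv(b"\x50", b"VISA CREDIT")))
    return {"ppse": ppse + SW_OK, "app": app + SW_OK, "record": record + SW_OK}

def card_process(card: dict[str, bytes], apdu: bytes) -> bytes:
    """Answer one command APDU the way a contactless card would (simplified)."""
    ins = apdu[1]
    if ins == 0xA4:                              # SELECT by DF name
        name = apdu[5:5 + apdu[4]]
        if name == PPSE_NAME:
            return card["ppse"]
        if name == VISA_AID:
            return card["app"]
        return SW_NOT_FOUND
    if ins == 0xB2:                              # READ RECORD
        return card["record"]
    return SW_INS_UNSUPPORTED

# --- Relay / harvester ------------------------------------------------------
HARVEST_TAGS = {"57": "track2_equivalent", "5A": "pan", "5F20": "cardholder_name",
                "5F24": "expiry_yymmdd", "4F": "aid", "9F26": "application_cryptogram"}

def decode_field(tag: str, value: bytes) -> str:
    if tag == "5F20":
        return value.decode("ascii", "replace").strip()
    hexval = value.hex().upper()
    return hexval.rstrip("F") if tag in ("57", "5A") else hexval   # strip BCD padding

def relay_session(terminal_cmds: list[bytes], card: dict[str, bytes]):
    """Forward each terminal APDU to the card, return the card's real answer,
    and keep a copy of every EMV field of interest (the harvester's job)."""
    transcript, harvested = [], {}
    for cmd in terminal_cmds:
        rsp = card_process(card, cmd)            # real malware: socket to the paired device
        transcript.append((cmd.hex().upper(), rsp.hex().upper()))
        if rsp.endswith(SW_OK):
            for tag, value in parse_tlv(rsp[:-2]).items():
                if tag in HARVEST_TAGS:
                    harvested[HARVEST_TAGS[tag]] = decode_field(tag, value)
    return transcript, harvested

def select(name: bytes) -> bytes:
    """Build a SELECT-by-name command APDU."""
    return b"\x00\xA4\x04\x00" + bytes([len(name)]) + name + b"\x00"

TERMINAL_FLOW = [select(PPSE_NAME), select(VISA_AID), b"\x00\xB2\x01\x0C\x00"]

if __name__ == "__main__":
    transcript, loot = relay_session(TERMINAL_FLOW, make_test_card())
    for c, r in transcript:
        print(f"POS>  {c}\nCARD< {r}")
    print("harvested:", loot)
```

The flow stops before GET PROCESSING OPTIONS and GENERATE AC, so no cryptogram (tag 9F26) is harvested. That is deliberate: the cryptogram is computed over the terminal's unpredictable number, so a stored copy is useless to the attacker, and a "ghost-tap" purchase has to keep the network round trip open for the whole tap. The static fields (PAN, expiry, track-2 data) are what the harvester variants exfiltrate.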
## Indicators of Compromise
- File Hashes: (Not specified in the context, but a list of over 760 malicious APKs is referenced externally.)
- File Names: Varied, impersonating legitimate banking or payment apps.
- Registry Keys: N/A (Android has no registry; persistence relies on Android mechanisms such as foreground services and autostart receivers).
- Network Indicators: Over 70 identified Command-and-Control (C2) servers and app distribution hubs. Dozens of Telegram bots and private channels used for coordination/exfiltration.
- Behavioral Indicators: Requesting NFC access and foreground service privileges; declaring a HostApduService with a payment-category AID group and asking to become the default payment handler; high volumes of NFC/APDU activity.
## Associated Threat Actors
Threat actors operating campaigns predominantly in **Eastern Europe** (Poland, Czech Republic, Russia, Slovakia, and expanding to others). Specific groups are not named, but the scale suggests organized criminal operations.
## Detection Methods
- Signature-based detection: Matching known file hashes and signing certificates of the 760+ discovered malicious APKs.
- Behavioral detection: Monitoring for apps that request NFC permission, declare a HostApduService, or start payment-related foreground services without user initiation; an app prompting to become the default payment handler is a strong signal.
- YARA rules: Can be developed from unique strings or code patterns in captured samples from the Zimperium IOC repository (for example the HCE service declarations and C2/Telegram endpoints).
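One way to apply the behavioral indicators and the detection logic above to a decoded APK, as added example code that is not part of the report or of any vendor tooling: it reads an apktool-style decoded AndroidManifest.xml plus the `xml/` resource its HCE service points at, and flags the HCE declaration, payment-category AIDs, locked-device operation and brand impersonation. The two manifests are constructed inputs; `com.example.fakepay` and `com.example.tagreader` are hypothetical package names.

```python
"""Added example (not from the report): static triage of a decoded APK for the
HCE indicators listed above. Sample manifests are constructed, not real samples."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def A(attr: str) -> str:
    """ElementTree key for an android:attr attribute."""
    return f"{{{ANDROID_NS}}}{attr}"

HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
HCE_BIND_PERM = "android.permission.BIND_NFC_SERVICE"
PAYMENT_AIDS = {"A0000000031010": "Visa", "A0000000041010": "Mastercard"}  # public EMV AIDs
# Brands the report says these apps impersonate; word-bounded so "ING" does not hit "banking".
IMPERSONATED = ("google pay", "santander", "vtb", "tinkoff", "ing")

def parse_apdu_service(xml_text: str, findings: list[str]) -> list[str]:
    """Read the host-apdu-service resource: AID groups, category, unlock requirement."""
    root = ET.fromstring(xml_text)
    if root.get(A("requireDeviceUnlock")) == "false":
        findings.append("HCE service answers the terminal while locked (requireDeviceUnlock=false)")
    aids: list[str] = []
    for group in root.iter("aid-group"):
        names = [f.get(A("name"), "").upper() for f in group.iter("aid-filter")]
        if group.get(A("category")) == "payment":
            brands = ", ".join(PAYMENT_AIDS.get(a, a) for a in names)
            findings.append(f"payment-category AID group ({brands})")
        aids += names
    return aids

def triage(manifest_xml: str, xml_resources: dict[str, str]) -> dict:
    """Return package, claimed AIDs, findings and a coarse verdict for one decoded APK."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    pkg = root.get("package", "")
    findings: list[str] = []
    perms = {e.get(A("name")) for e in root.iter("uses-permission")}
    for p in ("android.permission.NFC", "android.permission.FOREGROUND_SERVICE"):
        if p in perms:
            findings.append(f"requests {p}")
    aids: list[str] = []
    for svc in ([] if app is None else app.iter("service")):
        if HCE_ACTION not in {a.get(A("name")) for a in svc.iter("action")}:
            continue
        findings.append(f"declares HostApduService {svc.get(A('name'))}")
        if svc.get(A("permission")) != HCE_BIND_PERM:
            findings.append("HostApduService lacks BIND_NFC_SERVICE (Android requires it for HCE)")
        for meta in svc.iter("meta-data"):
            if meta.get(A("name")) == HCE_META:
                res = meta.get(A("resource"), "").split("/")[-1]  # "@xml/apduservice" -> "apduservice"
                if res in xml_resources:
                    aids += parse_apdu_service(xml_resources[res], findings)
    label = (app.get(A("label")) if app is not None else "") or ""
    for brand in IMPERSONATED:
        if re.search(rf"\b{re.escape(brand)}\b", label.lower()):
            findings.append(f"label '{label}' impersonates {brand} (package {pkg})")
    payment = any(f.startswith("payment-category") for f in findings)
    impersonation = any("impersonates" in f for f in findings)
    verdict = "suspicious" if payment and impersonation else ("review" if payment else "benign")
    return {"package": pkg, "aids": aids, "findings": findings, "verdict": verdict}

# Constructed inputs: a fake wallet app with a payment HCE service ...
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Google Pay">
    <service android:name=".RelayApduService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>"""
SAMPLE_APDUSERVICE = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/svc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/grp" android:category="payment">
    <aid-filter android:name="A0000000041010"/>
    <aid-filter android:name="A0000000031010"/>
  </aid-group>
</host-apdu-service>"""
# ... and a tag-reader app that uses NFC without card emulation, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Tag Reader"/>
</manifest>"""

if __name__ == "__main__":
    for r in (triage(SAMPLE_MANIFEST, {"apduservice": SAMPLE_APDUSERVICE}),
              triage(BENIGN_MANIFEST, {})):
        print(r["package"], r["verdict"], *r["findings"], sep="\n  ")
```

The NFC permission on its own is not an indicator (any tag-reader app needs it); the combination of a HostApduService, a payment-category AID group and a label matching a brand the app does not belong to is what separates these samples from legitimate wallets, and the verdict is built from that combination rather than from permissions.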
## Mitigation Strategies
- **Installation Restriction:** Avoid installing APKs from sources outside the official Google Play Store unless the publisher is absolutely trusted.
- **Official Channels:** Only install banking applications directly from the official bank websites/links.
- **Permission Review:** Scrutinize newly installed apps for suspicious permissions, particularly NFC access or foreground service privileges.
- **System Hardening:** Keep Google Play Protect, Android's built-in anti-malware tool, enabled and scan devices regularly.
- **NFC Management:** Disable NFC functionality completely when it is not actively being used.
## Related Tools/Techniques
- Banking Trojans (Traditional overlays)
- Remote Access Tools (RATs) used to perform fraudulent transactions from the victim's device (a different approach from NFC relay).
- Specific variants mentioned indirectly through associated reporting: 'NGate' Android malware, 'SuperCard-X' malware.