Listen to this Post
Introduction:
A sophisticated Android malware campaign dubbed NGate has been discovered in Spain, combining fake app distribution, NFC relay attacks, and PIN harvesting to enable unauthorized ATM withdrawals. This malware-as-a-service (MaaS) operation, linked to the Devil NFC infrastructure, tricks victims into tapping their payment cards while capturing their PINs – then relays the data in real time to criminals who clone cards or perform ATM cashouts. Understanding NFC relay mechanics and mobile forensic indicators is now critical for security teams and Android users alike.
Learning Objectives:
- Understand how NGate abuses Android’s NFC capabilities to relay payment card data from a victim’s phone to an attacker’s device.
- Learn to identify malicious domains, C&C communication patterns, and SMS exfiltration indicators using Linux and Windows command-line tools.
- Implement mitigation techniques, including network-level blocking, Android permission hardening, and user education against fake “security app” lures.
You Should Know:
- Inside the NGate NFC Relay Attack – How Criminals Bypass Contactless Limits
The NGate malware does not need to break cryptography. Instead, it performs a classic NFC relay attack: the victim’s phone acts as a proxy between a legitimate payment card and a criminal’s terminal at an ATM. When the victim taps their card, the malware captures the card’s EMV data and forwards it over the internet to a remote “relay server.” An accomplice with a modified Android device or Proxmark3 then plays back that data to an ATM, withdrawing cash as if they held the physical card.
Step‑by‑step guide to simulate and understand the relay flow (for research/defense only):
On Linux – monitor NFC traffic using nfc-list (requires libnfc) sudo apt install libnfc-bin nfc-list Capture raw APDUs (if compatible hardware present) nfc-poll | tee nfc_capture.log On Windows – use NFC Tools Pro (GUI) or PowerShell with USB NFC reader Enumerate smartcard readers powershell "Get-PnpDevice -Class SmartCardReader | Select-Object FriendlyName, Status"
How NGate uses this: The malware requests NFC permission (android.permission.NFC) and runs a background service that listens for card taps. Once a tap occurs, it collects the card’s UID and encrypted transaction data, then packages them into a JSON payload sent to the C&C. The C&C forwards to a relay server, which an attacker’s device polls. The PIN is obtained separately via a phishing overlay.
Mitigation check:
- Disable NFC when not in use (Android Quick Settings).
- Use RFID-blocking wallets for physical cards.
- Monitor for apps requesting `NFC` + `INTERNET` + `RECEIVE_SMS` permissions together.
- Hunting IOCs – Domains, Hashes, and C&C Traffic Analysis
ESET researchers released a public IoC set for NGate at:
`https://github.com/eset/malware-ioc/tree/master/ngate`
Key indicators include:
- Fake distribution domain: `seguridad-nfc[.]com` (impersonating “Seguridad NFC – Bloqueador de Cargos”)
- Admin panel domain: `devilxclusive[.]lol`
– C&C communication over HTTPS with JSON endpoints like `/api/v1/relay` and `/api/v1/upload`Linux commands to hunt for indicators in network logs:
Extract suspicious domains from pcap tshark -r capture.pcap -Y "dns.qry.name contains 'seguridad-nfc' or dns.qry.name contains 'devilxclusive'" -T fields -e dns.qry.name Monitor live connections to known bad IPs (use IoC IPs from GitHub) sudo tcpdump -i eth0 -n 'host 185.130.5.253 or host 45.142.212.100' -w ngate_traffic.pcap Check for malicious APKs by hash (using sha256sum) sha256sum suspicious.apk Compare with known hashes from eset/malware-ioc
Windows PowerShell (admin) for process and network hunting:
Find processes with outbound connections to suspicious ports
Get-NetTCPConnection | Where-Object {$<em>.RemotePort -eq 443 -and $</em>.State -eq 'Established'} | Select-Object -Unique OwningProcess
Check DNS cache for malicious domains
ipconfig /displaydns | Select-String "seguridad-nfc"
Block domains via hosts file
Add-Content -Path "$env:windir\System32\drivers\etc\hosts" -Value "0.0.0.0 devilxclusive.lol"
- Phishing Templates and PIN Harvesting – Android Overlay Attacks
NGate does not rely on system vulnerabilities; it uses accessibility services and overlay windows to display fake bank login or account lock warnings. In this campaign, we observed impersonation of Santander Bank. The overlay asks for the card’s PIN under the guise of “verifying identity” or “unlocking your account.”
How to detect overlay attacks programmatically (Android Debug Bridge):
List running accessibility services (Linux/macOS/Windows with ADB) adb shell settings get secure enabled_accessibility_services Dump current foreground window adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp' Monitor new overlay windows (requires root on some devices) adb logcat | grep -i "WindowManager.overlay"
Training for users:
- Never enter your PIN into any app or webpage that appears after tapping your card.
- Legitimate bank apps will not request PIN via popups.
- Check app package name: go to Settings > Apps > look for “Seguridad NFC” – if not published by a verified developer (Google Play Protect warning), uninstall immediately.
4. Hardening Android Devices Against MaaS Malware
Because NGate is distributed via a fake Google Play website (not the official store), users must sideload it. However, many Android users disable “Play Protect” or allow installation from unknown sources.
Recommended configuration commands (via ADB or device settings):
Ensure Google Play Protect is enabled adb shell settings put global package_verifier_enable 1 adb shell settings put global verifier_timeout 120000 Disable installation from unknown sources (Android 8+) adb shell settings put secure install_non_market_apps 0 Revoke NFC permission for all non-essential apps (example for a package): adb shell pm revoke com.malicious.app android.permission.NFC
For enterprise managed devices, use Android Enterprise to block sideloading entirely and force app whitelisting via EMM (e.g., VMware Workspace ONE, Microsoft Intune). On Samsung Knox, enable “Enhanced NFC security” to require user confirmation for each card tap.
- Network Detection & Cloud Hardening – Blocking C&C at the Edge
The NGate backend uses dynamic relay servers returned by the C&C. A simple static IP block is insufficient; instead, deploy TLS inspection with SNI filtering or use threat intelligence feeds.
Example Suricata/Snort rule to detect NGate beaconing:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NGate NFC relay beacon"; flow:to_server,established; content:"POST"; http_method; content:"/api/v1/relay"; http_uri; content:"User-Agent|3a| Android"; http_header; sid:1000001; rev:1;)
Linux iptables to drop traffic to known bad domains (using domain blacklist):
Using dnsmasq to sinkhole; or with iptables + string match (less efficient) sudo iptables -A FORWARD -m string --string "devilxclusive.lol" --algo bm -j DROP Better: use a DNS sinkhole like Pi-hole with the IoC domain list
Cloud hardening (AWS Network Firewall / Azure Firewall):
- Deploy a threat intelligence filter that consumes the ESET NGate IoC list (available in STIX/TAXII format from ESET’s GitHub).
- Enable TLS decryption (where legally permitted) to inspect HTTP/2 POST payloads.
- Set up alerting for high-frequency NFC-related API calls from a single source IP.
- Forensic Artifacts – SMS Exfiltration and Log Analysis
Once installed, NGate exfiltrates SMS messages – often to intercept 2FA codes or transaction verification texts. Forensic investigators can recover these artifacts even after the malware attempts to delete them.
Linux forensics on an Android backup:
Extract SMS database from an ADB backup adb backup -f backup.ab -noapk com.android.providers.telephony dd if=backup.ab bs=1 skip=24 | python -c "import zlib,sys; sys.stdout.write(zlib.decompress(sys.stdin.read()))" > backup.tar tar -xf backup.tar sqlite3 apps/com.android.providers.telephony/databases/mmssms.db "SELECT address, date, body FROM sms WHERE body LIKE '%2FA%' OR body LIKE '%código%';"
Windows – using Belkasoft Evidence Center or Magnet AXIOM:
– Import the device image (physical or logical).
– Search for `ngate` or `devilxclusive` in SQLite databases, logs, and shared preferences.
– Check `/data/data/[bash]/shared_prefs/` for base64-encoded C&C URLs.
What Undecode Say:
- Card cloning is now a mobile-first threat – attackers no longer need skimmers; they just need you to install one app and tap your card once.
- Defense requires both user education and network-level IoC blocking – no single control stops relay attacks, but layered permissions (NFC + Internet + Overlay) should trigger automatic quarantine.
- The rise of MaaS for NFC abuse means smaller crime groups can participate – expect similar campaigns targeting other countries with localized bank brands and languages.
Prediction:
Within 12–18 months, NGate-like techniques will evolve to bypass PIN requirements using on-device machine learning to guess PINs from accelerometer data (tap timing) or via automated phishing that leverages leaked PII from previous breaches. We will also see NFC relay attacks moving to wearables – smartwatches with NFC and cellular connectivity become ideal relay nodes. Banks may be forced to abandon contactless for high-value transactions or implement per-transaction biometrics on mobile wallets. Security training must urgently add “NFC hygiene” alongside phishing awareness.
▶️ Related Video (68% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Lukasstefanko Spain – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
