Add new Quark rule for NGate malware detection#931
Merged
Codecov Report: All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##           master     #931   +/-   ##
=======================================
  Coverage   78.89%   78.89%
=======================================
  Files          81       81
  Lines        7131     7131
=======================================
  Hits         5626     5626
  Misses       1505     1505

Flags with carried forward coverage won't be shown.
806c1d2 to 008e4ce
Added new malware entry for NGate with detailed behaviors.
This was referenced Jun 29, 2026
NGate Malware Family Analysis Report
A new Quark rule (#277) was generated to detect NFC reader-mode preparation and added to Quark's rule pool. NGate is an Android NFC banking trojan first documented by ESET in 2024, targeting Slovak banking customers. It is documented to weaponize the open-source NFCGate research toolkit to relay contactless payment card data from the victim's phone to an attacker-controlled device, enabling unauthorized point-of-sale and ATM transactions. Check here for the rule pool details.
Quark's rule classification flagged 14 of 14 NGate samples as high-risk in this experiment (detection rate 100%). Benign-cohort false-positive rate was not measured here. See tested APKs below.
Identified Well-Known Threats
This section uses MITRE ATT&CK Mobile as its reference taxonomy. NGate has no dedicated MITRE software entry. The techniques below were observed in NGate samples through Quark's static bytecode analysis.
All cluster representatives below were extracted from sample 98f2667aec5f74c0701467ea86c6a45a53604075f968263c12650759d157ba59.apk, chosen as the representative sample whose detected behaviors most fully cover the documented profile of NGate. The other 13 family samples were used to compute the detection-rate figure above.

Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then walk through the call sequence and list the underlying rules.
1. T1644 Out of Band Data
T1644 Out of Band Data — attack.mitre.org
LK1/d;b (a ProGuard-renamed class operating on Landroid/nfc/Tag, consistent with the NFCGate-derived reader-mode initialization that NGate is documented to repackage) calls IsoDep.get(Tag) to acquire an IsoDep handle for the contactless card and then IsoDep.setTimeout(int) on the same instance, with the IsoDep reference flowing directly between the two calls. Configuring a custom transceive timeout is uncharacteristic of legitimate payment apps (which use the platform default) and is the canonical setup step required before any subsequent APDU exchange over the NFC out-of-band channel.
Behaviors detected by Quark:
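To make the "reference flows between the two calls" condition concrete, here is an added Python sketch (not Quark's code and not rule #277 itself) of how a two-API rule with a data-flow requirement can be evaluated over smali; the smali fragments, register names and the 0x1388 timeout value are constructed for illustration, while the two Android method signatures are the standard ones.

```python
import re
from typing import Optional
# Constructed smali fragments (not taken from the NGate sample): the first obtains an
# IsoDep handle and sets a custom timeout on that same handle (v0).
SMALI_LINKED = """
invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
move-result-object v0
const/16 v1, 0x1388
invoke-virtual {v0, v1}, Landroid/nfc/tech/IsoDep;->setTimeout(I)V
"""
# Same two APIs, but setTimeout runs on an unrelated register (v2): no data flow.
SMALI_UNLINKED = """
invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
move-result-object v0
const/16 v1, 0x1388
invoke-virtual {v2, v1}, Landroid/nfc/tech/IsoDep;->setTimeout(I)V
"""

# The two APIs the T1644 rule pairs; descriptors are the standard Android signatures.
FIRST_API = "Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;"
SECOND_API = "Landroid/nfc/tech/IsoDep;->setTimeout(I)V"
INVOKE = re.compile(r"invoke-\w+(?:/range)? \{([^}]*)\}, (\S+)")
MOVE_RESULT = re.compile(r"move-result(?:-object|-wide)? (\S+)")

def api_pair_with_flow(smali: str, first: str, second: str) -> Optional[str]:
    """Return the register carrying `first`'s result into `second`, else None."""
    result_reg = None         # register that received the value returned by `first`
    expecting_result = False  # True only on the instruction right after `first`
    for line in smali.strip().splitlines():
        line = line.strip()
        m = INVOKE.match(line)
        if m:
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            if m.group(2) == first:
                expecting_result = True   # the next move-result binds the handle
                continue
            if m.group(2) == second and result_reg is not None and result_reg in regs:
                return result_reg         # same object used by both calls
            expecting_result = False
            continue
        mr = MOVE_RESULT.match(line)
        if mr and expecting_result:
            result_reg = mr.group(1)
        expecting_result = False
    return None

if __name__ == "__main__":
    print(api_pair_with_flow(SMALI_LINKED, FIRST_API, SECOND_API))    # v0
    print(api_pair_with_flow(SMALI_UNLINKED, FIRST_API, SECOND_API))  # None
```

The second fragment shows why the flow condition matters: both APIs are present, but the rule should not fire when the timeout is applied to some other object.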
2. T1406 Obfuscated Files or Information
T1406 Obfuscated Files or Information — attack.mitre.org
LO/q;onPrepareActionMode is one of nine distinct attacker-namespace parents in this sample where the malware dynamically resolves a method by name and invokes it via reflection. Spreading reflective dispatch across many short ProGuard-renamed classes obfuscates the actual call targets from static disassembly tools that match on direct call edges, falling under T1406's broader "otherwise obfuscating its contents" clause for control-flow obfuscation.
Behaviors detected by Quark:
3. T1628.001 Suppress Application Icon
T1628.001 Suppress Application Icon — attack.mitre.org
LZ/h;run (an attacker-authored Runnable executed from a background context) toggles the launcher activity's ComponentEnabledSetting to COMPONENT_ENABLED_STATE_DISABLED, hiding the app's icon from the device home screen. This delays user discovery of the installed app and makes uninstalling it harder.
Behaviors detected by Quark:
List of Tested APKs
The table below lists the APKs we tested.
Companion rule PR: ev-flow/quark-rules#82