
Add new Quark rule for NGate malware detection #931

Merged
haeter525 merged 3 commits into ev-flow:master from pulorsok:add-ngate-report on Jun 24, 2026

Conversation

@pulorsok pulorsok commented Jun 22, 2026

Member

NGate Malware Family Analysis Report

A new Quark rule (#277) was generated to detect NFC reader-mode preparation and added to Quark's rule pool. NGate is an Android NFC banking trojan first documented by ESET in 2024, targeting Slovak banking customers. It is documented to weaponize the open-source NFCGate research toolkit to relay contactless payment card data from the victim's phone to an attacker-controlled device, enabling unauthorized point-of-sale and ATM transactions. Check here for the rule pool details.

Quark's rule classification flagged 14 of 14 NGate samples as high-risk in this experiment (detection rate 100%). Benign-cohort false-positive rate was not measured here. See tested APKs below.

Identified Well-Known Threats

This section uses MITRE ATT&CK Mobile as its reference taxonomy. NGate has no dedicated MITRE software entry. The techniques below were observed in NGate samples through Quark's static bytecode analysis.

| MITRE Technique | Real-world manifestation in NGate |
| --- | --- |
| T1644 Out of Band Data | Configuring the IsoDep NFC reader with a non-default transceive timeout — the canonical preparation step required before APDU exchange over the NFC out-of-band channel, used by NGate as part of its documented contactless-card relay chain |
| T1406 Obfuscated Files or Information | Dynamic method invocation via Java reflection from many attacker-authored classes, hiding the malware's true control flow from static analysis tools |
| T1628.001 Suppress Application Icon | Programmatically hiding the malicious app's launcher icon after installation to delay user detection and removal |

All cluster representatives below were extracted from sample 98f2667aec5f74c0701467ea86c6a45a53604075f968263c12650759d157ba59.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of NGate. The other 13 family samples were used to compute the detection-rate figure above.

Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then walk through the call sequence and list the underlying rules.

1. T1644 Out of Band Data

T1644 Out of Band Data — attack.mitre.org

MITRE definition (T1644): Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks. Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.

LK1/d;b (a ProGuard-renamed class operating on Landroid/nfc/Tag, consistent with the NFCGate-derived reader-mode initialization that NGate is documented to repackage) calls IsoDep.get(Tag) to acquire an IsoDep handle for the contactless card and then IsoDep.setTimeout(int) on the same instance, with the IsoDep reference flowing directly between the two calls. Configuring a custom transceive timeout is uncharacteristic of legitimate payment apps (which use the platform default) and is the canonical setup step required before any subsequent APDU exchange over the NFC out-of-band channel.

Behaviors detected by Quark:

2. T1406 Obfuscated Files or Information

T1406 Obfuscated Files or Information — attack.mitre.org

MITRE definition (T1406): Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

LO/q;onPrepareActionMode is one of nine distinct attacker-namespace parents in this sample where the malware dynamically resolves a method by name and invokes it via reflection. Spreading reflective dispatch across many short ProGuard-renamed classes obfuscates the actual call targets from static disassembly tools that match on direct call edges, falling under T1406's broader "otherwise obfuscating its contents" clause for control-flow obfuscation.

Behaviors detected by Quark:

3. T1628.001 Suppress Application Icon

T1628.001 Suppress Application Icon — attack.mitre.org

MITRE definition (T1628.001): A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

LZ/h;run (an attacker-authored Runnable executed from background context) toggles the launcher activity's ComponentEnabledSetting to COMPONENT_ENABLED_STATE_DISABLED, hiding the app's icon from the device home screen. This delays user discovery of the installed app and makes uninstalling it harder.

Behaviors detected by Quark:

List of Tested APKs

The table below lists the APKs we tested.

| index | sha256 |
| --- | --- |
| 1 | 0E2AEE7B6CF50249520F0F824EA52F7770E2D2A791F0E6D94C514B11ED482FA4 |
| 2 | 162F8C6BAFE0C343C37F173344C4F6880EAEC0AEA7B491565DB874366B161784 |
| 3 | 17A16F08108E25AF1C8B058ADBACA2CADA6A93C2D38C9854148F9E9CAAC76AC3 |
| 4 | 1D126E5904DDE3B46175A4AAE89EEC1FB8A6B80E35B1F473878E5DD288F8AAE6 |
| 5 | 31FDAA61CADD545C4C859ED255ADA413CBB09B2201F047745A7374EC1D54AA43 |
| 6 | 3CB4B373A24AFB10B8003762E763E6B44008BDF9A58D0A9A2B80A5DE68308ECD |
| 7 | 45BBA7681E5A2C3512E6337BAED739D3AF30AF5BFC9FFE0AE18E211E068274A1 |
| 8 | 54EAC45F3F5AC121C74C2EF66923CD3DA5A5DC8B03BF3E4C43935FCC1E5F6EED |
| 9 | 5CFE6EC669BE05D457D9B98CDD76901CC8913AE9F4E8B1A29D97770C6925A5C4 |
| 10 | 9220B2F18DD79BEF1D9B3739D42DA538BFBCC73CDA4F9B0028C2F425BE501FB1 |
| 11 | 95D906DCA5A3BE5CF066268662B3C953860E54E9CDCFCD427FAF0AAA9CB62BAD |
| 12 | 98F2667AEC5F74C0701467EA86C6A45A53604075F968263C12650759D157BA59 |
| 13 | C659454DD6ED62BC7A0C9E0455297E41BA57B0B7935A826150C1F8C0DB6F89D2 |
| 14 | E19A7C8E4994EA4ED680136C9E3A6FFF7B82C72F5743952821A446B6CB830F06 |

Companion rule PR: ev-flow/quark-rules#82
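Added example, not part of the PR above and not Quark's own engine: a toy Python matcher showing how a two-API rule of the kind the report describes is checked against method bytecode, in particular the register-flow step that separates "both calls appear in order" from "the IsoDep handle returned by get() is the receiver of setTimeout()". The same matcher is run with a getMethod/invoke pair (the T1406 section) and a getPackageManager/setComponentEnabledSetting pair (the T1628.001 section), and it also reports the integer literals reaching the second call, so the 0x2 (COMPONENT_ENABLED_STATE_DISABLED) argument is visible. The smali-style bodies, the hypothetical class names Lx/a to Lx/e and the simplified stage numbering are constructed for this example; rule #277 and Quark's real scoring are not reproduced here.

```python
"""Toy matcher for a two-API, Quark-style rule over smali-style method bodies. Example code
written for this page, not Quark's engine; bodies, class names and stages are constructed."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass

INVOKE_RE = re.compile(r"invoke-[a-z]+(?:/range)?\s+\{([^}]*)\},\s+(L[^;]+;)->([^(]+)\(([^)]*)\)(\S+)")
MOVE_RESULT_RE = re.compile(r"move-result(?:-object|-wide)?\s+([vp]\d+)")
CONST_RE = re.compile(r"const(?:/4|/16|/high16)?\s+([vp]\d+),\s+(-?(?:0x[0-9a-fA-F]+|\d+))")
Api = namedtuple("Api", "cls method desc")       # smali class, method name, descriptor e.g. "(I)V"
Rule = namedtuple("Rule", "crime first second")  # same shape as the "api" pair of a Quark rule

@dataclass
class Call:
    api: Api
    args: list[str]
    producer: dict[str, int]   # arg register -> index of the call whose result it still holds
    literals: dict[str, int]   # arg register -> int literal it still holds
    result_reg: str | None = None

def parse_method(body: str) -> list[Call]:
    """Linear walk of one method; only invoke/move-result/const are modelled as register writes."""
    calls, producer, literals = [], {}, {}
    for line in map(str.strip, body.splitlines()):
        if m := CONST_RE.match(line):
            literals[m.group(1)] = int(m.group(2), 0)
            producer.pop(m.group(1), None)
        elif m := INVOKE_RE.match(line):
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            api = Api(m.group(2), m.group(3), f"({m.group(4)}){m.group(5)}")
            calls.append(Call(api, regs, {r: producer[r] for r in regs if r in producer},
                              {r: literals[r] for r in regs if r in literals}))
        elif (m := MOVE_RESULT_RE.match(line)) and calls:
            calls[-1].result_reg = m.group(1)
            producer[m.group(1)] = len(calls) - 1
            literals.pop(m.group(1), None)
    return calls

def match_stage(calls: list[Call], rule: Rule) -> tuple[int, dict[str, int]]:
    """Stage (loosely after Quark's, permission stage omitted): 0 neither API, 1 one API, 2 both,
    3 both in order, 4 first call's result feeds the second. From 3 on, also the literals it gets."""
    firsts = [i for i, c in enumerate(calls) if c.api == rule.first]
    seconds = [j for j, c in enumerate(calls) if c.api == rule.second]
    if not firsts and not seconds:
        return 0, {}
    if not firsts or not seconds:
        return 1, {}
    ordered = [(i, j) for i in firsts for j in seconds if i < j]
    if not ordered:
        return 2, {}
    for i, j in ordered:
        if i in calls[j].producer.values():
            return 4, calls[j].literals
    return 3, calls[ordered[0][1]].literals

def scan(app: dict[str, str], rule: Rule) -> dict[str, tuple[int, dict[str, int]]]:
    return {name: match_stage(parse_method(body), rule) for name, body in app.items()}

ISODEP = "Landroid/nfc/tech/IsoDep;"
NFC_READER_PREP = Rule("IsoDep handle given a custom transceive timeout",
    Api(ISODEP, "get", "(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;"), Api(ISODEP, "setTimeout", "(I)V"))
REFLECTIVE_DISPATCH = Rule("Method resolved by name and invoked via reflection",
    Api("Ljava/lang/Class;", "getMethod", "(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;"),
    Api("Ljava/lang/reflect/Method;", "invoke", "(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;"))
HIDE_ICON = Rule("Component state changed through PackageManager",
    Api("Landroid/content/Context;", "getPackageManager", "()Landroid/content/pm/PackageManager;"),
    Api("Landroid/content/pm/PackageManager;", "setComponentEnabledSetting", "(Landroid/content/ComponentName;II)V"))

SAMPLE_APP = {  # constructed bodies under hypothetical class names Lx/a..e; not from any real APK
    "Lx/a;->prepare(Landroid/nfc/Tag;)V": """
        invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
        move-result-object v0
        const/16 v1, 0x7d0
        invoke-virtual {v0, v1}, Landroid/nfc/tech/IsoDep;->setTimeout(I)V""",
    "Lx/b;->read(Landroid/nfc/Tag;)V": """
        invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
        move-result-object v0
        invoke-virtual {v0}, Landroid/nfc/tech/IsoDep;->connect()V""",
    "Lx/c;->retune(Landroid/nfc/Tag;)V": """
        invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
        move-result-object v0
        iget-object v2, p0, Lx/c;->cached:Landroid/nfc/tech/IsoDep;
        const/16 v1, 0x3e8
        invoke-virtual {v2, v1}, Landroid/nfc/tech/IsoDep;->setTimeout(I)V""",
    "Lx/d;->a(Landroid/content/Context;)V": """
        invoke-virtual {p1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
        move-result-object v0
        const/4 v2, 0x2  # COMPONENT_ENABLED_STATE_DISABLED
        const/4 v3, 0x1  # DONT_KILL_APP
        invoke-virtual {v0, v1, v2, v3}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V""",
    "Lx/e;->dispatch(Ljava/lang/Class;Ljava/lang/String;)V": """
        invoke-virtual {p1, p2, v0}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
        move-result-object v1
        invoke-virtual {v1, v2, v3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;""",
}
```

Running `scan(SAMPLE_APP, NFC_READER_PREP)` puts Lx/a at stage 4 (the get() result in v0 is the setTimeout() receiver, literal 2000 ms), Lx/c only at stage 3 (setTimeout() is called on a field-loaded handle, so the two calls are ordered but not connected) and the plain reader Lx/b at stage 1. The literal map is what lets a rule distinguish a disable (0x2) from an enable (0x1) on the PackageManager call; Quark's real engine does this over the full Dalvik instruction set rather than the three opcodes modelled here.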

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.89%. Comparing base (86b84cf) to head (1d45464).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #931   +/-   ##
=======================================
  Coverage   78.89%   78.89%           
=======================================
  Files          81       81           
  Lines        7131     7131           
=======================================
  Hits         5626     5626           
  Misses       1505     1505           
Flag Coverage Δ
unittests 78.89% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.

@haeter525 haeter525 left a comment

Member


LGTM

Added new malware entry for NGate with detailed behaviors.
@haeter525 haeter525 merged commit 1df1d49 into ev-flow:master Jun 24, 2026
18 checks passed