Add rule for NGate and sync score-adjusted rules #82

Merged: haeter525 merged 2 commits into ev-flow:master from pulorsok:add-ngate-rule on Jun 23, 2026

pulorsok (Member) commented Jun 22, 2026

This PR adds a new rule (#00277) detecting NFC reader-mode preparation, used by NGate (Android NFC banking trojan, ESET 2024).

The rule pairs Landroid/nfc/tech/IsoDep;get with Landroid/nfc/tech/IsoDep;setTimeout — the canonical NFCGate-derived setup sequence required before APDU exchange over the NFC out-of-band channel.

Trained discrimination:

  • mal L5 hit rate: 26/623 = 4.2%
  • ben L5 hit rate: 0/190 = 0.0%
  • mal:ben ratio: ∞ (zero benign hits)
  • trained score: 1.02

This PR also syncs score-adjusted weights for all existing pool rules retrained against the NGate-inclusive corpus, matching the convention of recent malware-detection PRs (#80 Cerberus, #76 TangleBot, #74 Godfather).

Companion analysis report PR: ev-flow/quark-engine#931
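The pairing described in the comment above, sketched as an added example that is not part of the PR and not Quark's own implementation: it scans smali for methods where the object returned by `IsoDep.get` is the receiver of a later `IsoDep.setTimeout`. The method descriptors, the sample smali and the function name are assumptions made for illustration, and the register matching is simplified (no tracking through moves or overwrites).

```python
import re

# Assumed smali signatures for the two APIs named in the PR description.
GET = "Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;"
SET_TIMEOUT = "Landroid/nfc/tech/IsoDep;->setTimeout(I)V"
INVOKE = re.compile(r"^invoke-[\w/]+ \{([^}]*)\}, (\S+)$")
MOVE_RESULT = re.compile(r"^move-result-object (\w+)$")

# Constructed sample input: one method that prepares reader mode, one that does not.
SAMPLE = """
.method public onTagDiscovered(Landroid/nfc/Tag;)V
    invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
    move-result-object v0
    const/16 v1, 0x1388
    invoke-virtual {v0, v1}, Landroid/nfc/tech/IsoDep;->setTimeout(I)V
    return-void
.end method
.method public probeOnly(Landroid/nfc/Tag;)V
    invoke-static {p1}, Landroid/nfc/tech/IsoDep;->get(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;
    move-result-object v0
    return-void
.end method
"""

def find_reader_mode_prep(smali: str) -> list[str]:
    """Return methods where the register holding IsoDep.get()'s result
    is later used as the receiver of IsoDep.setTimeout()."""
    hits, method, pending, isodep_regs = [], None, False, set()
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            method, pending, isodep_regs = line.split()[-1], False, set()
        elif line.startswith(".end method"):
            method = None
        elif method is None or not line or line.startswith((".", "#")):
            continue  # outside a method, blank line, directive or comment
        elif (m := MOVE_RESULT.match(line)) and pending:
            isodep_regs.add(m.group(1))  # register now holds the IsoDep object
            pending = False
        elif m := INVOKE.match(line):
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            pending = m.group(2) == GET  # result arrives in the next move-result-object
            if m.group(2) == SET_TIMEOUT and regs and regs[0] in isodep_regs and method not in hits:
                hits.append(method)
        else:
            pending = False
    return hits

if __name__ == "__main__":
    print(find_reader_mode_prep(SAMPLE))
```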

haeter525 (Member) left a comment

Looks good

@pulorsok changed the title from "Add rule for NGate" to "Add rule for NGate and sync score-adjusted rules" Jun 23, 2026
@haeter525 haeter525 merged commit e5f71b1 into ev-flow:master Jun 23, 2026
2 checks passed