Cyble Research and Intelligence Labs (CRIL) uncovered RelayNFC, an Android malware campaign in Brazil. Phishing sites lure victims into installing a React Native app that relays NFC APDU commands in real time over WebSockets to attacker-controlled servers, letting the attackers complete contactless payments with the victim's card. The app ships as Hermes bytecode to hinder static analysis, and one variant experiments with Host Card Emulation (HCE); VirusTotal detections are currently zero. #RelayNFC #Hermes
Keypoints
- RelayNFC implements a full real-time APDU relay channel over WebSockets, allowing attackers to complete EMV transactions remotely as if the victim’s card were present.
- Distribution is entirely phishing-driven, using multiple Portuguese-language impostor sites that prompt victims to install a malicious APK.
- The malware is built with React Native and compiled to Hermes bytecode (index.android.bundle), complicating static analysis and detection.
- RelayNFC operates in a “reader” role: it prompts users to tap their card and enter PINs, forwards APDU commands to the NFC subsystem, and returns authentic APDU responses to the attacker.
- A related variant includes a RelayHostApduService implementing HCE (Host-based Card Emulation) and forwards APDUs via WebSocket; the HCE service was not registered in the manifest and appears to be under development.
- Samples show zero VirusTotal detections and C2 communication uses WebSockets on non-standard port 3000, indicating low visibility and active development by the operators.
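The relay described in the keypoints leaves a network footprint a defender can match on: WebSocket sessions to the listed C2 IPs on port 3000, downloads from the phishing domains, and the APK hashes. The following is an added example (not code from the Cyble report) that refangs the page's published indicators and runs them over a handful of constructed, single-line connection/proxy log entries; the log format, timestamps and the non-IoC addresses (198.51.100.20, 192.0.2.10) are assumptions for illustration. It also flags any other outbound connection to port 3000 as a lower-confidence "review" hit, since 3000 is a common development-server port and will produce benign matches.

```python
import re
from dataclasses import dataclass

# Indicators copied from the page, defanged exactly as published.
# Only the values printed on the page are used; the "and N more" entries
# are not reconstructed here.
C2_ENDPOINTS_DEFANGED = ["hxxp://31.97[.]17.73:3000", "hxxp://72.60[.]255.182:3000"]
PHISHING_URLS_DEFANGED = ["hxxps://maisseguraca[.]site/", "hxxp://proseguro[.]site/"]
SAMPLE_SHA256 = {
    "5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc",
    "5df7ded7e5ba815f563193140e4f303fff50c78aac475b7c3409b0271131dbab",
}

# Constructed sample log lines (assumed format: "<ts> <src> -> <dst>:<port> <proto> <app>"
# for connections, and free-form proxy/download events). Not from the report.
SAMPLE_LOG = [
    "2025-11-02T10:11:12Z 10.0.0.5 -> 31.97.17.73:3000 TCP ws",
    "2025-11-02T10:11:13Z 10.0.0.5 -> 198.51.100.20:443 TCP tls",
    "2025-11-02T10:12:00Z 10.0.0.7 GET https://maisseguraca.site/cartao-seguro.apk",
    "2025-11-02T10:12:05Z 10.0.0.7 download sha256=5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc name=cartao-seguro.apk",
    "2025-11-02T10:13:00Z 10.0.0.9 -> 192.0.2.10:3000 TCP ws",
]


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "c2", "phishing", "hash", or "port3000" (heuristic, needs review)


def refang(value: str) -> str:
    """Turn the published hxxp:// and [.] defanging back into a matchable string."""
    return value.replace("hxxps", "https").replace("hxxp", "http").replace("[.]", ".")


def host_port(url: str):
    """Extract (host, port) from a URL; port is None when not present."""
    m = re.match(r"https?://([^/:]+)(?::(\d+))?", url)
    return (m.group(1), m.group(2)) if m else (None, None)


def build_indicators():
    """Refang the page's IoCs into sets usable for matching."""
    c2_ips = {host_port(refang(u))[0] for u in C2_ENDPOINTS_DEFANGED}
    domains = {host_port(refang(u))[0] for u in PHISHING_URLS_DEFANGED}
    return c2_ips, domains


def scan_log(lines):
    """Return one Hit per matched indicator per line, in line order."""
    c2_ips, domains = build_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        # Exact C2 endpoint: known IP on port 3000 (high confidence).
        for ip in c2_ips:
            if re.search(rf"\b{re.escape(ip)}:3000\b", line):
                hits.append(Hit(n, f"{ip}:3000", "c2"))
        # Phishing distribution domain anywhere in a URL or host field.
        for d in domains:
            if re.search(rf"\b{re.escape(d)}\b", line):
                hits.append(Hit(n, d, "phishing"))
        # APK hash, e.g. from a download or EDR file event.
        for h in SAMPLE_SHA256:
            if h in line.lower():
                hits.append(Hit(n, h, "hash"))
        # Heuristic: any other outbound connection to port 3000. Low confidence;
        # dev servers commonly listen on 3000, so these need analyst review.
        m = re.search(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):3000\b", line)
        if m and m.group(1) not in c2_ips:
            hits.append(Hit(n, f"{m.group(1)}:3000", "port3000"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.kind}] {hit.indicator}")
```

Against the constructed log the matcher reports the C2 session, the phishing-site download, the APK hash, and one port-3000 review candidate; in practice the "port3000" hits should be triaged rather than blocked outright, while the three indicator-backed kinds are direct matches on the published IoCs.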
MITRE Techniques
- [T1660] Phishing – Distribution via phishing pages that prompt users to install the malicious app; quote: ‘Malware is distributed via a phishing site’
- [T1426] System Information Discovery – The malware collects device details to support its operation; quote: ‘Malware collects device information’
- [T1417.002] Input Capture: GUI Input Capture – The app displays phishing screens to capture PINs from victims; quote: ‘Malware loads the phishing page to enter the PIN’
- [T1437.001] Application Layer Protocol: Web Protocols – C2 and relay channel use HTTP/WebSocket application-layer protocols for APDU forwarding; quote: ‘Malware uses http protocol’
- [T1509] Non-Standard Port – The malware establishes WebSocket connections over port 3000 for command-and-control and relay traffic; quote: ‘Malware establishes a WebSocket connection over port 3000’
Indicators of Compromise
- [SHA256] RelayNFC sample hashes – 5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc, 5df7ded7e5ba815f563193140e4f303fff50c78aac475b7c3409b0271131dbab, and 3 more hashes
- [URL] Phishing distribution sites – hxxps://maisseguraca[.]site/, hxxp://proseguro[.]site/, and 3 more phishing URLs
- [URL, C&C server] WebSocket / command-and-control endpoints (IP:port) – hxxp://31.97[.]17.73:3000, hxxp://72.60[.]255.182:3000, and 3 more IP:3000 entries
- [File Name] Malicious APK – cartao-seguro.apk (associated SHA-256: 5905aa58853a05e860c87e9feeeea7c32b43859c8e703485e233429cec8d38dc) distributed from a phishing site
Read more: https://cyble.com/blog/relaynfc-nfc-relay-malware-targeting-brazil/