SuperCard X is a newly identified malware-as-a-service (MaaS) platform that targets Android handsets using an advanced NFC relay technique. The malware exploits Near Field Communication (NFC) technology to execute relay attacks, enabling attackers to carry out fraudulent point-of-sale (POS) payments and ATM withdrawals using stolen credit card information.
SuperCard X operates by intercepting NFC data from compromised Android phones. Attackers use social engineering to trick victims into entering their credit card information on compromised devices.
Fraudsters can intercept payment card information via the NFC relay attack when a victim uses their compromised phone close to a contactless reader, such as an ATM or a store checkout.
The malware then sends this information to another device controlled by the attacker, allowing them to make fraudulent payments or even withdraw cash.
Security experts believe SuperCard X is linked to Chinese-speaking cybercriminals. The malware shares significant code similarities with the open-source project NFCGate and its malicious offshoot NGate, which has been facilitating attacks across Europe since last year.
The Android malware campaign was discovered by Italian mobile security firm Cleafy, which confirmed that SuperCard X was being used in targeted attacks in Italy. Analysts discovered multiple versions of the malware, each targeting specific locations or objectives, and the operators supply affiliates with customised builds for those targets.
Analysis of the SuperCard X activity in Italy also revealed that links back to Telegram had been removed from the malware builds. This makes it more difficult to trace the attacks back to the core SuperCard X service and its operators, indicating that the criminals are trying to cover their tracks.
How SuperCard X Bypasses Detection and Enables Real-Time NFC Card Cloning
Scammers are leveraging WhatsApp and SMS to distribute this malware campaign, targeting bank customers with fake messages claiming to be from their bank and warning of suspicious activity. Victims are instructed to call a helpline for support.
On the call, a fraudster impersonates a bank representative. Using social engineering, they persuade the victim to disclose their card number and PIN, and to disable spending limits in their banking app.
The attackers then instruct the victim to install an app called Reader, disguised as a security tool. This app contains the SuperCard X malware, a new threat engineered to steal card data using the device’s NFC module.
After installation, the Reader application requests only NFC access. The fraudsters then tell the victim to tap their bank card against the phone "for verification". In reality, this lets the malware read data from the card's chip and send it to the attackers.
The attackers receive the stolen card data on a second Android device running the Tapper app, which emulates the victim's card. This bypasses typical security measures, enabling unauthorised contactless transactions.
Unlike other banking malware, SuperCard X does not rely on credential theft or screen overlays. Instead, it targets the physical link between card and terminal. Its minimal feature set makes it hard to detect.
According to Cleafy, SuperCard X is currently not flagged by any of the malware scanners on VirusTotal. It also avoids risky permission requests and aggressive behaviour such as screen overlay attacks, which helps it slip past automated checks. Payment terminals see the emulated card as a genuine one because it uses ATR (Answer to Reset) emulation, which improves the attack's technical credibility and shows a solid understanding of smartcard protocols.
One notable aspect is the use of mutual TLS (mTLS), which encrypts the connection to the command-and-control (C2) infrastructure. This keeps the traffic safe from interception by researchers or law enforcement.
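To show what the ATR the malware emulates actually contains, here is an added Python parser for the ISO/IEC 7816-3 Answer to Reset; it is not code from the article or from Cleafy's analysis, and the sample ATR it decodes is a generic constructed one rather than an indicator from this campaign. Every field it recovers (offered protocols, interface bytes, historical bytes, check byte) is a static value that any emulator can replay, which is why an ATR match gives a terminal no assurance that the card is genuine.

```python
from typing import Optional

# Added illustration: ISO/IEC 7816-3 ATR decoder. Not code from the article or
# from Cleafy. The ATR used in the usage example is a constructed generic value.

def parse_atr(atr_hex: str) -> dict:
    """Decode an Answer to Reset (hex string) into its fields.

    Raises ValueError on a malformed ATR or a failing TCK check byte.
    """
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse) convention")
    t0 = atr[1]
    y, k = t0 >> 4, t0 & 0x0F  # Y1: which of TA1..TD1 follow; K: historical length
    idx, group = 2, 1
    interface, protocols = [], set()
    while y:
        next_y = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if idx >= len(atr):
                raise ValueError(f"ATR truncated before {name}{group}")
            interface.append((f"{name}{group}", atr[idx]))
            if name == "TD":  # TDi: high nibble = Y(i+1), low nibble = protocol T
                protocols.add(atr[idx] & 0x0F)
                next_y = atr[idx] >> 4
            idx += 1
        y, group = next_y, group + 1
    if idx + k > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    historical = atr[idx:idx + k]
    idx += k
    # TCK is present only when a protocol other than T=0 is offered; XOR of all
    # bytes from T0 to TCK inclusive must be zero.
    tck: Optional[int] = None
    if protocols - {0}:
        if idx >= len(atr):
            raise ValueError("TCK missing")
        tck = atr[idx]
        xor = 0
        for b in atr[1:idx + 1]:
            xor ^= b
        if xor != 0:
            raise ValueError("TCK check failed")
        idx += 1
    if idx != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"ts": atr[0], "protocols": protocols or {0}, "interface": interface,
            "historical": historical, "tck": tck}
```

Example call on a constructed ATR: `parse_atr("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")` reports protocols T=0 and T=1, fifteen historical bytes and a valid TCK of 0x6A.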
Cleafy also identified different Reader malware variants with minor differences in login screens, indicating that affiliates are likely generating customised versions for specific campaigns. In response to such threats, Google is developing a new Android feature that will block app installations from unknown sources and restrict access to accessibility settings during phone calls.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.