A new malware-as-a-service (MaaS) platform named ‘SuperCard X’ is emerging as a significant threat, specifically targeting Android devices through NFC relay attacks. This malware enables point-of-sale and ATM transactions using compromised payment card data, raising concerns among cybersecurity experts. As reported by mobile security firm Cleafy, SuperCard X is linked to Chinese-speaking threat actors and exhibits similarities to the open-source project NFCGate, as well as its malicious derivative, NGate, which has seen usage in Europe since last year.
SuperCard X is distributed through Telegram channels, which both promote the platform and provide direct support to its users. Attacks using the malware have reportedly been documented in Italy, and the samples observed differ in small details, suggesting that affiliates are offered builds tailored to regional preferences or needs.
The modus operandi of the SuperCard X attack begins with victims receiving fraudulent messages, often via SMS or WhatsApp, impersonating their bank. These messages prompt victims to call a provided number to resolve so-called transaction issues. Responding to the call, victims are met by scammers masquerading as bank representatives who use social engineering techniques to extract sensitive information such as card numbers and PINs. Subsequently, victims are persuaded to download a malicious application disguised as a security tool, which ultimately contains the SuperCard X malware.
Once installed, the malware requires minimal permissions, primarily access to the device's NFC module, which is enough for it to capture payment card data. The attackers then instruct victims to tap their payment cards against their phones, and the card data is read and exfiltrated within moments. The captured data is sent to the attackers, who use a second application called Tapper to emulate the victim's card and carry out unauthorized contactless payments at point-of-sale terminals and ATMs.
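Because the page's account of the victim-side app rests on a single capability (the NFC permission), a defender triaging a sideloaded APK can start from its manifest. The following is an added example, not code from Cleafy, Google, or the page: it parses an AndroidManifest, reports whether the app requests `android.permission.NFC`, whether it also declares a host card emulation (HCE) service, and how many permissions it asks for in total. Both manifests are constructed for the example and are not SuperCard X samples; the package names, service names, and verdict labels are this example's own assumptions.

```python
"""Manifest triage for sideloaded Android apps.

Added, hypothetical example (not from the page or from Cleafy). It flags two
NFC capability patterns that a reviewer would want to look at in an app a
victim was talked into installing:
  - "nfc-reader": requests android.permission.NFC but declares no HCE service,
    i.e. it can read a tapped card (the behaviour the page describes);
  - "nfc-card-emulation": additionally declares a HOST_APDU_SERVICE, so it can
    present itself as a card to a terminal (the stronger signal).
The manifests below are constructed inputs, not real malware samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name in ElementTree form
NFC_PERMISSION = "android.permission.NFC"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed manifest: a "security tool" that asks for little beyond NFC and
# also declares an HCE service (hypothetical package and class names).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecuritytool">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Check">
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest: a plain NFC tag reader with no card emulation.
READER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tagreader">
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Tag Reader">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the NFC-related facts a reviewer needs from one manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(p.get(NAME_ATTR, "") for p in root.iter("uses-permission"))
    requests_nfc = NFC_PERMISSION in permissions

    # A service is an HCE service if one of its intent-filter actions is the
    # HOST_APDU_SERVICE action.
    hce_services = []
    for svc in root.iter("service"):
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if HCE_ACTION in actions:
            hce_services.append(svc.get(NAME_ATTR, "<unnamed>"))

    if requests_nfc and hce_services:
        verdict = "nfc-card-emulation"
    elif requests_nfc:
        verdict = "nfc-reader"
    else:
        verdict = "no-nfc"

    return {
        "package": root.get("package", ""),
        "permission_count": len(permissions),
        "requests_nfc": requests_nfc,
        "hce_services": hce_services,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, READER_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict is a triage label, not a malware determination: plenty of legitimate wallet apps declare HCE services and plenty of utilities request NFC. What the manifest cannot tell you is how the app was installed, so pair this with the install source (Play Store versus sideloaded package installer) before escalating.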
According to Cleafy, the SuperCard X malware is not detected by existing antivirus platforms. Its use of mutual TLS (mTLS) to secure communications with its infrastructure makes that traffic harder to intercept and inspect, complicating analysis of its operations by law enforcement and researchers. Responding to the report, a Google spokesperson said that no apps containing this malware are currently found on the Google Play store, and noted that Android users are protected by Google Play Protect, which warns of potentially malicious activity.