New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals

A sophisticated Android malware campaign dubbed ‘SuperCard X’ has emerged as a significant threat to financial institutions and cardholders worldwide.

This new malicious software employs an innovative Near-Field Communication (NFC) relay technique that enables attackers to fraudulently authorize Point-of-Sale (POS) payments and perform Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.

The malware operates through a well-orchestrated fraud scheme combining social engineering tactics with technological exploitation, creating a seamless bridge between victims’ payment cards and attackers’ devices regardless of physical location.


Unlike traditional banking trojans that focus on credential theft or screen overlays, SuperCard X represents an evolution in mobile threats by targeting the physical communication layer between payment cards and terminals.

The malware is distributed through carefully crafted social engineering campaigns, where victims receive deceptive messages impersonating bank security alerts about suspicious transactions.

When victims call the provided number, they unwittingly engage with threat actors who guide them through a series of actions ultimately leading to the compromise of their payment credentials.

Cleafy Threat Intelligence researchers identified this campaign as part of a broader Chinese-speaking Malware-as-a-Service (MaaS) platform.

Their analysis revealed significant code similarities between SuperCard X and the open-source NFCGate tool developed by the Technical University of Darmstadt, as well as another Android malware called NGate that targeted the Czech Republic earlier in 2024.

What distinguishes SuperCard X is its streamlined focus on NFC relay functionality with minimal additional features, allowing it to maintain an unusually low detection profile.

The impact of this threat extends beyond traditional banking fraud paradigms, as it directly targets payment card transactions rather than specific banking institutions.

This agnostic operational approach means virtually any card issuer’s customers could become victims.

Furthermore, the instantaneous nature of these transactions—resembling “instant payments” but with immediate access to goods, services, or cash—creates a dual advantage for fraudsters: rapid fund movement and immediate transaction benefit.

Fraud Schema (Source – Cleafy)

The complete fraud scenario unfolds in a meticulously planned sequence. After initial contact through SMS or WhatsApp and subsequent phone manipulation, attackers convince victims to install the malicious “Reader” application on their smartphones.

Victims are then instructed to tap their payment cards against their infected phones, unwittingly transmitting their card data through the malware to the attackers’ “Tapper” device, which can instantly execute fraudulent transactions at remote locations.

Technical Architecture of the NFC Relay Attack

The SuperCard X malware employs a two-component architecture consisting of a “Reader” application installed on victims’ devices and a “Tapper” application controlled by the attackers.

‘Reader’ and ‘Tapper’ applications (Source – Cleafy)

These components communicate over HTTP through a Command and Control (C2) infrastructure provided by the MaaS platform.

To ensure proper routing between various MaaS affiliates, both applications require authentication credentials, which attackers pre-generate and provide to victims during the social engineering phase.

The malware’s technical sophistication is evident in its embedded file containing multiple Answer To Reset (ATR) messages, which are typically used to initiate communication parameters between smart cards and NFC readers.

Match between an ATR and a card type (Source – Cleafy)

By leveraging these ATRs, SuperCard X can deceive POS terminals or ATMs into recognizing the attacker’s device as a legitimate physical card, effectively bypassing proximity constraints.
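As an added illustration (not code from the SuperCard X sample or from Cleafy’s analysis), the following Python decoder shows how an ISO 7816-3 ATR is structured, how its TCK checksum is verified and how the historical bytes of a PC/SC contactless ATR are matched to a card name, which is the kind of parsing an analyst performs when triaging an embedded ATR file. The card-name table holds the PC/SC-defined MIFARE entries and the sample ATRs in the docstring are standard published examples; nothing here is taken from the malware.

```python
"""ISO 7816-3 ATR decoder for triaging ATR lists (analyst aid, not malware code).

Sample inputs (standard examples):
  "3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A"  PC/SC MIFARE 1K
  "3B 02 14 50"                                                    minimal T=0 ATR
"""

# PC/SC Part 3 card-name codes (real entries; extend as needed).
PCSC_CARD_NAMES = {
    0x0001: "MIFARE Classic 1K",
    0x0002: "MIFARE Classic 4K",
    0x0003: "MIFARE Ultralight",
}


def parse_atr(hexstr):
    b = bytes.fromhex(hexstr.replace(" ", ""))
    if not b or b[0] not in (0x3B, 0x3F):        # TS: direct or inverse convention
        raise ValueError("bad TS byte")
    t0 = b[1]
    y, k = t0 >> 4, t0 & 0x0F                    # Y1 presence mask, K historical count
    i, protocols, td_seen = 2, [], False
    while y:                                     # walk TA/TB/TC/TD groups
        y_next = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if name == "TD":                 # TD carries protocol + next Y nibble
                    td_seen = True
                    protocols.append(b[i] & 0x0F)
                    y_next = b[i] >> 4
                i += 1
        y = y_next
    if not td_seen:
        protocols = [0]                          # no TD1 means T=0 only
    hist = b[i:i + k]
    i += k
    tck_ok = None
    if any(p != 0 for p in protocols):           # TCK exists only when some T != 0
        x = 0
        for v in b[1:i + 1]:                     # XOR of T0 .. TCK must be zero
            x ^= v
        tck_ok = (x == 0)
    card = None
    if len(hist) >= 11 and hist[0] == 0x80 and hist[1] == 0x4F:
        # PC/SC contactless layout: 80 4F len RID(5) SS C0 C1 RFU(4)
        card = PCSC_CARD_NAMES.get((hist[9] << 8) | hist[10], "unknown PC/SC card")
    return {"protocols": sorted(set(protocols)), "historical": hist.hex(),
            "tck_ok": tck_ok, "card": card}
```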

SuperCard X maintains its stealth through a minimalistic permission model, primarily requesting only the essential android.permission.NFC permission alongside standard, non-suspicious permissions associated with basic application functionality.

This deliberate limitation in requested permissions allows it to perform its malicious core function while maintaining a benign profile, resulting in extremely low detection rates among antivirus solutions.

The malware further secures its operations through mutual TLS (mTLS) authentication for communication with its C2 infrastructure, preventing unauthorized analysis attempts.

Custom builds for specific campaigns, such as those targeting Italian users, feature modifications to streamline the user experience and remove references to the MaaS platform’s Telegram channels, making attribution more challenging for security researchers.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.