The Cleafy Threat Intelligence team has uncovered a new and sophisticated Android malware campaign, dubbed ‘SuperCard X,’ that employs a novel NFC-relay technique to conduct fraudulent financial transactions. This campaign enables attackers to authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.
SuperCard X is no ordinary banking Trojan. Instead, it harnesses a novel NFC-relay technique, allowing attackers to “fraudulently authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.” The attack starts with social engineering: victims are lured via SMS or WhatsApp into installing a seemingly harmless app and then tricked into “tapping” their payment cards on their infected smartphones.
The campaign is distributed as a Malware-as-a-Service (MaaS), advertised on Chinese-speaking cybercrime forums. The Cleafy team notes that “preliminary analysis suggests that TAs are leveraging a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X.” Its codebase overlaps with the previously documented NGate malware, hinting at a growing and shared ecosystem of NFC-hacking tools.
The attack begins with social engineering tactics, where victims are deceived into installing a malicious application. Once installed, the malware prompts users to “tap” their payment cards on their infected phones. This allows the malware to capture and relay the NFC communication between the card and the device.
- Deceptive Messages: Fraudsters initiate the scam with SMS or WhatsApp alerts, masquerading as bank security notifications about suspicious payments.
- Telephone-Oriented Attack Delivery (TOAD): Victims are encouraged to call a number, where persuasive social engineers elicit card PINs and even guide them through removing card spending limits.
- Malicious App Installation: Attackers convince victims to download a malicious app, disguised as a security or verification tool, which houses the SuperCard X payload.
- NFC Data Capture: Victims are asked to “verify” their card by tapping it to their phone, at which point the malware intercepts and relays the NFC data to an attacker’s device.
- Fraudulent Transactions: The attacker uses a second, attacker-controlled device to perform unauthorized POS payments or ATM withdrawals.
As the report explains, “the SuperCard X malware then silently captures the card details transmitted via NFC. This data is intercepted in real-time and relayed through a Command and Control (C2) infrastructure to a second, attacker-controlled Android device.” With this method, “fraudsters can perform unauthorized transactions… typically involving contactless payments at POS terminals or, more alarmingly, contactless cash withdrawals at ATMs.”

Cleafy’s research found that affiliates can deploy custom builds of SuperCard X for different regions. For example, “a key customization observed in these specific Italian campaign samples is removing the ‘Register’ button,” pre-creating accounts for victims and streamlining the attack flow. The use of benign icons and the removal of obvious references to the MaaS platform further obscure the malware’s true nature.
“Given the potential for widespread impact due to the MaaS distribution model, we strongly recommend that banking institutions and card issuers maintain heightened vigilance regarding these emerging attack scenarios,” Cleafy urges.