
The Cleafy Threat Intelligence team has uncovered a new and sophisticated Android malware campaign, dubbed ‘SuperCard X,’ that employs a novel NFC-relay technique to conduct fraudulent financial transactions. This campaign enables attackers to authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.
SuperCard X is no ordinary banking Trojan. Instead, it harnesses a novel NFC-relay technique, allowing attackers to “fraudulently authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.” The attack starts with social engineering: victims are lured via SMS or WhatsApp into installing a seemingly harmless app and then tricked into “tapping” their payment cards on their infected smartphones.
The campaign is distributed as a Malware-as-a-Service (MaaS), advertised on Chinese-speaking cybercrime forums. The Cleafy team notes that “preliminary analysis suggests that TAs are leveraging a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X.” Its codebase overlaps with the previously documented NGate malware, hinting at a growing and shared ecosystem of NFC-hacking tools.
The attack begins with social engineering: victims are deceived into installing a malicious application, which then prompts them to “tap” their payment cards on the infected phone so the malware can capture and relay the NFC exchange between card and device. The chain proceeds as follows:
- Deceptive Messages: Fraudsters initiate the scam with SMS or WhatsApp alerts, masquerading as bank security notifications about suspicious payments.
- Telephone-Oriented Attack Delivery (TOAD): Victims are encouraged to call a number, where persuasive social engineers elicit card PINs and even guide them through removing card spending limits.
- Malicious App Installation: Attackers convince victims to download a malicious app, disguised as a security or verification tool, which houses the SuperCard X payload.
- NFC Data Capture: Victims are asked to “verify” their card by tapping it to their phone, at which point the malware intercepts and relays the NFC data to an attacker’s device.
- Fraudulent Transactions: The attacker uses a second, attacker-controlled device to perform unauthorized POS payments or ATM withdrawals.
As the report explains, “the SuperCard X malware then silently captures the card details transmitted via NFC. This data is intercepted in real-time and relayed through a Command and Control (C2) infrastructure to a second, attacker-controlled Android device.” With this method, “fraudsters can perform unauthorized transactions… typically involving contactless payments at POS terminals or, more alarmingly, contactless cash withdrawals at ATMs.”

Cleafy’s research found that affiliates can deploy custom builds of SuperCard X for different regions. For example, “a key customization observed in these specific Italian campaign samples is removing the ‘Register’ button,” pre-creating accounts for victims and streamlining the attack flow. The use of benign icons and the removal of obvious references to the MaaS platform further obscure the malware’s true nature.
“Given the potential for widespread impact due to the MaaS distribution model, we strongly recommend that banking institutions and card issuers maintain heightened vigilance regarding these emerging attack scenarios,” Cleafy urges.