Pierluigi Paganini
April 21, 2025
Cleafy researchers discovered a new malware-as-a-service (MaaS) called SuperCard X targeting Android devices with NFC relay attacks for fraudulent cash-outs.
Attackers promote the MaaS through Telegram channels, analysis shows SuperCard X builds had Telegram links removed, likely to hide affiliate ties and hinder attribution, suggesting efforts to evade detection. Analysis of the SuperCard X campaign in Italy revealed custom malware builds tailored for regional use.
This campaign uses an NFC-relay technique to hijack POS and ATM transactions by relaying intercepted card data. The malware is delivered via social engineering, attackers attempt to trick victims into tapping cards on infected phones. The researchers linked the campaign to the Chinese-speaking MaaS platform “SuperCard X,” they noticed the malware shares code with the NGate malware.
The fraud campaign starts with fake bank alerts via SMS or WhatsApp, luring victims to call attackers. Calls enable social engineering in a Telephone-Oriented Attack Delivery (TOAD) scenario.
During calls, attackers use social engineering to extract card PINs, guide victims to remove card limits, and trick them into installing a malicious app (hiding SuperCard X). Once installed, the malware captures NFC card data when victims tap their card, relays it to attacker devices, and enables fraudulent POS or ATM transactions.
“Exploiting the victim’s potential anxiety regarding the fraudulent transaction, the TAs convince them to “reset” or “verify” their card. Since victims often do not recall their PIN immediately, the attackers guide them through their mobile banking application to retrieve this sensitive information.” reads the report published by Cleafy. “Once they have gained the victim’s trust and potentially their banking app access (through verbal guidance), the TAs instruct the victim to navigate to the card settings within their banking app and remove any existing spending limits on their debit or credit card. This crucial step maximizes the potential for fraudulent cash-out. Subsequently, the TAs persuade the victim to install a seemingly innocuous application. A link to this malicious app, often disguised as a security tool or a verification utility, is sent via SMS or WhatsApp. Without the victim’s knowledge, this application hides the SuperCard X malware, incorporating the NFC-relay functionality.”
SuperCard X uses a modular setup with two apps: “Reader” (blue icon) is deployed on victim devices to capture NFC card data, and the “Tapper” (green icon) that runs on attacker devices to relay and misuse the stolen data.
The “Reader” and “Tapper” are linked via a shared C2 server over HTTP. Affiliates authenticate through login credentials, which bind the victim’s Reader to the attacker’s Tapper for real-time NFC data relay. The malware also uses stored ATR messages to enable card emulation, helping attackers trick POS terminals and ATMs into accepting the relayed card as genuine.
The malware maintains a low detection rate among antivirus solutions due to its minimal permission model and narrow focus on NFC relay attacks. Unlike complex banking trojans, it only requests essential permissions like android.permission.NFC, helping it appear harmless while enabling effective fraud.
While the core NFC relay function stayed intact, affiliates removed Telegram links and the “Register” button, as attackers pre-create accounts for victims. These tweaks, along with benign-looking icons and names, help reduce suspicion and hinder detection or attribution.
“this new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC. This process allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers.” concludes the report. “Another noteworthy aspect of this malware is its low fingerprinting profile.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
