Introduction
A sophisticated mobile malware campaign [6], known as “SuperCard X,” has been identified as a Malware-as-a-Service (MaaS) platform. This platform enables cybercriminals to conduct previously undocumented near-field communication (NFC) relay attacks, primarily targeting Android devices in Italy [4]. The malware is designed to facilitate unauthorized financial transactions at Automated Teller Machines (ATMs) and Point-of-Sale (POS) terminals by capturing and relaying credit card data through counterfeit banking applications.
Description
A sophisticated mobile malware campaign named “SuperCard X” has been identified [6], operating as a Malware-as-a-Service (MaaS) platform that enables cybercriminals to execute previously undocumented near-field communication (NFC) relay attacks primarily targeting Android devices in Italy. This malware is specifically designed to facilitate unauthorized financial transactions at Automated Teller Machines (ATMs) and Point-of-Sale (POS) terminals by capturing and relaying credit card data through fake banking applications.
Linked to Chinese-speaking threat actors [1] [4] [7], SuperCard X shares code similarities with the open-source NFCGate project and the previously active NGate malware in Europe [1]. The attack typically begins with targeted phishing messages sent via SMS or WhatsApp, warning victims about fake payments and directing them to a fraudulent bank support hotline [5]. During these interactions, scammers posing as bank representatives employ social engineering tactics to extract sensitive information, including card numbers and PINs. Victims are then deceived into installing a malicious application called ‘Reader,’ disguised as a security tool [4] [8], which requests minimal permissions [3] [4] [7] [8], primarily accessing the device’s NFC module [4] [8], allowing it to evade detection by security software [4].
Once installed, SuperCard X prompts victims to tap their payment card on their phone under the pretense of verifying their identity. This action enables the malware to read the card’s NFC chip data and transmit it in real time to a second Android device controlled by the attacker through a Command and Control (C2) infrastructure. The attacker can then use a companion application, “Tapper,” on this device to receive the stolen card information and execute unauthorized purchases or ATM withdrawals. The emulated cards used in these attacks are ATR-based (Answer To Reset) [4], mimicking legitimate smartcard behavior and allowing the malware to bypass proximity constraints, so that transactions appear normal to banks. The transactions are typically small, designed to evade detection [1] [4].
Custom builds of SuperCard X have been observed [2], tailored for specific regions [1] [2] [4], including an Italian variant that enhances the attack’s efficiency by removing the ‘Register’ button and pre-creating accounts for victims. The malware employs stealth techniques, avoiding suspicious permission requests and aggressive tactics like overlay attacks [1], which help it evade detection by antivirus software [1] [4]. Notably, SuperCard X utilizes mutual TLS (mTLS) for secure communication with command-and-control servers and implements certificate-based authentication to resist interception and analysis [4], indicating a high level of sophistication in its design and operation [4].
Currently, Google has reported no evidence of SuperCard X-infected apps on the Play Store [1], and users with Google Play Protect enabled are automatically protected from such threats [1]. This situation has prompted recommendations for banking institutions and card issuers to maintain heightened vigilance against these emerging threats [2], as the rapid and seemingly legitimate nature of these transactions makes detection and reversal by banks challenging. As a malware-as-a-service available on the dark web [8], SuperCard X poses a risk of spreading to other countries [8], including the US [8].
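The paragraphs above note that the fraudulent transactions are small, rapid and look legitimate to the issuer. As an added illustration (not code from the report or from any of the cited sources), the following Python sketch shows one issuer-side heuristic a fraud team might run over its own transaction feed: flag a card whose contactless history contains a burst of small payments at several different terminals inside a short window. The record format, the thresholds (`SMALL_AMOUNT`, `WINDOW`, `MIN_BURST`, `MIN_TERMINALS`) and the sample transactions are all constructed assumptions for illustration; real tuning would come from an issuer's own baseline.

```python
"""Toy issuer-side detector for small, rapid contactless bursts.

Added example, not part of the original report. Thresholds and the
transaction record format are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str          # issuer-side card token (constructed values below)
    ts: datetime       # authorization timestamp
    amount: float      # amount in the issuer's currency (assumed EUR)
    channel: str       # "contactless", "chip" or "online"
    terminal: str      # POS / ATM identifier


# Heuristic parameters: assumptions, not figures from the report.
SMALL_AMOUNT = 50.0               # "small" transaction ceiling
WINDOW = timedelta(minutes=30)    # burst window
MIN_BURST = 3                     # payments needed to count as a burst
MIN_TERMINALS = 2                 # distinct terminals needed (reduces single-shop false positives)


def find_relay_bursts(txns):
    """Return one alert dict per card showing a suspicious burst.

    A burst is >= MIN_BURST small contactless payments at >= MIN_TERMINALS
    distinct terminals, all within WINDOW of each other. The alert keeps the
    largest qualifying window seen for that card.
    """
    by_card = {}
    for t in txns:
        if t.channel == "contactless" and t.amount <= SMALL_AMOUNT:
            by_card.setdefault(t.card, []).append(t)

    alerts = []
    for card, items in sorted(by_card.items()):
        items.sort(key=lambda t: t.ts)
        best = None
        start = 0
        # Sliding window over the time-ordered small contactless payments.
        for end in range(len(items)):
            while items[end].ts - items[start].ts > WINDOW:
                start += 1
            window = items[start:end + 1]
            terminals = {t.terminal for t in window}
            if len(window) >= MIN_BURST and len(terminals) >= MIN_TERMINALS:
                cand = {
                    "card": card,
                    "count": len(window),
                    "terminals": sorted(terminals),
                    "first": window[0].ts,
                    "last": window[-1].ts,
                    "total": round(sum(t.amount for t in window), 2),
                }
                if best is None or cand["count"] > best["count"]:
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample feed (not real data).
BASE = datetime(2025, 4, 21, 10, 0)
SAMPLE = [
    # card-A: three small contactless payments at two terminals within 12 minutes
    Txn("card-A", BASE, 12.50, "contactless", "POS-1001"),
    Txn("card-A", BASE + timedelta(minutes=4), 19.90, "contactless", "POS-1001"),
    Txn("card-A", BASE + timedelta(minutes=12), 24.00, "contactless", "ATM-77"),
    # card-B: ordinary, spread-out use
    Txn("card-B", BASE, 3.20, "contactless", "POS-2001"),
    Txn("card-B", BASE + timedelta(days=1), 4.10, "contactless", "POS-2001"),
    Txn("card-B", BASE + timedelta(days=2), 120.00, "chip", "POS-3000"),
    # card-C: quick small purchases, but all at one kiosk terminal
    Txn("card-C", BASE, 5.00, "contactless", "POS-4001"),
    Txn("card-C", BASE + timedelta(minutes=2), 5.00, "contactless", "POS-4001"),
    Txn("card-C", BASE + timedelta(minutes=5), 5.00, "contactless", "POS-4001"),
]


if __name__ == "__main__":
    for alert in find_relay_bursts(SAMPLE):
        print(alert)
```

Run as-is, the script reports a single alert for `card-A` (three payments, two terminals, 56.40 total); `card-B` is too spread out and `card-C` never leaves one terminal. A production rule would add the signals the issuer actually has, such as the cardholder's known location or device, but the sliding-window shape is the same.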
Conclusion
The emergence of SuperCard X highlights the evolving threat landscape in mobile cybersecurity, particularly concerning NFC relay attacks. Its sophisticated design and operation [4], coupled with its availability as a service on the dark web, underscore the need for heightened vigilance among banking institutions and card issuers. While current protections, such as Google Play Protect, offer some defense, the potential for this malware to spread to other regions, including the US [8], necessitates ongoing monitoring and adaptation of security measures to mitigate its impact effectively.
References
[1] https://www.thaicert.or.th/en/2025/04/21/new-android-malware-supercard-x-steals-credit-card-data-via-nfc-relay-attacks/
[2] https://securityonline.info/supercard-x-android-malware-steals-cards-via-nfc-relay-attacks/
[3] https://www.astrill.com/blog/supercard-x-malware-targets-android-users/
[4] https://dailysecurityreview.com/security-spotlight/new-android-malware-supercard-x-enables-nfc-relay-attacks-for-payment-card-theft/
[5] https://www.wizcase.com/news/android-nfc-malware-supercardx-card-data-fraud/
[6] https://www.infosecurity-magazine.com/news/supercard-x-contactless-atm-fraud/
[7] https://cybermaterial.com/supercard-x-malware-targets-nfc-payments/
[8] https://www.tomsguide.com/computing/malware-adware/hackers-are-impersonating-banks-to-infect-your-android-phone-with-credit-card-stealing-malware