SuperCard X Android malware exploits NFC for ATM and POS fraud

Cleafy's Threat Intelligence team has uncovered a new and highly sophisticated Android malware campaign dubbed ‘SuperCard X’, which is leveraging an advanced NFC-relay attack to authorize fraudulent transactions at Point-of-Sale (POS) terminals and Automated Teller Machines (ATMs).

Distributed via social engineering tactics, the malware deceives victims into installing a malicious app and subsequently "tapping" their payment cards on their infected phones. This allows threat actors (TAs) to intercept and relay sensitive card data in real-time using a modular system of apps called "Reader" and "Tapper", controlled via a central Command-and-Control (C2) infrastructure.

According to Cleafy, the malware is marketed via a Chinese-speaking Malware-as-a-Service (MaaS) platform, also named SuperCard X. Analysts have confirmed code-level similarities between this malware and NGate, a threat previously documented by ESET in 2024, as well as NFCGate, an open-source tool developed by the Technical University of Darmstadt.

The infection chain begins with SMS or WhatsApp phishing messages impersonating bank security alerts. Victims are urged to call a number to resolve a suspicious transaction, leading to a Telephone-Oriented Attack Delivery (TOAD) scenario. During the call, threat actors convince users to install the SuperCard X “Reader” app, providing them with login credentials that link their infected device to a “Tapper” device operated by the threat actor.

Once installed, the "Reader" app captures Answer To Reset (ATR) messages and NFC card data, transmitting them to the threat actor’s device, which uses them to emulate the card and perform unauthorized transactions.

Cleafy’s investigation revealed customized builds of the malware tailored for specific regions, with samples targeting users in Italy. These variants add obfuscation techniques to evade detection and remove visible links to the MaaS Telegram channel. Notably, researchers observed that SuperCard X currently has a low detection rate among mainstream antivirus solutions.
