SuperCard X: New Sophisticated Malware Targets Android via NFC Relay Attacks
TL;DR
A new malware-as-a-service (MaaS) called SuperCard X targets Android devices via NFC relay attacks, enabling fraudulent POS and ATM transactions. This sophisticated attack uses social engineering and a modular setup to steal card data and bypass security measures.
New Sophisticated Malware SuperCard X Targets Android Devices via NFC Relay Attacks
Researchers at Cleafy have uncovered a new malware-as-a-service (MaaS) called SuperCard X, which targets Android devices through NFC relay attacks to facilitate fraudulent cash withdrawals [1].
Modus Operandi of SuperCard X
SuperCard X is promoted through Telegram channels, although recent builds have had Telegram links removed to conceal affiliate connections and hinder attribution. This suggests efforts to evade detection. The campaign, observed in Italy, employs custom malware builds tailored for regional use [1].
The attack begins with fake bank alerts sent via SMS or WhatsApp, luring victims into contacting the attackers. This initiates a Telephone-Oriented Attack Delivery (TOAD) scenario, where attackers use social engineering to extract card PINs and guide victims to remove card limits. Victims are then tricked into installing a malicious app disguised as a security tool, which contains the SuperCard X malware [1].
Technical Details
The malware uses an NFC-relay technique to hijack POS and ATM transactions by relaying intercepted card data. The campaign is linked to the Chinese-speaking MaaS platform “SuperCard X,” which shares code with the NGate malware [2].
SuperCard X operates with two apps:
- Reader (blue icon): Deployed on victim devices to capture NFC card data.
- Tapper (green icon): Runs on attacker devices to relay and misuse the stolen data.
These apps are linked via a shared C2 server over HTTP, with affiliates authenticating through login credentials. The malware also uses stored ATR messages to enable card emulation, helping attackers trick POS terminals and ATMs into accepting the relayed card as genuine [1].
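The ATR (Answer To Reset) mentioned above is the first response a smart card gives and identifies the card model and protocol to a terminal; an emulator that replays a stored ATR can present itself as that card. The parser below is an added example for analysts who need to decode or validate an ATR captured from a card or found stored in a sample; it is not code from Cleafy or from the SuperCard X report. It follows the ISO/IEC 7816-3 layout (TS, T0, interface bytes TA/TB/TC/TD, historical bytes, optional TCK check byte), and the sample ATR is a constructed value in the generic PC/SC contactless-storage-card shape, not an indicator from the report.

```python
"""Parse an ISO/IEC 7816-3 Answer To Reset (ATR) and verify its check byte.

Added example, not code from Cleafy or the SuperCard X report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Atr:
    convention: str                 # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    protocols: List[int]            # T= values announced by TD bytes ([] means T=0 only)
    interface_bytes: Dict[str, int] # e.g. {"TD1": 0x80, "TD2": 0x01}
    historical: bytes               # the K historical bytes (card/issuer identification)
    tck: Optional[int]              # check byte; None when only T=0 is offered
    tck_valid: bool                 # XOR of T0..TCK must be zero


def parse_atr(raw: bytes) -> Atr:
    if len(raw) < 2:
        raise ValueError("ATR must contain at least TS and T0")
    ts = raw[0]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ValueError(f"unknown TS byte 0x{ts:02X}")

    t0 = raw[1]
    k = t0 & 0x0F                   # low nibble: number of historical bytes
    y = t0 >> 4                     # high nibble: presence bits for TA1..TD1
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    protocols: List[int] = []
    # Walk TA_i, TB_i, TC_i, TD_i; each TD_i announces the next group and a protocol.
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"ATR truncated before {name}{i}")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)
        y = td >> 4
        i += 1

    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k

    # TCK is present only if some protocol other than T=0 is offered; it is
    # chosen so that XOR(T0 .. TCK) == 0, which lets us detect a corrupted copy.
    tck: Optional[int] = None
    tck_valid = True
    if any(p != 0 for p in protocols):
        if pos >= len(raw):
            raise ValueError("ATR truncated before TCK")
        tck = raw[pos]
        pos += 1
        xor = 0
        for b in raw[1:pos]:
            xor ^= b
        tck_valid = xor == 0
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing byte(s) after ATR")
    return Atr(convention, protocols, interface, historical, tck, tck_valid)


def parse_atr_hex(s: str) -> Atr:
    """Convenience wrapper for ATRs written as hex strings."""
    return parse_atr(bytes.fromhex(s))


# Constructed sample (not from the report): generic PC/SC contactless storage-card ATR.
SAMPLE_ATR = "3B8F8001804F0CA000000306030001000000006A"

if __name__ == "__main__":
    print(parse_atr_hex(SAMPLE_ATR))
```

For triage, the historical bytes are the interesting part: on PC/SC readers they carry the card standard and name, so a stored ATR in a sample tells you which card family the emulator was meant to impersonate, and a failing TCK tells you the stored copy was edited or truncated.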
Evasion Techniques
The malware maintains a low detection rate among antivirus solutions due to its minimal permission model, requesting only essential permissions like android.permission.NFC. This helps it appear harmless while enabling effective fraud. Affiliates have removed Telegram links and the “Register” button, as attackers pre-create accounts for victims. These tweaks, along with benign-looking icons and names, help reduce suspicion and hinder detection or attribution [1].
Impact and Significance
This new threat stands out due to its fraud mechanism, which relies on a novel NFC technique. This process allows attackers to access stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers. The malware’s low fingerprinting profile makes it particularly stealthy [1].
Conclusion
The discovery of SuperCard X highlights the evolving landscape of cyber threats targeting Android devices. Its sophisticated use of NFC relay attacks and social engineering underscores the need for vigilance and robust security measures to protect against such fraudulent activities.
References
[1] Cleafy Labs (2025). “SuperCard X: Exposing Chinese-speaker MaaS for NFC relay fraud operation”. Cleafy. Retrieved 2025-04-21.
[2] BleepingComputer (2025). “Hackers steal banking creds from iOS, Android users via PWA apps”. BleepingComputer. Retrieved 2025-04-21.