SuperCard X: New MaaS Malware Targets Androids with NFC Relay Attacks for Fraudulent Transactions
Researchers from Cleafy have uncovered a new malware-as-a-service (MaaS) called SuperCard X, designed to target Android devices with NFC relay attacks, enabling fraudulent POS and ATM transactions using stolen card data.
SuperCard X is promoted through Telegram channels, and malware builds are often stripped of Telegram links to avoid detection and attribution. An investigation of the campaign in Italy revealed region-specific custom builds of the malware.
The attack uses NFC-relay techniques to intercept and relay card data during POS and ATM transactions. The malware is spread via social engineering, convincing victims to tap their cards on infected phones. The researchers connected the campaign to the Chinese-speaking SuperCard X platform, noting it shares code with the NGate malware.
The fraud scheme begins with fake bank alerts through SMS or WhatsApp, luring victims into phone calls with attackers. During these calls, attackers use social engineering to obtain card PINs, manipulate card settings, and guide victims into installing the malicious SuperCard X app. Once installed, the malware captures NFC data from the victim’s card, relays it to the attacker’s device, and facilitates fraudulent transactions.
SuperCard X operates with two apps: “Reader” (on victim devices) to capture NFC data and “Tapper” (on attacker devices) to relay the data. These apps are linked to a shared server, enabling real-time data relay for fraud. The malware maintains a low detection rate due to its minimal permissions and focused NFC functionality.
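Because the "Reader" app requests so few permissions, app-inventory triage is one way to surface it when antivirus signatures do not. The sketch below is an added example, not code from Cleafy or from the original article: it flags sideloaded apps whose decoded AndroidManifest.xml requests NFC and INTERNET with a very small permission set. The threshold, the trusted-installer list, the package names and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy
MAX_PERMISSIONS = 4  # assumed cut-off for a "minimal" permission footprint


def permissions(manifest_xml):
    """Return the set of permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def triage(manifest_xml, installer):
    """Return the reasons an app needs manual review; an empty list means no match."""
    perms = permissions(manifest_xml)
    if "android.permission.NFC" not in perms or "android.permission.INTERNET" not in perms:
        return []  # app cannot both read a card and forward data over the network
    reasons = []
    if installer not in TRUSTED_INSTALLERS:
        reasons.append("sideloaded: installer=%s" % (installer or "unknown"))
    if len(perms) <= MAX_PERMISSIONS:
        reasons.append("minimal footprint: %d permissions incl. NFC + INTERNET" % len(perms))
    # Require both signals: NFC + INTERNET alone matches many legitimate apps.
    return reasons if len(reasons) == 2 else []


# Constructed sample inputs (package names are hypothetical).
SIDELOADED_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardverify">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

STORE_WALLET = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, src in [("reader-like", SIDELOADED_READER, None),
                           ("wallet", STORE_WALLET, "com.android.vending")]:
        print(name, triage(xml, src) or "no match")
```

A match is a reason to inspect the app by hand, since legitimate NFC utilities can share this profile.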
To evade detection, attackers have removed Telegram links from the app and disabled the "Register" button, pre-creating accounts for victims instead. With its subtle appearance and low fingerprint profile, SuperCard X presents a novel fraud mechanism using NFC for instant cash-outs, bypassing traditional fraud channels.
This new malware highlights a shift in fraud tactics, leveraging NFC technology to instantly access stolen funds with minimal suspicion.