New Sophisticated Malware SuperCard X Targets Android Devices via NFC Relay Attacks

A new, highly sophisticated malware campaign has been uncovered by researchers at Cleafy, targeting Android devices with a novel technique involving Near Field Communication (NFC) relay attacks. The malware-as-a-service (MaaS) platform, dubbed "SuperCard X," enables attackers to hijack Point of Sale (POS) and ATM transactions by relaying intercepted card data.

The campaign, which has been observed in Italy, uses an NFC-relay technique to capture and relay stolen card data. Attackers promote the MaaS through Telegram channels, but analysis shows that many of these links have since been removed, likely to hide affiliate ties, hinder attribution, and avoid being tracked.

The malware is delivered via social engineering tactics, such as fake bank alerts sent via SMS or WhatsApp, which trick victims into installing a malicious app that hides the SuperCard X malware. Once a victim taps their infected phone on a POS or ATM terminal, the malware captures NFC card data and relays it to an attacker-controlled device.

Once installed, the malware captures NFC card data when the victim taps their card, relays it to an attacker-controlled device, and enables fraudulent POS or ATM transactions. The fake bank alert exploits the victim's anxiety about a supposedly fraudulent transaction, guiding them through a series of steps that ultimately give the attackers access to sensitive banking information.

According to researchers, once the attackers have gained the victim's trust and potentially access to their banking app, they instruct the victim to remove any existing spending limits on their debit or credit card. This crucial step maximizes the potential for fraudulent cash-out. The attackers then persuade the victim to install a seemingly innocuous application that hides the SuperCard X malware.

The SuperCard X malware uses a modular setup with two apps: "Reader" (blue icon) is deployed on victim devices to capture NFC card data, while "Tapper" (green icon) runs on attacker-controlled devices to relay and misuse the stolen data. The two apps are linked via a shared C2 server over HTTP, through which affiliates authenticate with login credentials.

One of the most striking features of this malware is its low detection rate among antivirus solutions. This is due to its minimal permission model and narrow focus on NFC relay attacks. Unlike complex banking trojans, which often request more extensive permissions, SuperCard X requests only essential permissions like android.permission.NFC.

This allows the malware to appear harmless while enabling effective fraud. The attackers have also taken steps to reduce suspicion and hinder detection or attribution by removing Telegram links and the "Register" button, as well as using benign-looking icons and names for their malicious apps.
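The minimal permission model described above is exactly what defeats permission-count scoring: an app that asks only for android.permission.NFC (plus network access) looks like any harmless NFC utility, so a triage rule has to key on the NFC-specific capability rather than on how much the app requests. The script below is an added example written for this article, not Cleafy's tooling and not any SuperCard X code. It parses an AndroidManifest.xml, counts permissions, checks for the broad permissions that conventional banking trojans request, and checks whether the app declares a host-card-emulation service (the `android.nfc.cardemulation.action.HOST_APDU_SERVICE` intent action, a real Android identifier). The assumption that the relay side declares an HCE service while the capture side needs no manifest-visible NFC component beyond the permission is the author's own, not a finding of the report, and the three manifests are constructed, not extracted from samples.

```python
"""Manifest triage heuristic for minimal-permission NFC apps.

Added example for this article; not Cleafy's tooling and not SuperCard X code.
All manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android identifiers the heuristic keys on.
NFC_PERMISSION = "android.permission.NFC"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Permissions that conventional banking trojans request and that permission-based
# scoring relies on; a narrowly focused NFC-relay app avoids every one of them.
BROAD_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether an HCE service is declared)."""
    root = ET.fromstring(xml_text)
    permissions = {
        e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)
    }
    declares_hce = any(
        action.get(NAME_ATTR) == HCE_ACTION
        for service in root.iter("service")
        for action in service.iter("action")
    )
    return permissions, declares_hce


def triage(xml_text):
    """Classify a manifest for analyst review; verdicts are review buckets, not malware calls."""
    permissions, declares_hce = parse_manifest(xml_text)
    broad = sorted(permissions & BROAD_PERMISSIONS)
    uses_nfc = NFC_PERMISSION in permissions
    if broad:
        verdict = "broad-permission-pattern"   # classic trojan footprint; scoring catches this
    elif uses_nfc and declares_hce:
        verdict = "nfc-hce-review"             # can present card data to a terminal (assumed Tapper-style)
    elif uses_nfc and len(permissions) <= 3:
        verdict = "minimal-nfc-review"         # the low-footprint profile scoring misses (assumed Reader-style)
    elif uses_nfc:
        verdict = "nfc-other"
    else:
        verdict = "no-nfc"
    return {
        "verdict": verdict,
        "permission_count": len(permissions),
        "broad_permissions": broad,
        "declares_hce": declares_hce,
    }


# Constructed manifests (hypothetical package names).
READER_STYLE = """<manifest xmlns:android="%s" package="com.example.cardreader">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Card Reader"/>
</manifest>""" % ANDROID_NS

TAPPER_STYLE = """<manifest xmlns:android="%s" package="com.example.tapper">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Tapper">
    <service android:name=".RelayApduService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % ANDROID_NS

BROAD_TROJAN = """<manifest xmlns:android="%s" package="com.example.overlaybanker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Helper"/>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for label, xml in (("reader", READER_STYLE), ("tapper", TAPPER_STYLE), ("trojan", BROAD_TROJAN)):
        print(label, triage(xml))
```

The point of the three buckets is that the same rule that confidently flags the four-permission overlay trojan says nothing about the two-permission manifests; a legitimate transit-card reader or payment wallet produces the identical `minimal-nfc-review` or `nfc-hce-review` result, so these verdicts route the app to NFC-specific analysis (what the app does with card data and where it sends it) rather than to a block list.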

"This new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC," concludes the report. "This process allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers."

Another noteworthy aspect of this malware is its low fingerprinting profile. This means that it is difficult to track or identify the source of the attacks, making it a significant challenge for law enforcement and cybersecurity professionals.
