New Android Warning — This TOAD Malware Attack Steals Cash From ATMs

A recent report from threat intelligence experts has uncovered a sophisticated new malware campaign called SuperCard X, which can intercept and relay near-field communication (NFC) messages from compromised devices to facilitate fraudulent ATM cash withdrawals. The attack, dubbed "TOAD" (Telephone-Oriented Attack Delivery), uses a combination of social engineering tactics and Android malware to steal cash from ATMs.

According to Federico Valentini, Alessandro Strino, and Michele Roviello of the fraud detection platform Cleafy, the SuperCard X campaign involves sending phishing messages to victims via SMS or WhatsApp that appear to be bank security alerts. The messages create a sense of urgency and prompt the victim to call a support telephone number.

"The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards," the researchers said in their report. "This attack has demonstrated high success rates when targeting contactless ATM withdrawals."

The attack execution begins with social engineering tactics, where phishing messages are sent to victims to create a sense of urgency and prompt them to call a support telephone number. However, it is the Telephone-Oriented Attack Delivery (TOAD) component that makes this attack particularly sinister.

"The clever bit," said Randolph Barr, chief information security officer at Cequence, "is that those card details are relayed in real-time to a second, attacker-controlled Android phone, used to make the contactless ATM withdrawals."

This means that once the victim falls for the social engineering tactic and calls the support telephone number, their personal and payment information is transmitted to an attacker-controlled device. This allows the attackers to then use this information to make unauthorized transactions at ATMs.

"This attack highlights the importance of understanding what an app does before installing or sideloading it," Barr said. "There are ways to recognize and prevent TOAD-style attacks."

"Validating the legitimacy of any such request before acting on it is a great starting point," he advised. Google Play's built-in protections against malicious apps can be relied on instead of accepting the risk of sideloading applications from other sources.

Protecting Yourself From TOAD Attacks

If you're concerned about falling victim to this type of attack, there are several steps you can take:

  • Be cautious when receiving unsolicited phone calls or messages that ask for personal or payment information.
  • Only install apps from trusted sources, such as Google Play.
  • Validate the legitimacy of any request before acting on it.
  • Keep your Android device and its operating system up to date with the latest security patches.

"Based on our current detection, no apps containing this malware are found on Google Play," a Google spokesperson confirmed. "Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services."

Conclusion

The SuperCard X TOAD attack is a sobering reminder of the importance of staying vigilant when it comes to online security and personal data protection. By understanding how these attacks work and taking steps to protect yourself, you can reduce your risk of falling victim to this type of malicious campaign.