A sophisticated Android malware campaign dubbed SuperCard X has emerged, posing a significant threat to financial institutions and cardholders worldwide. This malicious software uses an advanced Near-Field Communication (NFC) relay technique, allowing attackers to authorise fraudulent Point-of-Sale (POS) payments and ATM withdrawals by intercepting and relaying NFC communications from compromised devices.

How SuperCard X Works

Unlike traditional banking trojans that steal login credentials, SuperCard X targets the physical communication between payment cards and terminals. The malware combines social engineering with the NFC relay technique to connect a victim's card to an attacker's device, regardless of how far apart they are. This makes the fraud harder for financial institutions to detect.
The attack typically unfolds as follows:
- Initial Contact: Victims get fake messages (via SMS or WhatsApp) pretending to be from their bank about suspicious activity.
- Social Engineering: When victims call the number, they speak to scammers who convince them to take certain steps.
- App Installation: Victims are tricked into installing a malicious “Reader” app on their Android phones.
- Data Capture: Victims are told to tap their card to their phone. The malware then relays this data to the attacker.
- Fraudulent Transactions: The attacker uses a device to mimic the card and make unauthorised purchases or withdrawals elsewhere.

Technical Details
The SuperCard X malware has two parts:
- Reader App: Installed on the victim’s phone to capture NFC data.
- Tapper App: Used by the attacker to receive the data and emulate the card.
Both apps communicate using HTTP and rely on a command-and-control server. They require special tokens to work properly, suggesting a structured Malware-as-a-Service setup.
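
As an added example (not from the original article or from any vendor's tooling), the Python below triages an Android device for the pattern described above: an app installed from outside the official store that requests both NFC and network access. The package names and the adb output are constructed samples, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Assumption: Google Play is the only install source treated as trusted.
TRUSTED_INSTALLERS = {"com.android.vending"}
# A relay "Reader" needs NFC to read the card and network access to forward it.
RELAY_PERMISSIONS = {"android.permission.NFC", "android.permission.INTERNET"}

# Constructed sample of `adb shell pm list packages -i -3` (third-party apps).
SAMPLE_PACKAGES = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.reader  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def _dump(*perms):
    listed = "".join(f"      {p}\n" for p in perms)
    return f"    requested permissions:\n{listed}    install permissions:\n"

# Constructed excerpts of `adb shell dumpsys package <name>`, one per package.
SAMPLE_DUMPSYS = {
    "com.example.bankapp": _dump("android.permission.INTERNET", "android.permission.NFC"),
    "com.example.reader": _dump("android.permission.INTERNET", "android.permission.NFC"),
    "com.example.notes": _dump("android.permission.INTERNET"),
}

def parse_installers(listing):
    """Map package name -> installer package (None when the device reports null)."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)$", listing, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def requested_permissions(dumpsys):
    """Collect the entries listed under the 'requested permissions:' header."""
    perms, header_indent = set(), None
    for line in dumpsys.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requested permissions:":
            header_indent = indent
        elif header_indent is not None:
            if indent <= header_indent:  # next section reached
                break
            perms.add(line.strip().split(":")[0])
    return perms

def flag_sideloaded_nfc(listing, dumpsys_by_pkg):
    """Packages from an untrusted source that request both NFC and network access."""
    installers = parse_installers(listing)
    return sorted(p for p, inst in installers.items() if inst not in TRUSTED_INSTALLERS
                  and RELAY_PERMISSIONS <= requested_permissions(dumpsys_by_pkg.get(p, "")))

print(flag_sideloaded_nfc(SAMPLE_PACKAGES, SAMPLE_DUMPSYS))  # run on the constructed samples
```

On a real device, feed it the output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <name>`. A hit is a candidate for manual review, since legitimate NFC apps can match as well.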

Where It Came From
The malware is believed to come from Chinese-speaking hackers. It shares similarities with an open-source project called NFCGate and another malware called NGate. SuperCard X stands out because it focuses solely on the NFC relay technique, making it smaller and harder to detect.

Why It’s Dangerous
SuperCard X doesn’t rely on logging into online banking. Instead, it goes after the actual payment process. It can be used on any card—not just ones from a specific bank—and allows attackers to move money fast, with little time for users to react.

How to Protect Yourself
- Be skeptical: Don’t trust unexpected messages about bank activity.
- Verify directly: Contact your bank using official contact info, not links in messages.
- Avoid unknown apps: Don’t install apps from unknown sources or based on random instructions.
- Watch your accounts: Check your bank statements regularly for strange activity.
Staying alert and cautious is the best defense against malware attacks and online fraud.


