New Android malware that copies NFC cards

  • SuperCard X is an advanced Android malware that exploits NFC technology to steal bank card data.
  • It is distributed using sophisticated social engineering techniques, involving messages and calls that impersonate banking entities.
  • It allows cybercriminals to make contactless payments and withdraw money from ATMs with cloned cards.

In recent months, the cybersecurity world has been on edge following the emergence of a sophisticated new malware called SuperCard X. This threat has generated a stir in the tech community for its ability to steal credit and debit cards directly from Android devices using NFC technology. If you own an Android phone and use contactless payments, this article is essential to understanding how this threat works, how it spreads, and, most importantly, how to protect yourself.

SuperCard X isn't just another malware in the long list of mobile threats; its danger lies in the way it involves social engineering, the technical exploitation of near-field communication (NFC), and its virtual invisibility to most antivirus systems. Let's break down, point by point, all the details revealed to date about this dangerous tool so you don't get caught off guard.

What is SuperCard X and how does it steal banking data?

SuperCard X is a Malware-as-a-Service (MaaS) threat specifically targeted at Android devices. Its core objective is to intercept and retransmit NFC communications from contactless bank cards, thereby stealing sensitive data and enabling fraudulent purchases or cash withdrawals, in many cases without needing the physical card or knowing the PIN.

SuperCard X's operation is remarkably sophisticated. It tricks victims into installing a seemingly legitimate app (usually called Reader), requesting only basic access permissions to the phone's NFC module. This way, the malware remains virtually invisible to the user and antivirus software.

Once the victim installs the app and taps their payment card on their phone, the malware reads all the contactless card data and transmits it in real time to the attackers. Attackers, from anywhere in the world, can use another app called Tapper on an Android device to emulate the card and perform contactless transactions or ATM withdrawals.

Social engineering: the key that opens the door

The technical side of SuperCard X is only half the equation. The other half is the intensive use of social engineering techniques, in which malicious individuals pose as banks or financial services operators to deceive users.

  • The attack usually begins with a fraudulent SMS or WhatsApp message which, pretending to be a communication from your bank, reports a suspicious transaction or a problem with your account.
  • The message invites you to call a phone number with the promise of immediate assistance and resolution of the alleged incident.
  • During the call, the scammer poses as a bank support agent, requesting information such as your card number and PIN and, in many cases, telling you to remove your spending limit in the official banking app.
  • Lastly, the scammer asks you to install a supposed verification or security app, Reader, which in reality is the vehicle for the malware.

The level of personalization and persuasion employed in these calls is considerable, making it difficult for even experienced users to avoid falling into the trap, especially under pressure or in stressful situations.

How SuperCard X exploits NFC technology

NFC (Near Field Communication) is a short-range technology found in most modern mobile phones, used to facilitate contactless payments and fast transfers between devices. SuperCard X exploits this functionality by intercepting communication between the card and the phone's NFC reader, something that was previously considered quite secure.

The relay attack is possible because the fraudulent app requests access to the NFC module, a permission that doesn't usually arouse suspicion since payment apps and card readers also request it. However, in the hands of malware, this permission allows all the card information to be read when the card is brought close to the mobile phone.

In a matter of seconds, the captured data is sent in real time to a command and control (C&C) infrastructure under the control of the criminals, over encrypted connections using secure protocols such as HTTP with TLS or mutual TLS (mTLS), to prevent it from being intercepted by law enforcement or investigators.

From data capture to fraud in stores and at cashiers

Once the attackers have the card details, they use their own app, Tapper, on another Android device. Tapper is able to digitally emulate the victim's card using the stolen information. Thus, the criminal simply brings their phone close to an NFC-compatible payment terminal or ATM and executes the transaction, as if they had the original card in hand.

This process is especially dangerous because many terminals only request the PIN above certain amounts, and attackers often make multiple small transactions to remain undetected. Furthermore, emulation relies on the ATR (Answer to Reset) message, which makes payment terminals detect the fake card as legitimate, increasing the effectiveness of the fraud and making it difficult for banks and anti-fraud systems to detect it.
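
On the issuer side, the pattern described above (several small contactless payments kept under the PIN threshold) can be caught with a per-card sliding-window rule. The following is an added example, not code from Cleafy or from any bank; the record layout, the 50.00 no-PIN limit, the 30-minute window and the tap threshold are all assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

NO_PIN_LIMIT = 50.00             # assumed contactless no-PIN ceiling
WINDOW = timedelta(minutes=30)   # assumed look-back window
MAX_TAPS = 3                     # assumed: alert from the 4th tap in a window

def flag_tap_bursts(transactions):
    """Return (card, time, count, total) each time a card exceeds MAX_TAPS
    sub-limit contactless transactions inside WINDOW."""
    recent = defaultdict(deque)  # card -> deque of (time, amount)
    alerts = []
    for tx in sorted(transactions, key=lambda t: t["time"]):
        # Only no-PIN contactless payments are relevant to this rule.
        if tx["entry"] != "contactless" or tx["amount"] >= NO_PIN_LIMIT:
            continue
        q = recent[tx["card"]]
        q.append((tx["time"], tx["amount"]))
        # Drop taps that have aged out of the window.
        while q and tx["time"] - q[0][0] > WINDOW:
            q.popleft()
        if len(q) > MAX_TAPS:
            total = round(sum(amount for _, amount in q), 2)
            alerts.append((tx["card"], tx["time"], len(q), total))
    return alerts

def _tx(card, hhmm, amount, entry="contactless"):
    """Build one constructed sample record."""
    return {"card": card, "time": datetime.fromisoformat(f"2025-01-01T{hhmm}:00"),
            "amount": amount, "entry": entry}

# Constructed sample: card-A shows a burst, card-B is spread out, card-C uses chip.
SAMPLE = [
    _tx("card-A", "10:00", 45.0), _tx("card-A", "10:04", 48.0),
    _tx("card-A", "10:09", 45.0), _tx("card-A", "10:15", 49.0),
    _tx("card-A", "10:21", 45.0),
    _tx("card-B", "09:00", 12.0), _tx("card-B", "09:10", 8.0),
    _tx("card-B", "09:20", 30.0), _tx("card-B", "10:05", 15.0),
    _tx("card-C", "11:00", 400.0, entry="chip"),
]

if __name__ == "__main__":
    for card, when, count, total in flag_tap_bursts(SAMPLE):
        print(f"{card}: {count} no-PIN taps totalling {total} by {when:%H:%M}")
```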

Why is it so difficult to detect SuperCard X?

One of the most alarming aspects of SuperCard X is its very low detection rate by antivirus and mobile security solutions. According to the Cleafy research team and multiple specialized media, SuperCard X is not detected by more than 60 antivirus engines on VirusTotal, and the main reason is its non-intrusive behavior.

  • It does not request access permissions to SMS, calls or location.
  • It avoids aggressive techniques such as screen overlay.
  • It only asks for access to NFC, which is common in legitimate apps.
  • It uses encrypted communication and authentication with digital certificates, making it invisible even to forensic analysis tools.

This minimalist design is focused on a single objective: to steal and retransmit NFC data from bank cards as discreetly and quickly as possible, without raising suspicions or alerts on the device.
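
Because signature-based engines miss this footprint, a fleet owner can instead triage on the traits listed above: an NFC-capable app installed from outside the official store that has network access but none of the permissions malware usually asks for. This is an added example, not Cleafy's detection logic; the inventory format (for instance an MDM export converted to dicts) and the package names are hypothetical, and a hit means "review manually", not "malicious".

```python
NFC = "android.permission.NFC"
INTERNET = "android.permission.INTERNET"
# Permissions the article says SuperCard X does NOT request (SMS, calls,
# location, overlay); their absence is what keeps its footprint small.
NOISY = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

def triage(app):
    """Return the reasons an app deserves manual review (empty list = none)."""
    perms = set(app["permissions"])
    if NFC not in perms:
        return []
    reasons = []
    if app.get("installer") not in TRUSTED_INSTALLERS:
        reasons.append("NFC app installed from outside the official store")
    if INTERNET in perms and not (perms & NOISY):
        reasons.append("NFC + network with no other sensitive permissions")
    # Escalate only when both traits co-occur; either one alone is common.
    return reasons if len(reasons) == 2 else []

def review_queue(inventory):
    """Map package name -> reasons, for apps that need a human look."""
    return {a["package"]: triage(a) for a in inventory if triage(a)}

# Constructed sample inventory (package names are made up).
SAMPLE = [
    {"package": "com.example.bankwallet", "installer": "com.android.vending",
     "permissions": [NFC, INTERNET, "android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.reader", "installer": None,
     "permissions": [NFC, INTERNET]},
    {"package": "com.example.game", "installer": None,
     "permissions": [INTERNET, "android.permission.SYSTEM_ALERT_WINDOW"]},
    {"package": "com.example.transitcard", "installer": "com.android.vending",
     "permissions": [NFC, INTERNET]},
]

if __name__ == "__main__":
    for pkg, why in review_queue(SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```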

Who is affected by SuperCard X and what is its scope?

Although the first reports from Cleafy and Spanish media mention Italy as the main affected country, SuperCard X has a global reach because it is sold as a service (MaaS) on underground forums, especially Chinese-speaking ones. Customers of this malware do not need technical knowledge; they simply pay a subscription and receive the software, instructions, and support through channels like Telegram.

This implies that fraud is not limited to large criminal organizations. Any criminal with access to these forums can launch attacks in other countries, including Spain and Latin America, where contactless payments are widely used. Financial institutions and physical stores are also at risk, since fraudulent movements are usually small and therefore difficult to detect immediately.

Similarities with NGate and other NFC malware

Notably, SuperCard X has similarities with NGate, a malware that had already wreaked havoc in Europe the previous year. Both employ NFC relay techniques and are capable of bypassing traditional barriers set by banks and anti-fraud systems. The existence of multiple customizable variants of SuperCard X also suggests constant evolution, aimed at circumventing new security measures that banks may implement.

The MaaS business model allows malware developers to offer variants tailored to different regions or specific needs of their customers, further complicating the coordinated response of law enforcement and digital security solution manufacturers.

Distribution channels and support for cybercriminals

SuperCard X is not only distributed through phishing and SMS campaigns, but is also promoted on Telegram channels dedicated to cybercrime. They even offer "technical" support for criminals who subscribe to the service, further simplifying the launch of new malicious campaigns.

The fact that developers provide support and allow on-demand customization shows a growing and worrying professionalization in cybercrime linked to digital financial fraud.

How can you protect yourself from SuperCard X?

Given the level of sophistication of the attack, protecting yourself requires a combination of caution, skepticism of unexpected messages, and good digital practices. Here are some key recommendations, drawn from expert advice and the latest reports:

  • Never install applications from outside official stores like the Google Play Store. Malicious apps disguised as "card readers" or "security checkers" often come from direct links or unverified repositories.
  • Be wary of any message, SMS or WhatsApp, that urges you to call a number to avoid banking problems. Banks don't typically ask for personal information through unofficial channels or require you to install third-party apps.
  • Do not hold your bank card to your phone if an unrecognized app asks you to, or if you receive instructions by phone to do so.
  • Check your bank account transactions frequently and contact your bank about any suspicious transaction, even if it is for a small amount.
  • Keep your mobile software up to date and use updated security solutions, although in this case they may not detect all types of malware.
  • Avoid accepting unnecessary permissions in applications, especially if you are not clear about what they are for.

Why SuperCard X is a threat that's here to stay

The emergence of SuperCard X marks a before and after in the digital banking fraud landscape. Not only does it show how NFC technology can be exploited for criminal purposes, but it also exposes the weaknesses of traditional security systems, both at the level of users and financial institutions.

Furthermore, the fact that anyone can now access these types of tools, thanks to the MaaS model and the proliferation of clandestine channels on Telegram and Chinese forums, democratizes access to cybercrime, multiplying the risks for all users of digital banking and contactless payments.

The rise of threats like SuperCard X demonstrates the urgent need for increased digital education, collaboration between banks, technology companies, and users, and the development of new security solutions capable of anticipating the evolution of cybercrime. Staying well-informed and acting skeptically toward any unusual requests is, today, the best defense we have against this type of threat. Share this guide so more people know about this threat.