145/68 Monday, April 21, 2025

Cybersecurity firm Cleafy has uncovered a new threat dubbed “SuperCard X”, a Malware-as-a-Service (MaaS) tool targeting Android devices through NFC relay attacks. The malware is designed to steal credit card data and use it for fraudulent transactions at ATMs or point-of-sale (POS) terminals. The campaign has ties to Chinese-speaking threat actors, and its code shows similarities with the open-source NFCGate project as well as the NGate malware, which was active in Europe last year. The platform is promoted on Telegram and offers full-service features to customers, with tailored malware samples for specific regions; Italy is one confirmed case.
The attack chain begins with phishing SMS or WhatsApp messages, posing as alerts from banks regarding suspicious activity. Victims are tricked into calling a fake bank representative who persuades them to confirm their card number and PIN. They are then instructed to install a fake app called “Reader”, which is actually embedded with the SuperCard X malware. Once installed, the victim is asked to tap their card on the phone to “verify identity.” This action reads the card’s NFC chip and transmits the data to the attacker. The attacker then uses another app called “Tapper” on a different Android device to emulate the victim’s card for use in real-world transactions or withdrawals.
SuperCard X is particularly stealthy. It avoids requesting suspicious permissions and does not use aggressive techniques like overlay attacks, which helps it evade detection by antivirus software. The malware simulates card responses using ATR (Answer to Reset) data, making cloned cards appear legitimate to the terminal. It also employs mutual TLS (mTLS) to encrypt and authenticate communication between infected devices and command-and-control (C2) servers, which hinders investigators who try to intercept and analyze the traffic. According to Google, there is currently no evidence that apps infected with SuperCard X are present on the Play Store, and users with Google Play Protect enabled are automatically shielded from such threats.