Security researchers have uncovered a new, sophisticated mobile malware campaign, known as “SuperCard X,” that uses a novel NFC-relay technique to steal payment card data. This Android malware, operated under a Malware-as-a-Service (MaaS) model, lets fraudsters conduct unauthorized transactions at Point-of-Sale (POS) terminals and ATMs.
Unlike traditional banking Trojans, SuperCard X focuses on abusing contactless card features by targeting Near-Field Communication (NFC) protocols. The Cleafy Threat Intelligence team, which identified the threat, explained that victims are tricked through smishing campaigns and phone calls into downloading a malicious app disguised as a security tool. Once installed, the malware discreetly captures NFC data when a card is tapped on the compromised device.
A unique aspect of this campaign is its multi-stage approach, involving social engineering through smishing and phone calls, PIN elicitation and card limit removal, malicious app installation, real-time NFC data interception, and instant fraudulent cash-outs. This makes SuperCard X particularly dangerous and effective in carrying out financial fraud.
The SuperCard X malware evades detection by antivirus software due to its minimal permission requests and targeted design. It does not exhibit suspicious behaviors commonly associated with malware, only requesting NFC-related permissions and concealing itself under innocent-looking app icons. The speed at which the attack is executed is also a significant factor, as stolen card data is immediately transmitted to a second device controlled by the attacker for swift withdrawals or purchases, bypassing traditional fraud detection methods that rely on transaction delays.
The distribution of SuperCard X is facilitated through Chinese-language platforms, allowing multiple affiliates to customize the malware for specific regional operations. While the current target is Italy, the MaaS model indicates the potential for global dissemination of this threat. The architecture of the malware includes two applications – “Reader” for collecting NFC data from victims and “Tapper” for emulating the stolen card by fraudsters. Communication between these applications is secured through mutual TLS, ensuring encrypted and authenticated relay of stolen data.
Cleafy cautioned that despite the relatively simple social engineering techniques employed by this attack, it is highly effective in terms of success rate and cashout efficiency. The use of multiple attack vectors within the same fraud campaign adds complexity and challenges for monitoring efforts, emphasizing the need for real-time detection capabilities in combating such threats.
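The campaign stages described above (card limit removal followed by an immediate contactless cash-out) suggest one synchronous check an issuer can run per transaction instead of waiting on delay-based scoring. The following is an added illustration, not code from Cleafy or the article: it assumes a constructed account event stream and flags any contactless transaction that, within a short window after a limit raise, exceeds the limit that was in force before the raise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str            # "limit_change" or "contactless_tx"
    card: str            # card identifier (constructed, not a real PAN)
    amount: float = 0.0  # transaction amount, or the new limit for limit_change
    channel: str = ""    # "ATM" or "POS" for transactions


def flag_fast_cashout(events, window=timedelta(minutes=30)):
    """Return transactions that follow a limit raise on the same card within
    `window` and exceed the limit in force before that raise.

    Heuristic assumed for illustration: a sudden limit raise immediately
    followed by a contactless cash-out above the old limit matches the
    social-engineering-then-relay sequence described for SuperCard X."""
    limit = {}    # card -> limit currently in force
    raised = {}   # card -> (time of most recent raise, limit before it)
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "limit_change":
            old = limit.get(ev.card)
            if old is not None and ev.amount > old:
                raised[ev.card] = (ev.ts, old)
            limit[ev.card] = ev.amount
        elif ev.kind == "contactless_tx" and ev.card in raised:
            when, old = raised[ev.card]
            if ev.ts - when <= window and ev.amount > old:
                flagged.append(ev)
    return flagged


# Constructed sample stream: card A has its limit raised and is cashed out
# minutes later; card B never changes limit; card C was raised hours earlier.
T = datetime(2025, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T, "limit_change", "A", 500),
    Event(T + timedelta(minutes=5), "limit_change", "A", 5000),
    Event(T + timedelta(minutes=12), "contactless_tx", "A", 2000, "ATM"),
    Event(T + timedelta(minutes=15), "contactless_tx", "A", 40, "POS"),
    Event(T, "limit_change", "B", 500),
    Event(T + timedelta(minutes=20), "contactless_tx", "B", 300, "POS"),
    Event(T - timedelta(hours=3), "limit_change", "C", 500),
    Event(T - timedelta(hours=2), "limit_change", "C", 5000),
    Event(T + timedelta(minutes=30), "contactless_tx", "C", 3000, "ATM"),
]

if __name__ == "__main__":
    for tx in flag_fast_cashout(SAMPLE_EVENTS):
        print(f"flag card {tx.card}: {tx.channel} {tx.amount} at {tx.ts:%H:%M}")
```

The window and the "exceeds previous limit" threshold are tunable assumptions; in production this check would feed an authorization-time risk score alongside device and location signals rather than decline on its own.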
In conclusion, the emergence of SuperCard X represents a new era of mobile malware that targets NFC technology for financial fraud, posing significant risks to individuals and institutions. The multi-stage approach, low detection rate, and global distribution potential make it a formidable threat that necessitates proactive security measures and vigilance from users and organizations alike.