SuperCard X is the latest addition to the malware-as-a-service (MaaS) market, where hackers offer ready-to-use tools for a fee. This new threat targets Android smartphones and uses NFC to make payments or withdraw money with stolen banking data.
A well-established operation sold online
According to the cybersecurity firm Cleafy, which identified the malware's activity in Italy, SuperCard X is promoted on Telegram channels, with a customer service department for buyers. The software appears to be directly inspired by open-source tools like NFCGate and its malicious variant NGate, which was already used in Europe last year.
The modus operandi is particularly well established. It all starts with an SMS or WhatsApp message, supposedly from the recipient's bank. By calling the number provided, the victim reaches a fake advisor who, using psychological manipulation techniques, pressures them into disclosing their card number and PIN. The scammers then encourage the target to remove the spending limits from their banking app.
The final step is to convince the victim to install a booby-trapped app called "Reader," supposedly to check the security of their account. The app requests few permissions, mainly access to the NFC module, and therefore easily slips under the radar.
Once installed, the malicious app prompts the victim to tap their bank card against their phone for "verification." In reality, the app extracts data from the chip and transmits it to the criminals. They retrieve it on another Android device equipped with a second app, "Tapper," which emulates a bank card.
Using this process, attackers can make contactless payments in stores or withdraw money from ATMs, within the imposed limits. Because these transactions are fast and appear legitimate, they are difficult for banks to detect.
Cleafy points out that SuperCard X currently remains undetected by antivirus engines, including on VirusTotal. Its stealth is reinforced by the absence of suspicious permissions and the use of mutual TLS (mTLS) for communication, which complicates the interception of exchanges between infected devices and control servers.
Asked about this case, Google stated that "no application containing this malware has been detected on Google Play" and reiterated that its Play Protect system protects Android users by default, even when they install applications from external sources.