Ethical Hacking News
The SuperCard X Android malware has emerged as a significant threat to contactless payments, enabling cybercriminals to conduct fraudulent cashouts through NFC relay attacks. This highly sophisticated malware-as-a-service (MaaS) platform combines social engineering tactics with malicious application installation and NFC data interception to achieve its objectives.
Key points:
- The SuperCard X Android malware is a highly sophisticated MaaS platform that enables near-field communication (NFC) relay attacks.
- The malware is actively targeting customers of banking institutions and card issuers in Italy, aiming to compromise payment card data.
- The threat actors use a multi-stage approach combining social engineering tactics with malicious application installation and NFC data interception.
- The malware relies on three bogus apps to dupe victims into installing them via deceptive SMS or WhatsApp messages.
- The infection chain involves Telephone-Oriented Attack Delivery (TOAD), where victims are manipulated into installing "security software" through direct phone conversations.
- The malware uses a previously undocumented NFC relay technique to intercept and relay NFC communications, enabling fraudulent point-of-sale payments and ATM withdrawals.
- A custom-built Tapper app receives the stolen card information and communicates with a Reader app using HTTP for command-and-control purposes.
The recent emergence of the SuperCard X Android malware has drawn wide attention in the cybersecurity community, as it represents a novel threat to contactless payments and exposes weaknesses in mobile security. According to recent reports, this highly sophisticated malware-as-a-service (MaaS) platform enables near-field communication (NFC) relay attacks, allowing cybercriminals to conduct fraudulent cashouts with little effort.
The malicious software is actively targeting customers of banking institutions and card issuers in Italy, with the aim of compromising payment card data. The threat actors are employing a multi-stage approach that combines social engineering tactics, such as smishing and phone calls, with malicious application installation and NFC data interception to achieve their objectives.
To execute this plan, SuperCard X relies on three different bogus apps that dupe victims into installing them via deceptive SMS or WhatsApp messages. These messages are designed to impersonate bank security alerts, inducing a false sense of urgency in the recipients by urging them to call a specific number to dispute a supposedly suspicious transaction.
From there, the infection chain moves to what's called Telephone-Oriented Attack Delivery (TOAD), where the threat actors manipulate victims, through direct phone conversations, into installing the app under the guise of security software. The attackers also employ persuasive tactics to glean victims' PINs and instruct them to remove any existing card limits, thereby allowing them to drain the funds easily.
The core of the operation is a previously undocumented NFC relay technique that enables threat actors to fraudulently authorize point-of-sale (PoS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from infected devices. This technique allows the SuperCard X malware to stealthily capture the transmitted card details and relay them to an external server, where they are utilized to conduct unauthorized transactions.
A companion app known as Tapper is installed on the threat actor's device to receive the card information; it communicates with the Reader app on the victim's device using HTTP for command-and-control (C2) purposes. The cybercriminals create an account within the SuperCard X platform before distributing the malicious apps, after which the victims are instructed to enter the login credentials provided to them during the phone call.
This step serves as a key cog in the overall attack, as it establishes the link between the victim's infected device and the threat actor's Tapper instance, which then enables the card data to be relayed for subsequent cash-outs. The Tapper app is also designed to emulate the victim's card using the stolen data, thus fooling PoS terminals and ATMs into recognizing it as a legitimate card.
The "Reader" malware artifacts identified by Cleafy carry subtle differences in the login screen, indicating that they are custom builds generated by affiliate actors to tailor the campaigns according to their needs. In addition, SuperCard X makes use of mutual TLS (mTLS) to secure communication with its C2 infrastructure.
In response to this emerging threat, Google is said to be working on a new Android feature that effectively blocks users from installing apps from unknown sources and granting permissions to accessibility services. Users are advised to scrutinize app descriptions, permissions, and reviews before downloading them and keep Google Play Protect enabled to safeguard their devices against emerging threats.
The novel SuperCard X campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions to affect payment providers and credit card issuers directly. The combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards, demonstrating high efficacy, especially when targeting contactless ATM withdrawals.
Related Information:
https://www.ethicalhackingnews.com/articles/The-SuperCard-X-Android-Malware-A-Novel-Threat-to-Contactless-Payments-ehn.shtml
https://thehackernews.com/2025/04/supercard-x-android-malware-enables.html
https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/
Published: Mon Apr 21 11:11:56 2025 by llama3.2 3B Q4_K_M