Attack Combines Social Engineering and Card Emulation to Execute Real-Time Theft

Hackers are using Chinese-speaking Android malware-as-a-service SuperCard X to carry out near-field communication relay attacks, siphoning payment card data and executing live point of sale and ATM transactions.
Unlike traditional banking Trojans that rely on overlay attacks or SMS interception, SuperCard X abuses the contactless features of modern payment cards to facilitate real-time cash-outs, effectively turning any infected Android handset into an NFC relay station, said mobile security firm Cleafy.
SuperCard X affiliates acquire customized “Reader” and “Tapper” applications through Telegram channels, granting low-effort access to advanced NFC relay fraud without building their own tooling.
The fraud begins when victims receive spoofed SMS or WhatsApp alerts purporting to originate from their bank, warning of a suspicious transaction and urging them to call a provided number. During the ensuing telephone-oriented attack delivery, scammers pose as bank support agents, coaxing cardholders into “verifying” their credentials and walking them through banking app settings to disable spending limits. The operators then send a link to the victims to install the SuperCard X Reader app, masked as a security utility.
Once deployed, Reader requests minimal NFC permissions alongside standard system permissions, a strategic minimalism that evades heuristic and signature-based detection on platforms like VirusTotal. Cleafy’s analysis showed extensive code reuse from the open-source NFCGate toolkit and its malicious fork NGate, first documented by ESET last year, suggesting the campaign used publicly available relay frameworks to accelerate development and onboarding of new affiliates.
When instructed to “tap” their debit or credit card against the infected device, victims unknowingly trigger the silent capture of NFC-transmitted smart card data, including Answer To Reset (ATR) messages. The harvested data is packaged and sent in real time over an HTTP-based command-and-control infrastructure fortified with mutual TLS, ensuring only client instances bearing valid certificates can exchange frames and thwarting unauthorized interception.
On the operator’s side, the Tapper application resides on a separate Android device under attacker control. It uses the relayed ATRs to emulate the victim’s card in Host-based Card Emulation (HCE) mode, effectively presenting “virtual cards” at PoS terminals or contactless ATM interfaces. Because the attackers have already talked victims into disabling their card’s spending limits, these emulated NFC transactions process as genuine contactless payments or withdrawals, maximizing the amounts taken.
SuperCard X distinguishes itself from conventional Android banking Trojans by omitting complex features such as screen overlays, SMS interception or remote desktop controls. It instead focuses on NFC relay and a streamlined permission model, giving it a low fingerprinting profile and allowing it to remain undetected by the vast majority of antivirus engines and behavioral monitors.
Cleafy uncovered several affiliate-specific customizations in the Italian campaign, including tailored APK repackaging that strips registration UIs and Telegram channel references, replacing them with innocuous icons and names. Fraudsters pre-generate login credentials and transmit them to victims during the telephone-oriented attack delivery phase, sidestepping in-app sign-up flows and minimizing UI artifacts that might alert suspicious users or defenders.
