SuperCard X Enables Contactless ATM Fraud in Real-Time


A sophisticated mobile malware campaign using a new NFC-relay technique to steal payment card data has been uncovered by security researchers.

Named “SuperCard X,” the Android malware operates under a Malware-as-a-Service (MaaS) model and enables fraudsters to carry out unauthorized transactions through Point-of-Sale (POS) systems and ATMs.

A New Era of Mobile Malware

Unlike conventional banking Trojans, SuperCard X targets contactless card features by exploiting Near-Field Communication (NFC) protocols. 

According to the Cleafy Threat Intelligence team who discovered the threat, victims are deceived through smishing campaigns and phone calls into installing a malicious app disguised as a security tool.

Once installed, the malware silently captures NFC data when a card is tapped on the compromised device.

What makes this campaign particularly dangerous is its multi-stage approach, comprising:

  • Social engineering via smishing and phone calls
  • PIN elicitation and card limit removal
  • Malicious app installation
  • Real-time NFC data interception
  • Instant fraudulent cash-outs


Low Detection, High Impact Malware

The SuperCard X malware remains largely undetected by antivirus software, partly due to its minimal permission requests and focused design. In fact, unlike broader malware families, it avoids suspicious behaviors, requesting only NFC-related permissions and hiding under benign app icons.

The attack executes quickly. Once a victim’s card data is captured, it is transmitted in real time to a second device controlled by the attacker, which then emulates the card for immediate withdrawals or purchases.

This bypasses traditional fraud detection systems that rely on transaction delays.

MaaS Distribution Raises Global Risk

Promoted on Chinese-language platforms, SuperCard X allows multiple affiliates to customize the malware for regional operations. 

The campaign currently targets Italy, but the MaaS model suggests potential for global spread.

The malware architecture includes two applications:

  1. “Reader,” which collects NFC data from victims
  2. “Tapper,” used by fraudsters to emulate the stolen card

Communication between the two is secured via mutual TLS, ensuring encrypted and authenticated relay of stolen data.
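The two traits described above, a minimal NFC-centred permission set on the "Reader" side and host card emulation (HCE) on the "Tapper" side, are both visible in an app's manifest. The following is an added static-triage example (not Cleafy's code or anything from the campaign) that parses a decoded AndroidManifest.xml and raises heuristic flags for that profile; the sample manifest, package name and service name are constructed for illustration, while the permission and action strings are the standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

NFC_PERMISSION = "android.permission.NFC"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
BIND_NFC = "android.permission.BIND_NFC_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Heuristic triage of a decoded AndroidManifest.xml (e.g. apktool output).

    Flags a tiny permission set built around NFC (plus at most one other
    permission, typically INTERNET for the relay) and any declared HCE service."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME))
    hce_services = []
    for svc in root.iter("service"):  # manifest tags are unprefixed; only attrs use the ns
        if HCE_ACTION in {a.get(NAME) for a in svc.iter("action")}:
            hce_services.append({
                "name": svc.get(NAME),
                # A legitimate HCE service is guarded by BIND_NFC_SERVICE so only the
                # system NFC stack can bind to it; a missing guard is itself worth noting.
                "bind_nfc_guard": svc.get(PERMISSION) == BIND_NFC,
            })
    flags = []
    if NFC_PERMISSION in perms and len(perms) <= 2:
        flags.append("minimal_nfc_permission_set")  # matches the "Reader" profile
    if hce_services:
        flags.append("host_card_emulation")         # matches the "Tapper" profile
    return {"permissions": perms, "hce_services": hce_services, "flags": flags}

# Constructed sample manifest in the shape a card-emulating app would have.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securityupdate">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Update">
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The flags are a triage signal, not a verdict: genuine wallet and transit apps declare HCE services too, so a hit should route the sample to manual review rather than an automatic block.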

“While this type of attack relies on relatively simple social engineering techniques, it proves to be highly effective – both in terms of success rate and cashout efficiency,” Cleafy warned.

“Using multiple attack vectors within the same fraud campaign adds another layer of complexity. This multichannel approach poses additional challenges for monitoring efforts and highlights the growing need for real-time detection capabilities.”
