Credit card theft soars with new SuperCard X malware

April 23, 2025

A new malware-as-a-service (MaaS) platform, ‘SuperCard X’, has surfaced, targeting Android devices through NFC relay attacks that enable transactions at point-of-sale terminals and ATMs using stolen payment card information.

SuperCard X is associated with Chinese-speaking threat actors and shares code similarities with the open-source project NFCGate and its malicious derivative, NGate, which has been implicated in attacks across Europe since last year.

This MaaS platform is advertised on Telegram channels that provide direct support for “customers.”

Researchers initially discovered threat actors using the SuperCard X malware in Italy. These incidents involved multiple samples with slight variations, suggesting that affiliates can access custom builds tailored to specific regions or needs.

SuperCard X executes its attacks through fraudulent messages.

According to investigations, the SuperCard X malware attack commences with the victim receiving a fraudulent SMS or WhatsApp message that impersonates their bank, instructing them to call a number to address alleged issues related to a suspicious transaction.

A scammer answers the call, masquerading as bank support. Utilising social engineering tactics, the scammer tricks the victim into “verifying” their card number and PIN. The scammer then persuades victims to remove spending limits through their banking applications.

Eventually, the threat actors deceive users into installing a malicious app disguised as a security or verification tool that contains the SuperCard X malware.

Once installed, the malicious app, called Reader, requests minimal permissions, primarily access to the NFC module, which it uses for data theft. The scammer instructs the victim to tap their payment card against their phone to “verify” it, allowing the malware to read the card chip data and send it to the attackers.

The attackers receive this information on their Android device, utilising another app called Tapper. This app emulates the victim’s card using the stolen data.

Despite transaction limits, these ‘emulated’ cards permit attackers to execute contactless payments at retail locations and ATM withdrawals. Since these small transactions are instant and appear authentic to banks, they are more challenging to identify and counteract.

SuperCard X goes undetected by AV engines on VirusTotal. It requests no risky permissions and lacks aggressive attack features such as screen overlaying, which helps it evade heuristic scans and makes it a low-key malware campaign.
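The evasion described above, as an added example that is not from the original article: a permission-weighted heuristic scores a constructed NFC-only manifest at zero, while a narrower triage rule flags it. The weights, the `nfc_sideload_flag` rule and its threshold, the installer field and both sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Illustrative weights for a permission-based heuristic (assumed, not from any product).
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,         # screen overlays
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,  # declared on a <service>
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy

def declared_permissions(manifest_xml):
    """Permissions named in <uses-permission> or guarding a <service>."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms |= {s.get(A + "permission") for s in root.iter("service")}
    perms.discard(None)
    return perms

def risk_score(perms):
    """Generic heuristic: sum the weights of risky permissions."""
    return sum(RISKY.get(p, 0) for p in perms)

def nfc_sideload_flag(perms, installer):
    """Triage rule: NFC access, tiny permission footprint, untrusted install source."""
    return ("android.permission.NFC" in perms
            and len(perms) <= 3
            and installer not in TRUSTED_INSTALLERS)

# Constructed sample manifests (decoded text form), not taken from real samples.
NFC_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardverify">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

OVERLAY_STYLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.overlay">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("nfc_only", NFC_ONLY), ("overlay_style", OVERLAY_STYLE)):
        p = declared_permissions(xml)
        print(name, risk_score(p), nfc_sideload_flag(p, installer=None))
```

The `installer` argument stands for the install source recorded by a device inventory; `None` here means the app was sideloaded.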
