SuperCard X Malware Exploits NFC to Steal Card Data in Sophisticated Android Attacks

A new malware-as-a-service (MaaS) platform called SuperCard X has surfaced, targeting Android devices using NFC relay attacks. This threat enables attackers to perform unauthorized point-of-sale and ATM transactions using stolen payment card information.

The malware has been linked to Chinese-speaking cybercriminals and bears similarities to earlier projects such as the open-source NFCGate and its malicious offshoot, NGate, which have previously been used for attacks in Europe. SuperCard X is being promoted and supported through Telegram channels, suggesting a well-organized criminal infrastructure.

Customizable Malware Spreads Through Social Engineering and Regionalized Attacks Across Android Devices Globally

The Android malware was discovered by security firm Cleafy, which detected SuperCard X in real-world attacks in Italy. The observed malware samples showed slight variations, indicating that attackers or affiliates can request tailored versions of the malware to suit specific regions or requirements.

This customization suggests a flexible service model typical of advanced MaaS operations. The malware’s distribution through social platforms and its capacity for localization make it a significant threat with the potential for global expansion.

SuperCard X attacks begin with deceptive SMS or WhatsApp messages impersonating a bank, leading victims to a phone call with a scammer posing as customer support. The victim is tricked into providing card details and encouraged to install a fake security app named “Reader.”

This app, containing the malware, requests minimal permissions—mainly NFC access—which helps it remain undetected while still capturing card data. Victims are then asked to tap their payment cards against their phone, allowing the malware to extract and transmit chip data to the attackers.

Advanced Card Emulation and Stealth Techniques Make SuperCard X Extremely Hard to Detect

The stolen card data is received by the attackers on a separate Android device running a second app called “Tapper.” This app emulates the stolen card using ATR-based (Answer to Reset) responses, making transactions appear genuine to contactless payment terminals and ATMs.

Although the amounts are usually low to avoid detection, these payments are processed quickly and are difficult for banks to identify as fraudulent. This seamless emulation demonstrates a high level of technical skill in manipulating smartcard protocols.

Cleafy reports that SuperCard X currently evades detection by antivirus engines and does not use aggressive permissions or overlays, helping it bypass heuristic-based scans. Its use of mutual TLS (mTLS) further protects its command-and-control communications from interception.
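Because the apps avoid the aggressive permissions that heuristic scanners key on, a defender can instead triage on the narrow profile the article describes: NFC access with almost nothing else, or a card-emulation service, in an app that did not come from the Play Store. The sketch below is an added example, not code from Cleafy or any vendor; the threshold, the finding names and the sample manifests are assumptions constructed for illustration, and the installer package is assumed to be supplied by the caller.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
PLAY_STORE = "com.android.vending"
MAX_PERMS = 4  # assumption: "minimal" means at most this many permissions

def nfc_findings(manifest_xml, installer=None):
    """Flag NFC-related traits in one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    # Reader-style profile: NFC access and almost nothing else.
    if "android.permission.NFC" in perms and len(perms) <= MAX_PERMS:
        findings.append("nfc-with-minimal-permissions")
    # Emulation-style profile: a service that answers APDUs as a card (HCE).
    actions = {a.get(ANDROID + "name")
               for s in root.iter("service") for a in s.iter("action")}
    if HCE_ACTION in actions:
        findings.append("host-card-emulation-service")
    # Only escalate apps that did not come from the Play Store.
    if findings and installer != PLAY_STORE:
        findings.append("sideloaded")
    return findings

def manifest(perms, hce=False):
    """Build a constructed sample manifest (not from any real app)."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    svc = (f'<service android:name=".Emu"><intent-filter>'
           f'<action android:name="{HCE_ACTION}"/></intent-filter></service>'
           if hce else "")
    return f"<manifest {ns}>{uses}<application>{svc}</application></manifest>"

SAMPLES = {  # constructed inputs: (manifest, installer package or None)
    "reader-like": (manifest(["NFC", "INTERNET"]), None),
    "emulator-like": (manifest(["NFC", "INTERNET"], hce=True), None),
    "store-wallet": (manifest(["NFC", "INTERNET", "CAMERA", "USE_BIOMETRIC",
                               "POST_NOTIFICATIONS"], hce=True), PLAY_STORE),
    "flashlight": (manifest(["CAMERA"]), None),
}

if __name__ == "__main__":
    for name, (xml_text, installer) in SAMPLES.items():
        print(name, nfc_findings(xml_text, installer))
```

A hit is a prompt for manual review, not a verdict: legitimate wallet and transit apps also use NFC and host card emulation, which is why the installer source is part of the check.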

Google has responded by stating that no apps with SuperCard X have been found on the Play Store and emphasized that Google Play Protect offers built-in protection, even against threats originating from outside of the Play ecosystem. Despite this, users remain at risk from sideloaded apps and social engineering tactics used by attackers.
