SuperCard X Mobile Malware: How a New Android Threat Is Hijacking Contactless Payments

A newly discovered mobile malware platform known as SuperCard X is redefining the way cybercriminals exploit smartphones, posing a fresh challenge for banks, card issuers, and users alike. Unlike traditional banking trojans or phishing scams, this malware introduces a more advanced, subtle, and coordinated method of attack: near-field communication (NFC) relay manipulation.

Developed by a Chinese-speaking threat group, SuperCard X is categorized as a malware-as-a-service (MaaS) offering. In short, it's a cybercrime toolkit for hire. By leveraging NFC capabilities in Android smartphones, the malware enables attackers to capture card data and conduct fraudulent transactions—without physical access to the victim's card.

How the Scam Starts: Social Engineering at Its Core

The attack begins with a convincing social engineering campaign. Victims are sent deceptive messages—often via SMS or WhatsApp—claiming to be from their bank. These messages warn of suspicious activity and prompt recipients to call a specific number. The urgency and appearance of legitimacy push many to act without verifying the message's source.

What follows is a method known as Telephone-Oriented Attack Delivery (TOAD). On the call, scammers impersonate bank representatives and instruct the victim to install what they claim is a security app. In reality, it's one of several disguised versions of the SuperCard X malware, such as "Verifica Carta," "SuperCard X," or "KingCard NFC."

Once installed, the app requests sensitive permissions and establishes a link with the attacker's system. Victims are sometimes persuaded to reveal their PINs or remove daily account limits, which makes fraud much easier.

NFC: The New Frontier for Financial Fraud

The centerpiece of SuperCard X's capability is its novel use of NFC relay techniques. The attackers convince victims to physically place their credit or debit cards near their infected phones. The malware then silently reads the NFC data transmitted by the card and forwards it to an external server in real-time.

On the attacker's side, a companion app—nicknamed "Tapper"—emulates the card using the stolen information. The criminal can then use this virtual clone to withdraw cash at ATMs or pay at contactless terminals as if they were the legitimate cardholder.

This method is particularly effective for contactless ATMs and PoS systems, which rely on NFC data for authentication but cannot easily detect that the card has been cloned remotely.

The Infrastructure Behind the Scenes

SuperCard X is not just one app—it's an entire fraud ecosystem. Before distributing the malware, cybercriminals must create an account on the platform. Each instance of the malware is linked to this account, enabling communication between the infected user device (Reader) and the criminal's device (Tapper).

Interestingly, every Reader app appears to be customized for specific campaigns, with slight variations in their login interfaces. This suggests affiliate threat actors are tailoring the apps to target different regions or institutions.

Communication between devices is encrypted using mutual TLS (mTLS), a step up from the usual encryption standards seen in mobile malware. This added layer helps attackers stay under the radar by protecting their command-and-control (C2) traffic.

The Wider Implications

What makes SuperCard X particularly concerning isn't just its technical ingenuity but its implications for the broader financial ecosystem. By bypassing traditional online authentication and going straight for contactless infrastructure, it opens up a relatively unguarded attack surface.

Although this campaign has so far been focused on Italy, the underlying techniques could easily spread to other countries. Payment providers, financial institutions, and mobile OS developers are all potential stakeholders in the fight to contain this threat.

In response, Google is reportedly working on new Android features to mitigate such risks. These include restrictions on installing apps from unknown sources or granting sensitive permissions like accessibility access—especially while on a call when TOAD attacks typically occur.

Staying Safe: Practical Tips for Users

At this point, SuperCard X is not distributed via the Google Play Store, but that doesn't mean it's not a risk. Users should remain cautious about installing apps from third-party sources, especially if prompted to do so during a phone call. Here are a few key precautions:

  • Avoid installing apps from unknown sources unless absolutely necessary.
  • Be skeptical of urgent messages claiming to be from banks—verify them through official channels.
  • Keep Google Play Protect enabled to detect potentially harmful apps.
  • Scrutinize app permissions and check reviews before installing anything new.

SuperCard X represents a leap forward in mobile-enabled financial fraud, blending manipulation, technical sophistication, and stealth. While the malware is currently limited in scope, its potential impact is vast—making awareness and vigilance the best first lines of defense.

By Willa
April 22, 2025
Android Malware
English
April 22, 2025
Android Malware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Android Malware

PINEFLOWER Mobile Malware

PINEFLOWER is the name of a family of mobile malware variants that is associated with an Iranian advanced persistent threat actor that is believed to be sponsored by the state. A research team with security firm... Read more

September 16, 2022
Android Malware

AIVARAT Mobile Malware

AIVARAT is the name of a newly detected strain of mobile malware. The new threat is a remote access trojan or a RAT, as the name implies. The capabilities of the new malware are considerable. AIVARAT can scrape and... Read more

July 15, 2022
Android Malware

Predator Mobile Malware Targets Android Phones

Security researchers with Google's Threat Analysis Group (TAG) have recently published detailed information on a piece of mobile malware affecting Android devices. The mobile malware is named PEDATOR and was used in... Read more

May 20, 2022
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.