
A sophisticated Android malware campaign dubbed SuperCard X has emerged, posing a significant threat to financial institutions and cardholders worldwide. This malicious software uses an advanced Near-Field Communication (NFC) relay technique, allowing attackers to authorise fraudulent Point-of-Sale (POS) payments and ATM withdrawals by intercepting and relaying NFC communications from compromised devices.
How SuperCard X Works
Unlike traditional banking trojans that steal login credentials, SuperCard X targets the physical communication between payment cards and terminals. The malware combines social engineering with an NFC relay that connects a victim’s card to an attacker’s device, no matter how far apart they are. This approach makes the fraud harder for financial institutions to detect.
The attack typically unfolds as follows:
- Initial Contact: Victims get fake messages (via SMS or WhatsApp) pretending to be from their bank about suspicious activity.
- Social Engineering: Victims who call the number given in the message speak to scammers, who convince them to take certain steps.
- App Installation: Victims are tricked into installing a malicious “Reader” app on their Android phones.
- Data Capture: Victims are told to tap their card to their phone. The malware then relays this data to the attacker.
- Fraudulent Transactions: The attacker uses a device to mimic the card and make unauthorised purchases or withdrawals elsewhere.
Technical Details
The SuperCard X malware has two parts:
- Reader App: Installed on the victim’s phone to capture NFC data.
- Tapper App: Used by the attacker to receive the data and emulate the card.
Both apps communicate using HTTP and rely on a command-and-control server. They require special tokens to work properly, suggesting a structured Malware-as-a-Service setup.
Where It Came From
The malware is believed to come from Chinese-speaking hackers. It shares similarities with an open-source project called NFCGate and another malware called NGate. SuperCard X stands out because it focuses solely on the NFC relay technique, making it smaller and harder to detect.
Why It’s Dangerous
SuperCard X doesn’t rely on logging into online banking. Instead, it goes after the actual payment process. It can be used on any card—not just ones from a specific bank—and allows attackers to move money fast, with little time for users to react.
How to Protect Yourself
- Be skeptical: Don’t trust unexpected messages about bank activity.
- Verify directly: Contact your bank using official contact info, not links in messages.
- Avoid unknown apps: Don’t install apps from unknown sources or based on random instructions.
- Watch your accounts: Check your bank statements regularly for strange activity.
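For support or security staff checking a phone, the "avoid unknown apps" advice can be turned into a concrete check: any app that reads a card over NFC must declare `android.permission.NFC`, so an app that requests it and did not come from a trusted store deserves a closer look. The script below is an added example, not code from the original article or from any analysis of SuperCard X; the package names, the sample dump and the trusted-installer list are constructed assumptions.

```python
import re

NFC_PERMISSION = "android.permission.NFC"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

# Constructed, simplified excerpt in the layout of `adb shell dumpsys package`.
# Package names are made up for illustration.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.bankapp] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    installerPackageName=com.android.vending
  Package [com.example.reader] (4d5e6f):
    requested permissions:
      android.permission.NFC
      android.permission.INTERNET
    installerPackageName=null
  Package [com.example.notes] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC_PREFERRED_PAYMENT_INFO
    installerPackageName=null
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")


def parse_packages(dump):
    """Map package name -> {'installer': str or None, 'nfc': bool}."""
    packages, current = {}, None
    for line in dump.splitlines():
        if m := PACKAGE_RE.match(line):
            current = packages.setdefault(m.group(1), {"installer": None, "nfc": False})
        elif current is None:
            continue
        elif m := INSTALLER_RE.match(line):
            current["installer"] = None if m.group(1) == "null" else m.group(1)
        elif line.strip().split(":")[0] == NFC_PERMISSION:
            # Exact match, so NFC_PREFERRED_PAYMENT_INFO and similar do not count.
            current["nfc"] = True
    return packages


def flag_sideloaded_nfc(dump, trusted=TRUSTED_INSTALLERS):
    """Packages that request NFC and were not installed by a trusted store."""
    return sorted(name for name, info in parse_packages(dump).items()
                  if info["nfc"] and info["installer"] not in trusted)
```

On a real device, preinstalled system apps also report no installer, so limit the review to user-installed packages (for example, the ones listed by `pm list packages -3`). A flagged package is a lead for manual review, not proof of malware.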
Staying alert and cautious is the best defense against malware attacks and online fraud.