SuperCard X Malware Targets Android Users with Sophisticated NFC Relay Attacks

Bisma Farrukh

A dangerous new malware-as-a-service (MaaS) platform dubbed SuperCard X has surfaced on the cybercrime scene, enabling threat actors to carry out stealthy near-field communication (NFC) relay attacks on Android devices. These attacks allow cybercriminals to perform unauthorized point-of-sale and ATM transactions by emulating payment cards stolen through social engineering.
According to mobile security firm Cleafy, SuperCard X has already been observed in the wild, with active campaigns detected in Italy. Its emergence marks a significant evolution in mobile financial fraud, leveraging both advanced technical tactics and slick social manipulation.
A Glimpse Into the Underworld
SuperCard X is reportedly operated by Chinese-speaking threat actors and shares significant code similarities with NFCGate, an open-source NFC research project. It also resembles NGate, a known malicious offshoot of NFCGate that has been used in similar attacks across Europe since 2023. This lineage suggests that SuperCard X builds upon existing tools but packages them into a more user-friendly and commercially viable product aimed at affiliates.
The platform is actively promoted through Telegram channels, where cybercriminals are offered the malware package and technical support, making it easier for even low-skilled actors to deploy attacks. These channels act as both black-market storefronts and user support forums, reinforcing the “as-a-service” model.
How SuperCard X Operates
The SuperCard X attack chain begins with highly targeted social engineering. Victims receive fraudulent SMS or WhatsApp messages posing as alerts from their bank. These messages prompt the recipient to call a number to address a supposed security issue.
Once on the line, the victim is connected with a scammer impersonating a bank representative. The attacker uses persuasion tactics to trick the victim into revealing their payment card information, including PINs. The victim is also manipulated into removing spending limits from their mobile banking apps under the guise of verifying their identity or resolving the issue.
The final step involves convincing the victim to install a fake security application—often disguised as a legitimate “Reader” app—that secretly contains the SuperCard X malware.
Despite its malicious intent, the app cleverly requests minimal permissions, focusing mainly on access to the device’s NFC module. This minimalist approach helps the malware avoid detection by both the user and security tools.
Once the app is installed, the scammer instructs the victim to tap their payment card against the phone, allegedly for verification. In reality, the tap lets the malware read the card's chip data, which it relays to the attacker in real time.
From Theft to Transaction
The stolen card data is sent to a second Android device controlled by the attacker. This device runs another app, often called “Tapper”, which uses the stolen data to emulate the victim’s card via NFC.
With the emulated card, attackers can carry out contactless transactions, including retail purchases and ATM withdrawals. While transaction amounts may be limited, the speed and apparent legitimacy of these payments make them difficult for banks to detect or reverse.
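A defender-side triage of the app profile described above (an NFC-focused app with very few permissions, installed from outside Google Play, or an app that emulates a card), added here as an example and not taken from Cleafy's report or the original article. The permission threshold, the package names and both sample manifests are constructed assumptions, and the input is a manifest already decoded to XML text.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
NFC_PERM = "android.permission.NFC"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
PLAY_INSTALLER = "com.android.vending"
MAX_PERMS = 4  # assumption: what counts as a "minimal" permission set

# Constructed sample manifests (not taken from any real app).
SAMPLE_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
SAMPLE_WALLET = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application><service android:name=".PayService"
      android:permission="android.permission.BIND_NFC_SERVICE"><intent-filter>
    <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
  </intent-filter></service></application>
</manifest>"""

def triage_manifest(manifest_xml, installer=None):
    """Flag the profile from the article: NFC-centred, few permissions, sideloaded."""
    root = ET.fromstring(manifest_xml)
    names = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    perms = sorted(names - {None})
    # Host card emulation is how an Android app presents itself as a card.
    hce = any(a.get(ANDROID + "name") == HCE_ACTION
              for s in root.iter("service") for a in s.iter("action"))
    reasons = []
    if NFC_PERM in perms and len(perms) <= MAX_PERMS:
        reasons.append("NFC with minimal permission set")
    if hce:
        reasons.append("declares host card emulation service")
    sideloaded = installer != PLAY_INSTALLER  # installer package, None if unknown
    return {"package": root.get("package"), "permissions": perms,
            "reasons": reasons, "review": bool(reasons) and sideloaded}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_READER))
    print(triage_manifest(SAMPLE_WALLET, installer=PLAY_INSTALLER))
```

A `review` result is a prompt for manual analysis, not a verdict: legitimate NFC utilities match the same profile, so the installer source and the context of the install matter.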
Industry Response and Warnings
BleepingComputer reached out to Google regarding the presence of SuperCard X on the Play Store. A spokesperson responded:
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.” — Google spokesperson
Despite these safeguards, SuperCard X is a powerful reminder of the growing sophistication of mobile malware and the ongoing weaponization of legitimate smartphone features for criminal gain.
Final Thoughts
SuperCard X exemplifies a broader trend in the cybercrime ecosystem: the professionalization of malicious tools. With custom builds tailored for regional campaigns and real-time customer support offered via encrypted messaging platforms, MaaS operations like this blur the line between hacking and commerce. As NFC becomes more deeply integrated into mobile payment systems, such threats will evolve and expand.