
Android Malware SuperCard X Steals Payment Info Via NFC


Payment card fraud (also known simply as "carding") isn’t new — but it’s getting smarter and more sophisticated. From classic ATM skimming to fake point-of-sale (POS) terminals, tax phishing, crypto-jacking, and triangulation fraud, criminals are always looking for new ways to conduct financial fraud. The rise of mobile payment systems introduces new risks, particularly when social engineering is used to manipulate victims into compromising their own devices. Corporations issuing payment cards to employees or individuals could find themselves exposed if they don’t stay ahead of the newest scam tactics.

The newest scam on the block, known as SuperCard X, is Android malware designed to silently steal payment card data using the victim’s own smartphone. This article explores how SuperCard X works, how attackers are delivering it through social engineering, and why it represents a growing risk to financial security.

What is SuperCard X?

SuperCard X is a newly uncovered Android malware operating under a Malware-as-a-Service (MaaS) model. SuperCard X enables attackers to steal payment card information by capturing NFC (Near-Field Communication) signals when a physical credit or debit card is tapped against an infected smartphone. Security analysts at Cleafy have observed that trojan apps containing SuperCard X are designed to not raise suspicion, requesting minimal permissions to avoid detection by antivirus (AV) software.

The malware’s architecture includes two core components: a "Reader" application that harvests NFC data from the victim and a "Tapper" application used by attackers to emulate the stolen card information. Once installed, the malware immediately intercepts NFC communications from the victim’s device and transmits the stolen data to the attackers. After receiving the stolen payment card information, attackers use it to perform fraudulent purchases at POS terminals or conduct ATM withdrawals.

Compared to other forms of banking malware, SuperCard X stands out for its speed, allowing immediate fraudulent transactions, and for its stealth: it remains largely undetected by AV solutions due to its minimal permission profile and obfuscated behaviors.
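Because a minimal permission profile gives signature-based AV little to work with, defenders can instead review the app inventory itself. The following is an added example, not code from Cleafy or the original article: a triage heuristic over a constructed MDM-style inventory that scores apps declaring `android.permission.NFC` (the manifest permission an app needs to use NFC). The scoring weights, threshold, inventory fields and package names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

NFC_PERMISSION = "android.permission.NFC"     # manifest permission needed to use NFC
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your managed store

@dataclass(frozen=True)
class App:
    device: str
    package: str
    installer: Optional[str]   # installer package name; None if sideloaded/unknown
    permissions: tuple

def triage(apps, allowlist=frozenset(), small_footprint=5, threshold=3):
    """Return (score, device, package, reasons) for NFC apps worth a manual look."""
    findings = []
    for app in apps:
        if NFC_PERMISSION not in app.permissions or app.package in allowlist:
            continue
        score, reasons = 1, ["declares NFC permission"]
        if app.installer not in TRUSTED_INSTALLERS:
            score += 2  # assumed weight: install source is the strongest signal
            reasons.append("not installed from a trusted store")
        if len(app.permissions) <= small_footprint:
            score += 1  # assumed weight: matches the "minimal permissions" profile
            reasons.append("small permission footprint")
        if score >= threshold:
            findings.append((score, app.device, app.package, reasons))
    return sorted(findings, reverse=True)

# Constructed inventory (devices and package names are made up for this example).
SAMPLE = [
    App("phone-01", "com.example.bankwallet", "com.android.vending",
        ("android.permission.NFC", "android.permission.INTERNET",
         "android.permission.CAMERA", "android.permission.USE_BIOMETRIC",
         "android.permission.POST_NOTIFICATIONS",
         "android.permission.ACCESS_FINE_LOCATION")),
    App("phone-02", "com.example.securityapp", None,
        ("android.permission.NFC", "android.permission.INTERNET")),
    App("phone-03", "com.example.flashlight", None, ("android.permission.CAMERA",)),
    App("phone-04", "com.example.transitcard", "com.android.vending",
        ("android.permission.NFC", "android.permission.INTERNET")),
]

if __name__ == "__main__":
    for score, device, package, reasons in triage(SAMPLE):
        print(f"{device} {package} score={score}: {'; '.join(reasons)}")
```

A hit is a prompt for manual review rather than a verdict; legitimate NFC apps distributed outside the store should go in the `allowlist` argument.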

Who is Launching SuperCard X Attacks?

The campaigns involving SuperCard X have been traced to Chinese-speaking threat actors who promote the malware through underground forums that specialize in financial fraud. Researchers at Cleafy observed that the malware is being marketed as a service to affiliates, who use it in regional campaigns.

The current wave of attacks primarily targets victims in Italy, but due to the Malware-as-a-Service distribution model, SuperCard X has strong potential to spread globally as affiliates adopt it for use in other countries. For example, ThaiCERT, Thailand's emergency response agency, has issued an alert for SuperCard X attacks.

Social Engineering Used to Install SuperCard X

Recent campaigns delivering SuperCard X have relied on a complex social engineering scheme to trick victims into installing the malware and then tapping their payment card against their own phone. Researchers warn that the combined use of SMS phishing (smishing) text messages, email, and voice calls increases the success rate of these attacks by making the communication seem more legitimate.

Here's how SuperCard X attacks progress:

  • A victim receives an SMS (smishing) or WhatsApp phishing message claiming to be from their bank, warning them about suspicious account activity.

  • The victim is instructed to call a phone number to resolve the issue.

  • An attacker posing as a bank agent persuades the victim to share their banking PIN to verify their account ownership and then to remove their payment card spending limits.

  • Next, the victim is convinced to install a "security app", which is actually a trojan containing SuperCard X.

  • Finally, the victim is instructed to tap their credit or debit card on the infected phone, and SuperCard X transmits their card data to the attackers.

Protecting Yourself Against SuperCard X Attacks

Strong resilience against SuperCard X infections — and similar NFC-based fraud — requires a combination of technical security measures and user awareness training. Here are key steps you can take:

  • Be cautious of unsolicited calls claiming to be from your bank. Always know your bank’s official fraud communication policies.

  • Remember that caller ID numbers can be spoofed. If you receive a suspicious call, hang up and contact your bank directly using a known official number.

  • Turn off NFC tap-to-pay functionality on your cards when not needed, or use an NFC-blocking wallet for additional protection.

  • Use mobile payment apps that require biometric authentication, such as fingerprint or facial recognition, before approving any transaction.

  • Inspect POS terminals and ATMs for signs of tampering, including rogue devices that may be attached to skim payment card data.

  • Monitor your banking and card transactions regularly to quickly detect and report any unauthorized charges.

  • Prepare and distribute policy information sheets with all payment cards issued to staff, outlining safe usage practices and fraud response steps.

  • Conduct regular cybersecurity awareness training for staff to ensure they recognize social engineering attacks and understand the risks of payment card fraud.

  • Power cycle your mobile devices regularly. In 2024, the NSA advised users to do so to thwart fileless spyware.

Conclusion

SuperCard X represents a new threat to Android users, exploiting NFC technology to instantly steal payment card information. Delivered through sophisticated social engineering, the malware enables attackers to cash out quickly and silently. With campaigns already targeting victims in Italy, organizations and individuals must stay vigilant against this fast-moving, low-detection malware.
