
A new malware-as-a-service (MaaS) platform named SuperCard X has been identified, targeting Android devices through NFC relay attacks to steal and misuse payment card data. The threat enables fraudulent point-of-sale (POS) and ATM transactions by cloning compromised cards, posing significant risks to financial security. The malware, linked to Chinese-speaking actors, relies on social engineering and on evasion techniques that keep antivirus detection rates low, making it a pressing concern for security professionals.
TL;DR: Key Points
- Threat: SuperCard X uses NFC relay attacks to clone payment cards.
- Distribution: Spread via Telegram and phishing (fake bank SMS/WhatsApp).
- Evasion: 0/56 AV detections on VirusTotal; uses mTLS for C2 communication.
- Targets: Banking customers globally, with active campaigns in Italy.
- Mitigation: Disable NFC when unused; monitor rapid contactless transactions.
Technical Analysis of SuperCard X
SuperCard X operates as a MaaS platform, allowing attackers to customize builds for regional campaigns. The malware is distributed through phishing messages impersonating banks, directing victims to download a malicious app named “Reader”. Once installed, it requests only the android.permission.NFC permission, minimizing suspicion. The malware captures card data via NFC and relays it to the attacker’s “Tapper” app for cash-out operations [1].
Cleafy’s report highlights that SuperCard X uses ATR-based emulation to spoof cards, removing the need to physically steal them. The malware’s C2 infrastructure relies on mutual TLS (mTLS), complicating detection and analysis. Custom builds for Italian victims removed the “Register” button, indicating adaptability to regional targets [2].
Detection and Mitigation Challenges
SuperCard X’s low detection rate (0/56 on VirusTotal) underscores its sophistication. The malware’s use of benign-looking icons (e.g., “Verifica Carta”) and minimal permissions further reduces scrutiny. Google Play Protect has mitigated known versions, but sideloaded apps remain a risk [1].
Banks are advised to monitor for small, rapid contactless transactions, a hallmark of NFC relay fraud. Users should disable NFC when not in use and verify bank communications to avoid phishing traps. Android’s Play Protect and restricted sideloading are critical defenses [3].
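A defender-side check for the pattern described above, added here as an illustration rather than code from Cleafy’s report or the cited articles: it scans authorisation records and flags any card with a burst of small contactless payments inside a sliding time window. The record layout, the sample data and the thresholds (5 minutes, 3 payments, 50 EUR) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorisation records (not real data):
# (card token, UTC timestamp, amount in EUR, entry channel).
SAMPLE_AUTHS = [
    ("tok-A", "2025-04-20T10:00:05Z", 24.90, "contactless"),
    ("tok-A", "2025-04-20T10:00:49Z", 19.99, "contactless"),
    ("tok-A", "2025-04-20T10:01:30Z", 29.50, "contactless"),
    ("tok-A", "2025-04-20T10:02:10Z", 14.00, "contactless"),
    ("tok-B", "2025-04-20T08:15:00Z", 12.00, "contactless"),  # spread over hours
    ("tok-B", "2025-04-20T12:40:00Z", 9.50, "contactless"),
    ("tok-B", "2025-04-20T18:05:00Z", 31.00, "contactless"),
    ("tok-C", "2025-04-20T09:00:00Z", 300.00, "contactless"),  # above amount limit
    ("tok-C", "2025-04-20T09:00:30Z", 280.00, "chip"),         # not contactless
    ("tok-C", "2025-04-20T09:01:00Z", 260.00, "chip"),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_rapid_contactless(auths, window_seconds=300, min_count=3, max_amount=50.0):
    """Return {card_token: [timestamps]} for every card that made at least
    `min_count` contactless authorisations of at most `max_amount` within
    some sliding window of `window_seconds`. The longest such burst is kept."""
    per_card = defaultdict(list)
    for token, ts, amount, channel in auths:
        if channel == "contactless" and amount <= max_amount:
            per_card[token].append(_parse_ts(ts))
    alerts = {}
    for token, times in per_card.items():
        times.sort()
        best, start = [], 0
        for end in range(len(times)):
            # Slide the window's left edge forward until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = times[start:end + 1]
        if len(best) >= min_count:
            alerts[token] = best
    return alerts


if __name__ == "__main__":
    for token, burst in flag_rapid_contactless(SAMPLE_AUTHS).items():
        print(f"ALERT {token}: {len(burst)} small contactless auths between "
              f"{burst[0]:%H:%M:%S} and {burst[-1]:%H:%M:%S} UTC")
```

In production the thresholds would be tuned per issuer and the alert fed to the fraud team alongside the terminal identifiers, which are omitted from the constructed records here.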
Relevance to Security Teams
For threat intelligence researchers, SuperCard X’s MaaS model signals potential global expansion. Indicators of compromise (IOCs) include domains such as api.kingcardnfc[.]com and hashes such as 2c6b914f9e... (Verifica Carta) [2]. SOC analysts should prioritize monitoring for mTLS traffic and unusual NFC activity.
Red teams can simulate NFC relay attacks to test organizational defenses, while blue teams should enforce NFC usage policies and educate users on social engineering risks. System administrators must ensure Play Protect is enabled and sideloading restricted on enterprise devices.
Conclusion
SuperCard X represents a significant evolution in NFC-based financial fraud, combining low detection rates with a scalable MaaS model. Its adaptability to regional targets and use of mTLS for C2 communication pose unique challenges for detection and mitigation. Proactive measures, including user education and transaction monitoring, are essential to counter this threat.
References
- [1] “SuperCard X Android malware uses stolen cards in NFC relay attacks,” BleepingComputer, Apr. 19, 2025.
- [2] “SuperCard X: Exposing Chinese-speaking MaaS for NFC relay fraud operation,” Cleafy, Apr. 2025.
- [3] “New Android malware NGate steals NFC card data for relay attacks,” The Hacker News, Aug. 2024.