SuperCard X Uses NFC Relay for Credit Card Theft


A new Android malware-as-a-service (MaaS) platform called SuperCard X has emerged, posing a serious threat to banking customers through its innovative use of near-field communication (NFC) technology. Designed by a Chinese-speaking threat actor, the platform enables cybercriminals to carry out NFC relay attacks, facilitating unauthorized cash withdrawals and fraudulent transactions via point-of-sale (PoS) terminals and ATMs.

According to cybersecurity firm Cleafy, the malware is currently targeting customers of major banking institutions and card issuers in Italy. What sets this threat apart is its multi-layered attack approach—one that blends social engineering, telephone scams, malware installation, and sophisticated NFC data interception to bypass traditional security controls.

Smishing, TOAD, and Social Engineering: A Highly Manipulative Attack Chain

SuperCard X campaigns begin with smishing—fraudulent SMS messages—and deceptive WhatsApp messages that impersonate legitimate banking security alerts. Victims are tricked into believing their account is compromised and are urged to call a customer support number. This tactic creates a false sense of urgency and forces users into a state of panic, increasing the likelihood of compliance.

This is where TOAD (Telephone-Oriented Attack Delivery) comes into play. When victims call the number, threat actors posing as bank representatives guide them into downloading a malicious app under the pretense of installing “security software.” These apps have been identified as:

  • Verifica Carta (io.dxpay.remotenfc.supercard11)
  • SuperCard X (io.dxpay.remotenfc.supercard)
  • KingCard NFC (io.dxpay.remotenfc.supercard)

Once the app is installed, attackers further manipulate victims during the phone conversation to disclose sensitive information, such as their PIN codes, and even instruct them to remove spending or withdrawal limits from their accounts—allowing criminals to extract maximum funds.

NFC Relay Attack: The Core Exploit of SuperCard X

The real danger lies in the malware’s ability to read the card over NFC. Victims are coaxed into holding their credit or debit card against their phone. The installed malware, the “Reader”, puts the phone’s NFC interface into reader mode and silently captures the card’s responses, the same data a payment terminal would otherwise receive.

That data is relayed in real time to a second malicious app, the “Tapper”, running on the attacker’s device. The Tapper uses host card emulation (HCE) to present itself to a PoS terminal or ATM as the victim’s card, answering the terminal’s commands with the relayed responses so the transaction is treated as legitimate.
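To make the relay mechanics concrete, the following Python simulation is an added example; it is not code from Cleafy’s report or from the SuperCard X apps. The class names, the APDU bytes, the per-hop latencies and the terminal’s timing threshold are all constructed for illustration. It shows two things the description above implies: the terminal receives exactly the card’s own responses (so nothing in the data itself marks the transaction as fraudulent), and the only trace the relay leaves at the terminal is added round-trip latency, which is what timing-based relay countermeasures measure.

```python
"""Simulated NFC relay: terminal -> Tapper (HCE) -> network -> Reader -> card.

Added example, not code from Cleafy or from SuperCard X. All APDU bytes,
latencies and the timing threshold are constructed for illustration only.
"""

# Constructed command APDUs loosely modelled on the opening of an EMV contactless
# transaction. The bytes are illustrative, not captured from a real card.
SELECT_PPSE = "00A404000E325041592E5359532E4444463031"  # SELECT "2PAY.SYS.DDF01"
GPO = "80A8000002830000"                               # GET PROCESSING OPTIONS
CARD_RESPONSES = {
    SELECT_PPSE: "6F0E840C325041592E5359532E44444630319000",  # FCI (constructed) + SW 9000
    GPO: "770A82021980940408010100" + "9000",                 # AIP/AFL (constructed) + SW 9000
}


class SimClock:
    """Deterministic clock in milliseconds, so the example never calls sleep()."""

    def __init__(self):
        self.ms = 0

    def advance(self, ms):
        self.ms += ms

    def now(self):
        return self.ms


class Card:
    """The victim's contactless card. It never leaves the victim; only its
    responses travel over the relay."""

    PROCESSING_MS = 15  # assumed card processing time per APDU

    def __init__(self, clock):
        self.clock = clock

    def transceive(self, apdu_hex):
        self.clock.advance(self.PROCESSING_MS)
        return CARD_RESPONSES.get(apdu_hex, "6A82")  # 6A82: file not found


class Reader:
    """Stand-in for the malicious 'Reader' app on the victim's phone: it holds the
    NFC interface in reader mode and answers whatever the remote Tapper forwards."""

    def __init__(self, card, clock, link_ms):
        self.card, self.clock, self.link_ms = card, clock, link_ms

    def relay(self, apdu_hex):
        self.clock.advance(self.link_ms)        # Tapper -> Reader over the C2 link
        response = self.card.transceive(apdu_hex)
        self.clock.advance(self.link_ms)        # Reader -> Tapper
        return response


class Tapper:
    """Stand-in for the attacker's HCE app held against the PoS/ATM. Its job mirrors
    Android's HostApduService.processCommandApdu(): take a command APDU from the
    terminal and return a response APDU, here obtained from the remote Reader."""

    def __init__(self, reader):
        self.reader = reader

    def transceive(self, apdu_hex):
        return self.reader.relay(apdu_hex)


class Terminal:
    """A PoS terminal that times each command/response pair. max_rtt_ms is an
    assumed demo threshold, not a figure from the article or from any EMV spec."""

    def __init__(self, clock, max_rtt_ms=60):
        self.clock, self.max_rtt_ms = clock, max_rtt_ms

    def transact(self, target):
        responses, rtts = [], []
        for apdu in (SELECT_PPSE, GPO):
            t0 = self.clock.now()
            responses.append(target.transceive(apdu))
            rtts.append(self.clock.now() - t0)
        return {
            "responses": responses,
            "rtt_ms": rtts,
            "relay_suspected": max(rtts) > self.max_rtt_ms,
        }


def run_direct():
    """Genuine card tapped directly on the terminal."""
    clock = SimClock()
    return Terminal(clock).transact(Card(clock))


def run_relayed(link_ms=80):
    """Victim's card read by the Reader; its answers replayed by the Tapper."""
    clock = SimClock()
    tapper = Tapper(Reader(Card(clock), clock, link_ms))
    return Terminal(clock).transact(tapper)


if __name__ == "__main__":
    for label, result in (("direct", run_direct()), ("relayed", run_relayed())):
        print(label, result)
```

In both runs the terminal receives byte-for-byte identical responses ending in the success status word 9000; the relayed run differs only in the round trip per command, which grows by two network hops. That is why defences against this class of fraud sit in the terminal and issuer timing logic rather than in inspection of the card data.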

The command-and-control (C2) channel between the “Reader” and “Tapper” apps is HTTP-based and protected with mutual TLS (mTLS): both the client and the C2 server must present valid certificates. This means an analyst cannot simply connect a forged client or stand up a fake server to intercept or inject relayed card data, and it makes the traffic harder for defenders to inspect.

Before the malicious apps are distributed, threat actors set up user accounts within the SuperCard X platform. During the phone call, they provide victims with credentials and instruct them to enter these into the app. This critical action links the infected device to the attacker’s Tapper instance, enabling real-time relay and exploitation of card data.

Customized Malware Builds and Distribution Strategy

Cleafy researchers observed that the Reader malware apps show subtle differences in design, particularly in their login interfaces. This implies that affiliates working under the broader SuperCard X MaaS framework are generating custom builds of the app to suit their specific campaign goals or targets. These slight alterations make detection more difficult and allow actors to scale operations independently.

Although there is currently no evidence that the SuperCard X apps are available on the Google Play Store, their distribution through third-party sources still poses a severe threat to users who allow installation from unknown sources on their devices. In response, Google is reportedly working on a new Android feature that blocks the installation of apps from unknown sources and prevents such apps from being granted accessibility permissions, which are often abused by malware.

Implications and Recommendations

The emergence of SuperCard X marks a major shift in the financial cybercrime landscape. Unlike traditional banking malware that targets banking apps or login credentials, this campaign targets the contactless interface of the payment card itself, allowing criminals to cash out at a terminal the victim never visits, using responses generated by the victim’s own card.

This tactic presents not only a severe risk to individual users but also significant implications for banks, credit card issuers, and payment processors, which may struggle to detect or mitigate NFC relay-based fraud. The real-time nature of this attack, combined with strong social engineering, makes it particularly difficult to defend against using conventional fraud detection systems.

To stay protected, users are advised to:

  • Avoid installing apps from unknown sources.
  • Be skeptical of unsolicited messages and never call numbers provided in suspicious SMS or WhatsApp messages.
  • Keep Google Play Protect enabled to detect and block malicious apps.
  • Regularly review app permissions and remove any unnecessary apps, especially those with NFC or accessibility permissions.

As Cleafy researchers noted, “This novel campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions. The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards. This method demonstrates high efficacy, especially when targeting contactless ATM withdrawals.”
