NFC-Enabled Android Malware ‘SuperCard X’ Facilitates Instant Credit Card Theft


A new cybersecurity threat is making waves in the mobile security landscape as researchers from antifraud firm Cleafy unveil a dangerous Android malware known as SuperCard X. This malware exploits the Near Field Communication (NFC) feature in Android devices, enabling cybercriminals to instantly drain victims’ bank accounts by authorizing fraudulent transactions in real time.

According to Cleafy’s report, SuperCard X operates as a “malware-as-a-service” (MaaS) platform primarily targeting users through deceptive SMS or WhatsApp messages. These messages pose as urgent alerts from banks, warning recipients of suspicious activity on their accounts. Victims are then urged to call a phone number for assistance. Once on the call, attackers use social engineering tactics to extract sensitive information, such as banking PINs, and coax users into removing security limits on their banking apps.

The final step in the scam involves convincing the victim to download what appears to be a harmless app. However, this app secretly installs the SuperCard X malware, which contains a covert NFC-relay function that begins the real-time theft operation.

How SuperCard X Executes Real-Time Fraud

Once installed, SuperCard X enables attackers to hijack the NFC signal when the victim unknowingly places their credit or debit card near the infected phone. The malware captures the card data transmitted through NFC and relays it via a command-and-control (C2) server to a second device controlled by the attacker.

Using this stolen data, the attacker’s device can mimic the victim’s card to carry out unauthorized contactless payments at point-of-sale (POS) terminals or even withdraw money from ATMs that support NFC-based transactions. Researchers noted that this process takes place almost instantaneously—an alarming development that mimics the speed and convenience of legitimate instant payment systems.

Cleafy stated that this campaign, which has already been observed in Italy, is particularly dangerous due to its low detection rate. Most antivirus solutions currently fail to flag the malware, largely because it requires minimal permissions and camouflages itself well within the Android system.

Interestingly, SuperCard X appears to be based on or inspired by previous open-source research tools like NFCGate and bears strong resemblances to Android malware known as NGate, previously uncovered by cybersecurity firm ESET.

Implications and Recommendations for Users

The emergence of SuperCard X underscores a troubling trend in cybercrime: threat actors executing attacks in real time, leaving little to no window for banks or victims to respond. The malware’s efficiency not only allows criminals to move stolen funds quickly but also enables them to immediately spend or withdraw the illicit gains.

Cybersecurity experts warn that traditional fraud detection systems may not be fast enough to catch these transactions in time. Therefore, real-time threat detection and improved user awareness are key to combating such threats. Cleafy emphasized the importance of verifying suspicious messages by contacting banks directly, rather than relying on contact information provided in unsolicited texts.
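One way a bank-side rule could act on the sequence this article describes (a security limit lifted during the call, followed almost immediately by a contactless payment or NFC ATM withdrawal) is sketched below. It is an added example, not taken from Cleafy's report; the event field names, the 30-minute window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per institution

# Constructed sample events (hypothetical schema, not real data).
EVENTS = [
    {"ts": "2025-04-18T10:02:00", "account": "A1", "type": "limit_change", "old": 500, "new": 5000},
    {"ts": "2025-04-18T10:09:00", "account": "A1", "type": "contactless", "channel": "ATM", "amount": 1200},
    {"ts": "2025-04-18T11:00:00", "account": "B2", "type": "contactless", "channel": "POS", "amount": 40},
    {"ts": "2025-04-17T09:00:00", "account": "C3", "type": "limit_change", "old": 500, "new": 1000},
    {"ts": "2025-04-18T12:00:00", "account": "C3", "type": "contactless", "channel": "POS", "amount": 700},
    {"ts": "2025-04-18T10:30:00", "account": "D4", "type": "limit_change", "old": 500, "new": 1000},
    {"ts": "2025-04-18T10:35:00", "account": "D4", "type": "limit_change", "old": 1000, "new": 5000},
    {"ts": "2025-04-18T10:40:00", "account": "D4", "type": "contactless", "channel": "POS", "amount": 800},
]

def flag_relay_pattern(events, window=WINDOW):
    """Return contactless transactions that follow a limit increase within
    `window` and would have been declined under the limit in force before it."""
    last_raise = {}  # account -> (time of latest raise, lowest limit before the raises)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "limit_change":
            if ev["new"] > ev["old"]:
                prev = last_raise.get(acct)
                recent = prev is not None and ts - prev[0] <= window
                # Stepwise raises inside the window keep the original baseline.
                base = min(ev["old"], prev[1]) if recent else ev["old"]
                last_raise[acct] = (ts, base)
            else:
                last_raise.pop(acct, None)  # a lowered limit clears the state
        elif ev["type"] == "contactless" and acct in last_raise:
            raised_at, old_limit = last_raise[acct]
            if ts - raised_at <= window and ev["amount"] > old_limit:
                alerts.append({"account": acct, "channel": ev["channel"],
                               "amount": ev["amount"],
                               "minutes_after_raise": (ts - raised_at).total_seconds() / 60})
    return alerts

if __name__ == "__main__":
    for alert in flag_relay_pattern(EVENTS):
        print(alert)
```

Because the rule only keeps per-account state, it can run inline with authorization and hold the transaction for step-up verification instead of reviewing it after settlement.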

The SuperCard X incident serves as a reminder of the rising sophistication of mobile malware and the critical role of social engineering in successful attacks. To minimize risk, users are urged to be cautious about installing unknown applications and to remain skeptical of unexpected banking alerts delivered via SMS or messaging platforms.
