By Alimat Aliyeva
Cybersecurity experts from Cleafy Threat Intelligence have uncovered a new large-scale malware campaign called SuperCard X, which specifically targets Android users. This sophisticated threat leverages NFC technology to steal bank data, enabling attackers to make contactless payments and withdraw cash from ATMs.
SuperCard X spreads through social engineering. Victims receive phishing messages, typically via SMS or WhatsApp, disguised as communications from their bank. These messages trick users into calling back a fake number, where attackers posing as bank representatives extract sensitive details such as card numbers and PIN codes. Victims are then coerced into downloading a malicious application presented as a security tool. The malware is sold under a malware-as-a-service (MaaS) model in closed Telegram channels.
Once installed, the malicious app requests minimal permissions, mainly access to the NFC module. The app prompts the victim to place their bank card near the phone for "verification." In reality, the malware reads the card’s chip data via NFC and transmits it to the attackers. Using this stolen information, the criminals can emulate the victim's card on their own Android devices, allowing them to make contactless payments or withdraw money from ATMs. These transactions are often for small amounts to evade detection by banking fraud detection systems.
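The article notes that the fraudulent transactions are kept small to slip under amount-based fraud thresholds. The following is an added example, not code from the article or from Cleafy, showing one defender-side heuristic a card issuer could apply instead: flag a card that suddenly makes a burst of small contactless transactions at terminals it has never used before. The transaction records, field layout and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log (not real data).
# Fields: masked card, ISO timestamp, amount, channel, terminal id.
SAMPLE_TXNS = [
    ("4111****1111", "2025-04-20T10:00:00", 42.00, "chip_pin", "T-HOME-1"),
    ("4111****1111", "2025-04-21T14:03:00", 19.90, "contactless", "T-NEW-7"),
    ("4111****1111", "2025-04-21T14:06:00", 24.50, "contactless", "T-NEW-8"),
    ("4111****1111", "2025-04-21T14:11:00", 29.00, "contactless", "T-NEW-9"),
    ("4111****1111", "2025-04-21T14:15:00", 30.00, "contactless_atm", "ATM-NEW-2"),
    ("5500****0004", "2025-04-21T09:00:00", 3.20, "contactless", "T-CAFE-1"),
    ("5500****0004", "2025-04-21T17:30:00", 55.00, "chip_pin", "T-SHOP-2"),
]


def flag_small_contactless_bursts(txns, window=timedelta(minutes=30),
                                  min_count=3, max_amount=50.0):
    """Return {card: alert} for cards showing a burst of small contactless
    transactions at terminals absent from the card's earlier history.

    A per-transaction amount check alone misses this pattern; the signal is
    velocity plus novelty of the terminals, not the size of any one payment.
    Thresholds are illustrative assumptions.
    """
    by_card = defaultdict(list)
    for card, ts, amount, channel, terminal in txns:
        by_card[card].append((datetime.fromisoformat(ts), amount, channel, terminal))

    alerts = {}
    for card, rows in by_card.items():
        rows.sort(key=lambda r: r[0])
        # Candidate rows: contactless (POS or ATM) and at or below the amount cap.
        cand = [r for r in rows
                if r[2].startswith("contactless") and r[1] <= max_amount]
        for i, start in enumerate(cand):
            # All candidates within the sliding window starting at this row.
            burst = [r for r in cand[i:] if r[0] - start[0] <= window]
            if len(burst) < min_count:
                continue
            # Terminals this card used before the burst began.
            prior_terminals = {r[3] for r in rows if r[0] < burst[0][0]}
            new_terminals = {r[3] for r in burst} - prior_terminals
            if len(new_terminals) >= min_count:
                alerts[card] = {
                    "count": len(burst),
                    "total": round(sum(r[1] for r in burst), 2),
                    "new_terminals": sorted(new_terminals),
                }
                break  # one alert per card is enough for this illustration
    return alerts


if __name__ == "__main__":
    for card, alert in flag_small_contactless_bursts(SAMPLE_TXNS).items():
        print(card, alert)
```

Only the first card is flagged: four small contactless transactions in twelve minutes at four terminals it had never used, while the second card's single small coffee purchase at a familiar-looking terminal stays clean. Real issuer rules would add device and geography signals, but the shape of the check is the same.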
SuperCard X shares notable similarities with the previously discovered NGate malware, especially in its social engineering tactics and NFC data extraction techniques. The malware’s combination of stealth and NFC data interception makes it especially dangerous, particularly for withdrawing funds through contactless ATMs. Cleafy experts have already documented cases of attacks in Europe.
One of the most alarming aspects of SuperCard X is its low detection rate. The malware is currently undetectable by most antivirus systems, which is attributed to its minimal permission requests and lack of overtly suspicious behavior. For instance, there is no screen overlay or other functions typically associated with malicious apps. Furthermore, the malware’s ability to emulate the victim’s card looks legitimate to payment services, signaling a high level of sophistication among the attackers. This indicates that the criminals behind SuperCard X possess a deep understanding of smart card protocols.
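The sparse permission profile described above (essentially NFC access, with no overlay or accessibility abuse) is exactly what makes signature-based scanners miss the app, so it is also a useful hunting signal for a mobile security or app-vetting team. The following is an added example, not code from the article or from Cleafy, that triages a decoded AndroidManifest.xml for that profile: NFC combined with INTERNET, an unusually small permission set, and a declared host card emulation (HCE) service, which is what an app needs to present itself as a card. The sample manifest and the `max_perms` threshold are constructed assumptions; on a real APK the manifest is binary and must first be decoded with a tool such as apktool or androguard.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NFC_PERMISSION = "android.permission.NFC"
INTERNET_PERMISSION = "android.permission.INTERNET"
# Android's intent action for host card emulation services.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed manifest (not from any real sample): a "card check" app that
# asks only for NFC and INTERNET, the minimal profile described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardcheck">
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Card Security Check">
        <activity android:name=".MainActivity"/>
        <service android:name=".EmuService"
                 android:permission="android.permission.BIND_NFC_SERVICE">
            <intent-filter>
                <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: no NFC, broader permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <application android:label="Notes"/>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def permissions(root):
    """Sorted list of <uses-permission> names."""
    return sorted(_attr(p, "name") for p in root.iter("uses-permission") if _attr(p, "name"))


def declares_hce_service(root):
    """True if any <service> filters on the HCE intent action."""
    return any(_attr(a, "name") == HCE_ACTION
               for svc in root.iter("service") for a in svc.iter("action"))


def triage_manifest(xml_text, max_perms=3):
    """Return a dict of findings for one decoded manifest.

    `max_perms` (an illustrative threshold) marks what counts as a sparse
    permission set. Findings are hunting signals for review, not a verdict.
    """
    root = ET.fromstring(xml_text)
    perms = permissions(root)
    findings = []
    if NFC_PERMISSION in perms:
        findings.append("requests NFC")
        if INTERNET_PERMISSION in perms:
            findings.append("NFC combined with INTERNET (card data could leave the device)")
        if len(perms) <= max_perms:
            findings.append(f"sparse permission set ({len(perms)} permissions)")
    if declares_hce_service(root):
        findings.append("declares a host card emulation (HCE) service")
    return {
        "package": root.get("package"),
        "permissions": perms,
        "findings": findings,
        # Review when NFC is present together with at least one other signal.
        "review": NFC_PERMISSION in perms and len(findings) >= 2,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The point of the `review` flag is that none of these signals is malicious on its own: a legitimate wallet or transit app declares an HCE service, and a minimal permission set is good practice. Together, in an app that arrived via an unsolicited link and calls itself a "security check," they are worth an analyst's time.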
The attackers' ability to convincingly impersonate bank employees over the phone demonstrates advanced knowledge of social engineering techniques. Their use of phishing messages combined with psychological manipulation makes it more challenging for users to detect the scam.