Tapping into Trouble: SuperCard X and the Growing Threat of Contactless Card Fraud

Summary

CRIL came across a blog published by Cleafy, detailing a newly identified Android malware campaign dubbed SuperCard X. Distributed through a Chinese-speaking Malware-as-a-Service (MaaS) platform, the malware enables attackers to perform NFC relay attacks by intercepting contactless card data. Victims are deceived through smishing and phone-based social engineering into installing the malicious app and tapping their cards, which allows unauthorized transactions at ATMs and POS terminals. Its stealthy design and minimal permission use result in low detection rates across security solutions.

This campaign represents a major advancement in mobile financial fraud, extending its impact beyond traditional banking apps to payment providers and card issuers. With evident code overlap with the previously known NGate malware, SuperCard X exemplifies the increasing sophistication of mobile threats. The coordinated use of social engineering, malware deployment, and NFC exploitation makes this a highly effective and scalable fraud technique, significantly raising the risk to financial institutions and their customers.

Technical Details

The mobile threat landscape is becoming more advanced, especially in the financial sector. A recent fraud campaign in Italy used a new Android malware called SuperCard X, which spreads through a Malware-as-a-Service (MaaS) platform. This allows attackers in different regions to run similar scams. The attack uses fake messages, phone scams, and malware to steal card data through NFC in real time. Because of its stealthy design, banks and card issuers should stay alert to this rising threat.

Breakdown of the Attack

This fraud campaign begins with fake SMS or WhatsApp messages posing as bank alerts, urging victims to call a number. During the call (a Telephone-Oriented Attack Delivery, or TOAD, attack), scammers gain trust and trick victims into sharing sensitive information such as PINs or banking app access, sometimes asking them to remove card limits.

Next, victims are sent a link to download an app that secretly carries the SuperCard X malware. Once installed, the app captures card data when the victim taps their card to the phone. This data is sent to attackers, who use it for unauthorized payments or ATM withdrawals.

Malware Architecture and Functionality

SuperCard X operates using a dual-application structure provided to affiliates. The first app, known as the "Reader," is installed on the victim’s device and is used to capture card data. The second app, called the "Tapper," is used by the attacker to mimic the captured card data for fraudulent transactions. These two apps communicate through a central Command and Control (C2) server, which facilitates data relay between devices.

Each affiliate using the MaaS platform is given login credentials to link the victim's app to their Tapper device. This connection ensures that only authorized threat actors within the SuperCard X ecosystem can use the stolen data for fraud. The malware also uses Answer To Reset (ATR) messages, commonly used in NFC communications, to emulate physical cards and trick POS terminals or ATMs into accepting the fake transaction.

Detection and Evasion Techniques

SuperCard X currently flies under the radar of most antivirus tools. This is partly due to its minimalist design—it only requests basic permissions like NFC access and avoids behavior that would typically raise suspicion. Unlike other Android malware that uses overlays or SMS interception, SuperCard X sticks to one primary function: NFC data theft.
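The Reader/Tapper architecture above and the minimal permission footprint described here suggest a simple triage check for app analysts: flag manifests that request NFC plus network access with few other permissions, and note whether a host-card-emulation service (the Android mechanism an emulating "Tapper" would rely on) is declared. This is an added Python example, not code from the original post or from the Cleafy research; the sample manifest, the `triage_manifest` function and the permission-count threshold are constructed assumptions, and legitimate wallet apps can match the same heuristic, so it is a review aid rather than a verdict.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace, written in Clark notation for ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed manifest for illustration: NFC plus network access only, and a
# host-card-emulation service. Not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.relaytest">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RelayService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str, small_footprint: int = 3) -> dict:
    """Return NFC relay indicators found in an AndroidManifest.xml string.

    small_footprint is an assumed heuristic threshold: an app asking for NFC
    and network access with this few permissions in total is flagged for
    manual review, matching the minimal footprint described in the text.
    """
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    perms.discard(None)
    has_nfc = "android.permission.NFC" in perms
    has_net = "android.permission.INTERNET" in perms
    # Card emulation on Android goes through a HostApduService; an emulating
    # "Tapper" component would need to declare this intent action.
    has_hce = any(a.get(NAME_ATTR) == HCE_ACTION for a in root.iter("action"))
    if has_nfc and has_net and len(perms) <= small_footprint:
        verdict = "nfc-relay-candidate"
    elif has_nfc:
        verdict = "nfc-review"
    else:
        verdict = "no-nfc-indicators"
    return {"nfc": has_nfc, "internet": has_net, "hce_service": has_hce,
            "permission_count": len(perms), "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```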

Another security feature used by SuperCard X is mutual TLS (mTLS). This ensures that only devices with the correct digital certificates can communicate with its servers. If a device attempts to connect without a valid certificate, the server rejects the connection. This makes it harder for researchers or law enforcement to analyze or intercept the malware’s communications.

Regional Customization and Obfuscation

Analysis of the campaign targeting Italy revealed several unique traits in the malware samples. These include customized builds that remove the “Register” button on the login screen since the threat actors create the accounts for the victims in advance. This makes the interface simpler and more believable, reducing the risk of suspicion.

In addition, the Italian versions of the malware have removed any direct references to SuperCard X’s official Telegram channels. Affiliates likely used these for communication and support. Their removal suggests an effort to avoid detection or attribution, making it harder to trace the campaign back to its source.

Recommendations

  • Avoid clicking on links or calling numbers from unexpected SMS or WhatsApp messages claiming to be from your bank. Always verify such alerts directly through official banking channels.

  • Legitimate banks will never ask for your PIN or password or to install third-party apps over the phone. If asked to do so, treat it as a red flag and disconnect immediately.

  • Install apps only from trusted sources, such as the Google Play Store. Keep your device’s operating system and antivirus software up to date to protect against emerging threats like SuperCard X.

Conclusion

The CrazyHunter ransomware campaign represents a highly targeted and sophisticated threat, primarily aimed at Taiwanese organizations in critical sectors. By leveraging open-source tools and BYOVD techniques, the group effectively bypasses security defenses and ensures successful payload deployment. Their rapid evolution and strategic focus highlight the growing danger posed by threat actors using publicly available tools for customized attacks. Proactive security measures and monitoring are essential to counter such advanced threats.

Written by

FPT Metrodata Indonesia