SuperCard X Mobile Malware
A previously unknown Android Malware-as-a-Service (MaaS) platform named SuperCard X is making waves in the cybercrime world. It lets attackers carry out near-field communication (NFC) relay attacks that end in fraudulent point-of-sale transactions and ATM withdrawals. So far it has targeted banking customers in Italy, and it is believed to be advertised through Telegram channels, which extend its reach across underground cybercriminal networks.
The Deceptive Entry Point: Social Engineering at Its Worst
SuperCard X uses a multi-stage attack chain that begins with classic social engineering. Victims are lured through smishing campaigns or fake WhatsApp messages that impersonate their bank, warn of suspicious activity on the account and urge them to call a phone number.
Once contact is made, the attack escalates into Telephone-Oriented Attack Delivery (TOAD). During these calls the attackers talk the victim into installing what is presented as security software. The apps used in this ploy include:
- Verifica Carta (io.dxpay.remotenfc.supercard11)
- SuperCard X (io.dxpay.remotenfc.supercard)
- KingCard NFC (io.dxpay.remotenfc.supercard)
Victims are also talked into disclosing their card PIN and removing the transaction limits on the card, which sets the stage for large-scale financial theft.
The Relay Mechanism: How the Tactic Works
At the core of SuperCard X is an NFC relay technique. Here is how it works:
- Victims are asked to hold their credit or debit card against their infected phone.
- The Reader app on the victim's phone captures the card data exchanged over NFC.
- That data is sent over HTTP to a Tapper app on the attacker's device.
- The Tapper app emulates the victim's card using the relayed data, so the attacker can make unauthorised PoS or ATM transactions while the session is live.
To link the two devices, the victim is told during the call to enter login credentials into the app; those credentials pair the infected device (the Reader) with the attacker's Tapper instance.
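The following is an added example, not code from the page or from the SuperCard X operators: a simulation of the Reader/Tapper relay flow described above, together with the terminal-side timing check that is the standard countermeasure against NFC relays. The APDUs, latencies, threshold and session token are all constructed for illustration; there is no real NFC, host card emulation, HTTP or EMV code here, only the message flow on a virtual clock.

```python
"""Simulation of the Reader/Tapper NFC relay with a terminal-side timing check.
Constructed example: no real NFC, HTTP or EMV code, only the message flow."""

# Constructed APDUs: SELECT of the contactless PPSE ("2PAY.SYS.DDF01") and a
# made-up FCI response ending in status word 90 00 (success). Not captured
# from any real card.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
PPSE_FCI = bytes.fromhex("6F10840E325041592E5359532E4444463031" "9000")

SW_NOT_FOUND = bytes.fromhex("6A82")   # application/file not found
SW_RELAY_FAIL = bytes.fromhex("6F00")  # generic failure returned by the Tapper

CARD_LOCAL_MS = 5       # assumed time a genuine card needs to answer over NFC
RELAY_ONE_WAY_MS = 40   # assumed one-way latency of the Tapper<->Reader hop
RTT_LIMIT_MS = 50       # illustrative threshold; real kernels use spec-defined bounds


class Clock:
    """Virtual clock in milliseconds so latency is deterministic."""
    def __init__(self) -> None:
        self.ms = 0

    def advance(self, ms: int) -> None:
        self.ms += ms


class Card:
    """Stand-in for the victim's physical contactless card."""
    def __init__(self, clock: Clock, responses: dict) -> None:
        self._clock = clock
        self._responses = responses

    def transceive(self, apdu: bytes) -> bytes:
        self._clock.advance(CARD_LOCAL_MS)
        return self._responses.get(apdu, SW_NOT_FOUND)


class Reader:
    """Malware component on the victim's phone (the page's Reader app): checks
    the session credential entered during the call, then forwards each APDU
    from the relay channel to the card held against the phone."""
    def __init__(self, card: Card, session_token: str) -> None:
        self._card = card
        self._token = session_token

    def handle_request(self, req: dict) -> dict:
        if req.get("token") != self._token:
            return {"error": "unknown session"}
        resp = self._card.transceive(bytes.fromhex(req["apdu"]))
        return {"resp": resp.hex()}


class RelayChannel:
    """Stands in for the HTTP hop between Tapper and Reader. Each direction
    costs one_way_ms on the virtual clock; no network I/O happens."""
    def __init__(self, reader: Reader, clock: Clock, one_way_ms: int) -> None:
        self._reader = reader
        self._clock = clock
        self._one_way_ms = one_way_ms

    def post(self, req: dict) -> dict:
        self._clock.advance(self._one_way_ms)      # Tapper -> Reader
        resp = self._reader.handle_request(req)
        self._clock.advance(self._one_way_ms)      # Reader -> Tapper
        return resp


class Tapper:
    """Attacker-side component: presents itself to the terminal as a card but
    answers every APDU by relaying it to the Reader."""
    def __init__(self, channel: RelayChannel, session_token: str) -> None:
        self._channel = channel
        self._token = session_token

    def transceive(self, apdu: bytes) -> bytes:
        reply = self._channel.post({"token": self._token, "apdu": apdu.hex()})
        if "error" in reply:
            return SW_RELAY_FAIL
        return bytes.fromhex(reply["resp"])


class Terminal:
    """PoS/ATM side: sends SELECT PPSE, times the answer and flags a relay when
    the round trip exceeds what a card physically in the field could achieve."""
    def __init__(self, clock: Clock, rtt_limit_ms: int = RTT_LIMIT_MS) -> None:
        self._clock = clock
        self._limit = rtt_limit_ms

    def select_ppse(self, presented) -> tuple:
        start = self._clock.ms
        resp = presented.transceive(SELECT_PPSE)
        rtt = self._clock.ms - start
        return resp, rtt, rtt > self._limit


def run(relayed: bool, one_way_ms: int = RELAY_ONE_WAY_MS,
        tapper_token: str = "victim-session-1234") -> tuple:
    """Tap a card at the terminal either directly or through the relay.
    Returns (response APDU, round-trip ms, relay_suspected)."""
    clock = Clock()
    card = Card(clock, {SELECT_PPSE: PPSE_FCI})
    terminal = Terminal(clock)
    if relayed:
        reader = Reader(card, "victim-session-1234")   # credential typed in by the victim
        presented = Tapper(RelayChannel(reader, clock, one_way_ms), tapper_token)
    else:
        presented = card
    return terminal.select_ppse(presented)


if __name__ == "__main__":
    for label, flow in (("direct", run(False)), ("relayed", run(True))):
        resp, rtt, suspected = flow
        print(f"{label:8s} rtt={rtt:3d} ms sw={resp[-2:].hex()} relay_suspected={suspected}")
```

Both flows return byte-identical responses with status 90 00, which is the point: a relay forwards live card traffic, so the terminal talks to a genuine card and nothing in the APDU content distinguishes the two. Only timing (as in EMV contactless kernels that implement relay resistance) or issuer-side checks such as an impossible card location can. The latency and threshold values are assumptions; a real relay over mobile HTTP adds far more delay than the 80 ms modelled here.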
Customization, Communication and Control
SuperCard X is modular and customisable; variations in the login screen suggest that different criminal affiliates tailor it to their own campaigns. Communication between the malware and its command-and-control (C2) infrastructure is protected with mutual TLS (mTLS), which encrypts the traffic and, because the client must present its own certificate, also keeps anyone without a valid certificate from talking to the C2, hampering analysis.
To use the platform, affiliates first register an account, after which they can generate customised malware builds and manage their NFC relay sessions.
Staying Safe: What Users Should Know
Despite the advanced tactics, there are ways to stay protected:
- Avoid installing apps from unknown sources or links sent via SMS/WhatsApp.
- Scrutinize app permissions, reviews, and descriptions before downloading.
- Keep Google Play Protect enabled to scan and block suspicious apps.
- Beware of urgent messages that prompt you to call a number or provide sensitive data.
Google has reportedly been working on Android features that block app installs from unverified sources and restrict accessibility permissions, with the aim of cutting off this kind of distribution at the source.
The Bigger Picture
SuperCard X is not just another piece of malware; it marks a worrying step in financial cybercrime. By relaying contactless card traffic it gives attackers a scalable way to cash out without ever holding the physical card. As it spreads, it threatens not only banks but also payment providers and card issuers worldwide.