This report details a newly identified and active fraud campaign, highlighting the emergence of sophisticated mobile malware leveraging innovative techniques:
The Cleafy Threat Intelligence team has identified a new and sophisticated Android malware campaign, dubbed 'SuperCard X’. This campaign employs a novel NFC-relay technique, enabling Threat Actors (TAs) to fraudulently authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices. The malware is distributed through Social Engineering tactics, deceiving victims into installing the malicious application and subsequently “tapping” their payment cards on their infected phones.
Preliminary analysis suggests that TAs are leveraging a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X. This malware exhibits significant code overlap with the previously documented NGate malware discovered by ESET in 2024.
This novel campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions to affect payment providers and credit card issuers directly. The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards. This method demonstrates high efficacy, especially when targeting contactless ATM withdrawals.
The mobile threat landscape, particularly within the financial sector, is marked by a relentless evolution towards greater sophistication and scalability. As established attack vectors mature, novel trends emerge, introducing advanced functionalities that redefine the threat paradigm. A significant new trend challenging traditional banking institutions, payment institutions, and card issuers is the abuse of Near-Field Communication (NFC) technology. TAs increasingly exploit NFC capabilities to capture and relay sensitive data exchanged via this protocol. This emerging threat is not confined to a single region; recent reports, including those covered by KrebsOnSecurity, detail similar NFC-enabled fraud schemes in the US, leading to arrests linked to Chinese actors.
This article delves into a particularly active fraud campaign targeting Italy, which we assess to be associated with a previously undocumented Android malware offered through a Malware-as-a-Service (MaaS) model promoted as 'SuperCard X'. The nature of MaaS enables multiple affiliates to operate locally within their own regions or areas of specific interest. Consequently, we cannot exclude the possibility of similar or related campaigns being active in other regions globally.
Our analysis will provide a comprehensive breakdown of the group's techniques, encompassing both sophisticated social engineering tactics and the deployment of this novel Android malware. We will detail the entire fraud lifecycle, from the initial phishing campaigns designed to deliver SuperCard X to the eventual cash-out operations exploiting the relayed NFC data. Given the potential for widespread impact due to the MaaS distribution model, we strongly recommend that banking institutions and card issuers maintain heightened vigilance regarding these emerging attack scenarios.
The execution of this sophisticated fraud campaign unfolds through a series of well-orchestrated steps initiated by a targeted social engineering strategy. The attack typically starts with deceptive messages, often delivered via SMS or WhatsApp, designed to instil a sense of urgency or alarm in the recipient. These messages commonly impersonate bank security alerts, notifying users of a suspicious outgoing payment. The message prompts potential victims to call a specific number to dispute the transaction. This initial contact establishes a Telephone-Oriented Attack Delivery (TOAD) scenario, where TAs leverage direct phone conversations to manipulate their targets.
During the ensuing phone call, the TAs employ persuasive social engineering tactics to guide victims through actions that ultimately compromise their payment card details. This multi-stage manipulation involves:
The following diagram illustrates the high-level overview of the described scenario:
It is important to emphasize the impact of this threat, as it no longer fits within the traditional fraud paradigm where the targets were customers of a specific bank. On the contrary, the operational context of this attack is mainly agnostic of the financial institution involved since the ultimate target of the fraudsters is the customers’ debit or credit cards, regardless of the issuing bank.
At the same time, one must consider the implications in terms of execution speed. Unlike traditional fraud scenarios, such as wire transfers, which may take up to two business days to process, allowing time for detection and intervention, this type of attack is executed instantly. It resembles an “instant payment” but with the added advantage for the attacker of immediately gaining access to the purchased goods or services. This creates a dual benefit for the fraudster: the rapid movement of stolen funds and the immediate usability of the fraudulent transaction.
This section provides a detailed technical analysis of the SuperCard X malware that facilitates the NFC-relay fraud campaign observed in Italy. SuperCard X, while a newly identified threat in this context, exhibits strong foundational similarities with NFCGate, an open-source tool developed and released by the Technical University of Darmstadt (Germany) and publicly available on GitHub. SuperCard X also shares significant characteristics with NGate, an Android malware discovered by ESET in 2024 that similarly focused on exploiting NFC capabilities for malicious purposes in the Czech Republic. The close resemblance between SuperCard X and NGate strongly suggests that both malware families are built upon the reuse of code and concepts originating from the NFCGate open-source project.
The infrastructure underpinning the SuperCard X malware and its NFC relay capabilities involves a modular design, leveraging two distinct applications provided to its affiliates: "Reader" (identified by a blue icon) and "Tapper" (identified by a green icon). The following Figure illustrates that the "Reader" application is the malicious component distributed to victims for capturing NFC card data, while the "Tapper" is installed on a device controlled by the TAs.
Communication between the "Reader" and "Tapper" applications is facilitated through the HTTP protocol. This protocol utilizes a Command and Control (C2) infrastructure provisioned by the SuperCard X Malware-as-a-Service (MaaS) platform operators. This centralized C2 infrastructure is the intermediary for relaying the captured NFC data in real time.
To ensure the correct traffic routing between the various affiliates utilizing the MaaS platform, the "Reader" and "Tapper" applications require users to log in upon initial launch. This login procedure, as depicted in the provided screenshot of the login page, serves as an authentication and identification mechanism within the SuperCard X ecosystem.
During the execution of a fraud scenario, the TAs proactively create an account within the SuperCard X platform. Once the victim has successfully installed the "Reader" application on their device (guided by the TAs via phone), the TAs communicate the pre-generated login credentials to the victim. This step is crucial as it establishes the link between the victim's infected device and the specific TA's "Tapper" instance, enabling the subsequent relay of the captured NFC data for fraudulent cash-out operations.
It’s worth mentioning that the “Reader” application contains an embedded file that stores multiple Answer To Reset (ATR) messages. These messages, typically used to initiate and negotiate communication parameters between a smart card and an NFC reader, are reused to facilitate card emulation. When the "Reader" captures and relays a victim’s card data, the corresponding ATR is transmitted via the C2 infrastructure to the "Tapper" device, which uses this message to emulate a virtual card, effectively deceiving point-of-sale (POS) terminals or ATMs into recognizing it as a legitimate physical card. By leveraging ATRs, SuperCard X enables seamless, real-time relay attacks, allowing threat actors to bypass physical proximity constraints and carry out fraudulent transactions.
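To make concrete what an entry in such an embedded ATR file carries, here is an added ISO/IEC 7816-3 ATR parser (example code written for this article, not Cleafy's tooling or any SuperCard X component). It splits an ATR into its interface bytes, protocol list, historical bytes and checksum, and rejects truncated entries; the sample ATR is the PC/SC standard ATR for a contactless storage card, embedded as constructed test input.

```python
# Constructed sample: PC/SC standard ATR for a contactless storage card (20 bytes).
SAMPLE_ATR = bytes.fromhex("3B8F8001804F0CA000000306030001000000006A")

def parse_atr(atr: bytes) -> dict:
    """Parse an ATR into TS, interface bytes, protocols, historical bytes and TCK.

    Raises ValueError on malformed input so that truncated or corrupted
    entries in an extracted ATR list can be flagged instead of silently used.
    """
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):                 # direct / inverse convention
        raise ValueError(f"invalid TS byte 0x{ts:02X}")
    result = {"convention": "direct" if ts == 0x3B else "inverse",
              "interface": [], "protocols": [], "historical": b"", "tck_ok": None}
    pos, i, td = 2, 1, 0
    y = t0 >> 4            # Y1: presence bits for TA1, TB1, TC1, TD1
    k = t0 & 0x0F          # K: number of historical bytes
    while True:
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated at {name}{i}")
                result["interface"].append((f"{name}{i}", atr[pos]))
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if not (y & 8):    # no TDi: the chain of interface bytes ends here
            break
        y = td >> 4        # TDi: high nibble Y(i+1), low nibble protocol T
        result["protocols"].append(td & 0x0F)
        i += 1
    if pos + k > len(atr):
        raise ValueError("ATR truncated in historical bytes")
    result["historical"] = atr[pos:pos + k]
    pos += k
    # TCK is present only when a protocol other than T=0 is offered;
    # XOR of every byte from T0 through TCK must be zero.
    if any(p != 0 for p in result["protocols"]):
        if pos >= len(atr):
            raise ValueError("ATR missing TCK")
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        result["tck_ok"] = (xor == 0)
        pos += 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return result
```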
An important aspect of SuperCard X is its current low detection rate among prevalent AV solutions. At the time of writing, samples analyzed by our team remain largely undetected by most vendors, as evidenced by the following Figure:
This low detection efficacy can be attributed, in part, to the malware's focused functionality and consequent minimalistic permission model, which is a stark contrast to the extensive permission requests typical of modern, multi-functional Android banking trojans.
Unlike its more complex counterparts, which often incorporate features such as remote control, SMS interception, and overlay attacks, SuperCard X primarily concentrates on a single, albeit highly effective, capability: NFC relay. The following snippet from its Manifest file highlights that the application predominantly declares only the essential android.permission.NFC permission. Alongside this, we observe only standard, non-suspicious permissions typically associated with basic application functionality. This deliberate limitation in requested permissions allows SuperCard X to perform its malicious core function while maintaining a benign profile.
SuperCard X employs mutual TLS (mTLS), a robust authentication mechanism, to secure communication with its C2 infrastructure. As highlighted in the following Figure, this approach goes beyond standard TLS encryption by requiring both the client (the SuperCard X application on the victim's device) and the C2 infrastructure to authenticate each other using digital certificates.
When a client attempts to connect to the C2 endpoint without providing the required client-side TLS certificate, the server responds with a 400 Bad Request error, explicitly stating "No required SSL certificate was sent." This effectively prevents unauthorized clients from interacting with the backend infrastructure, adding an additional layer of access control and hindering analysis attempts. Instead, when a client, possessing the correct client-side TLS certificate, connects to the C2 server, the server accepts the connection and proceeds with the communication.
During our Threat Intelligence investigations into the SuperCard X campaign targeting Italy, our team identified several malware samples exhibiting characteristics suggesting the presence of custom builds tailored for specific affiliates or regional operations. While the core NFC relay functionality remains consistent across these builds, we observed a few modifications likely aimed at hindering detection and removing direct references to the MaaS Official Telegram channel.
As illustrated in the comparison of the login screens, a key customization observed in these specific Italian campaign samples is the removal of the "Register" button. This modification aligns with the observed fraud scenario, where TAs pre-create accounts and directly provide login credentials to victims, rendering the in-app registration functionality unnecessary. This seemingly minor alteration streamlines the user interface of the malicious application presented to the victim, potentially reducing suspicion. Moreover, a better decoy has been implemented to mask the malicious nature of the application by using a benign-looking icon and application name.
Our analysis also revealed efforts to remove direct references to the Telegram channels associated with the SuperCard X MaaS platform within these custom builds. In the standard versions, these references likely serve as a communication or support channel for affiliates. Removing these indicators suggests the operators or the specific affiliates attempt to distance their operations and make attribution slightly more challenging.
As highlighted in this report, this new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC. This process allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers.
Another noteworthy aspect of this malware is its low fingerprinting profile. The malicious application merely collects NFC data and transmits it over a communication channel, making it less detectable through conventional behavioral analysis. Moreover, our internal investigations indicate that NFC-relay capabilities are not limited to SuperCard X: they are starting to be explored and embedded in more conventional malware families as well, such as Copybara or DroidBot.
In conclusion, while this type of attack relies on relatively simple social engineering techniques, it proves to be highly effective—both in terms of success rate and cash-out efficiency. Using multiple attack vectors within the same fraud campaign adds another layer of complexity. This multichannel approach poses additional challenges for monitoring efforts and highlights the growing need for real-time detection capabilities.