
SuperCard X Malware Uses Tap-to-Pay to Steal Funds


A new Android malware called SuperCard X is enabling cybercriminals to instantly steal funds from victims’ bank accounts by exploiting NFC (Near Field Communication) technology, typically used for tap-to-pay features. The attack is not only fast and stealthy but also relies heavily on social engineering to bypass user defenses.

Discovered by cybersecurity firm Cleafy, the malware is part of a malware-as-a-service (MaaS) platform. SuperCard X allows threat actors to perform fraudulent cash-outs almost instantly. It achieves this through a novel NFC relay technique that intercepts and forwards payment data in real time, enabling unauthorized POS transactions and ATM withdrawals.

How the SuperCard X Malware Attack Works

In a real-world campaign Cleafy investigated in Italy, attackers first make contact through fake SMS or WhatsApp messages. These messages usually impersonate bank alerts warning of suspicious outgoing transactions. Victims are urged to call a phone number to dispute the charge.

Once the victim calls, the attacker uses social engineering tactics to gather sensitive details like banking PINs and convinces the user to remove spending limits on their bank account. The attacker then pushes a mobile app link via message. This app appears harmless but secretly installs SuperCard X malware.

Once installed, the malware quietly enables NFC-relay functionality. The attacker then instructs the victim to tap their card against their infected phone, supposedly to “verify” or “cancel” a transaction. This step is crucial—SuperCard X intercepts and captures the NFC data, such as card details, during the tap.

That data is then relayed through a command-and-control (C2) infrastructure to a second Android device controlled by the attacker. Using this second device, the criminal can make unauthorized tap-to-pay purchases at retail stores or even withdraw cash via contactless ATMs.

Cleafy researchers noted the speed of execution is what makes this threat alarming. Unlike wire transfer fraud, which can take hours or days to process, this attack allows instant access to stolen funds and services.

“It resembles an ‘instant payment’ but with the added advantage for the attacker of immediately gaining access to the purchased goods or services,” Cleafy’s report stated.

Detection Challenges and Malware Origins

One reason SuperCard X is so dangerous is its low detection rate among common Android antivirus solutions. The malware requests only minimal permissions when installed, helping it evade traditional scans.

Cleafy pointed out that while this malware is new, it shares a technical foundation with NFCGate, an open-source project from the Technical University of Darmstadt in Germany. It also shows similarities to NGate, another Android malware identified by ESET researchers in 2023.

The malware-as-a-service model suggests that multiple cybercriminal groups could adopt and customize SuperCard X for various regions and targets. Cleafy’s report includes indicators of compromise (IoCs) and other technical details to help defenders respond.

“SuperCard X is part of a rising trend of real-time cyberattacks, where malware acts immediately and criminals get paid instantly,” said one Cleafy researcher.

Another recent example includes a credential phishing campaign documented by Abnormal Security, where attackers verified login attempts in real time using a fake Microsoft SharePoint portal.

Security Awareness: Still the First Line of Defense

While Cleafy recommends real-time detection systems to mitigate this threat, experts emphasize the human factor. The success of SuperCard X relies heavily on tricking users. Victims willingly call the attacker, provide banking info, and even tap their cards against their own infected devices.

Good security training could stop this. Had the victim contacted their bank directly—rather than calling the number in the message—the attack could have been avoided entirely.

As NFC usage continues to grow, consumers must become more cautious about how they interact with devices and verify financial alerts. Organizations should prioritize anti-phishing education, multi-layered security, and app monitoring to detect hidden malware before it executes.
