Android Malware SuperCard X Allows For Fraudulent ATM Withdrawals
In a new report published by fraud prevention firm Cleafy, researchers have discovered a new Android-based malware, named SuperCard X, that is capable of fraudulently authorizing Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying Near Field Communication (NFC) data from compromised devices.
This abuse of NFC, known as an NFC relay attack, has been defined as follows:
Relay attacks generally occur between two entities that communicate with each other through wireless means. When a relay attack between an honest prover and an honest verifier occurs, an adversary tricks the prover and verifier into believing that they are indeed communicating with each other. Such attacks are rather difficult to identify and prevent since a passive adversary does not modify any of the communicated messages between prover and verifier. RFID/NFC-based applications are particularly vulnerable to such attacks. We provide an overview of RFID-based relay attacks and evaluate various streams of research that have attempted to address these attacks. Specifically, we consider distance-bounding techniques and the use of artificial or natural ambient conditions, with specific emphasis on the latter.
Researchers noted that threat actors are leveraging the malware via a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X. This malware exhibits significant code overlap with the previously documented NGate malware discovered by ESET in 2024.
The discovered attack campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions to directly affect payment providers and credit card issuers. The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards. This method demonstrates high efficacy, especially when targeting contactless ATM withdrawals.
One of the key factors in this attack campaign is the sophisticated phishing tactics employed. The attack typically starts with deceptive messages, often delivered via SMS or WhatsApp, designed to instill a sense of urgency or alarm in the recipient by impersonating bank security alerts and notifying users of a suspicious outgoing payment. The message prompts potential victims to call a specific number to dispute the transaction.
This initial contact establishes a Telephone-Oriented Attack Delivery (TOAD) scenario, where threat actors leverage direct phone conversations to manipulate their targets. These calls are designed to manipulate the victim into removing security controls associated with bank cards and banking institutions. A successful call will enable a threat actor to:
- Gain PIN codes for victim-controlled bank cards.
- Remove banking limits to potentially steal more funds from the victim.
- Manipulate victims into installing malware packages that enable NFC relay attacks, like SuperCard X.
The last step is to capture the NFC data stored on the bank card. This is done by instructing the victim to bring their physical debit or credit card into proximity to their infected mobile device. The SuperCard X malware then silently captures the card details transmitted via NFC. This data is intercepted in real-time and relayed through a Command-and-Control infrastructure to a second, attacker-controlled Android device.
SuperCard X Analysis
The core SuperCard X malware and its NFC relay capabilities rest in the "Reader" and "Tapper" functions. Communication between the "Reader" and "Tapper" applications is facilitated through the HTTP protocol. This protocol utilizes a Command-and-Control infrastructure provisioned by the SuperCard X Malware-as-a-Service (MaaS) platform operators. This centralized infrastructure is the intermediary for relaying the captured NFC data in real-time.
Researchers further noted,
During the execution of a fraud scenario, the TAs [Threat Actors] proactively create an account within the SuperCard X platform. Once the victim has successfully installed the "Reader" application on their device (guided by the TAs via phone), the TAs communicate the pre-generated login credentials to the victim. This step is crucial as it establishes the link between the victim's infected device and the specific TA's "Tapper" instance, enabling the subsequent relay of the captured NFC data for fraudulent cash-out operations.
When the "Reader" captures and relays a victim's card data, the data is transmitted via the Command-and-Control infrastructure to the "Tapper" device, which uses it to emulate a virtual card, effectively deceiving point-of-sale (POS) terminals or Automated Teller Machines (ATMs) into recognizing it as a legitimate physical card.
By leveraging Answer to Reset (ATR) messages, SuperCard X enables seamless, real-time relay attacks, allowing threat actors to bypass physical proximity constraints and carry out fraudulent transactions.
The "Reader" application contains an embedded file that stores multiple ATR messages. These messages are typically used to initiate and negotiate communication parameters between a smart card and an NFC reader and can be reused to facilitate card emulation, which is beneficial to the attacker and enables fraudulent withdrawals.
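The relay described above works because the terminal trusts that a card answering correctly is physically in its field; the distance-bounding techniques named in the definition quoted earlier are the classic countermeasure. The following is an added illustration, not code from Cleafy's report or from SuperCard X: a simulated terminal times each challenge/response and rejects a card whose round-trip, inflated by a relay hop, exceeds its bound. The clock, the latencies and the 10 ms policy are assumed values chosen for the example.

```python
"""Added illustration (not Cleafy's analysis code nor anything from SuperCard X):
a terminal-side distance-bounding check that catches an NFC relay by timing.
A relayed card returns cryptographically correct answers, so only the extra
round-trip latency of the relay hop gives it away."""
import hashlib
import hmac
import secrets


class SimClock:
    """Deterministic stand-in for a terminal's high-resolution timer (assumed)."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class GenuineCard:
    """Card in the reader field: answers a challenge after its own processing time."""
    def __init__(self, key: bytes, clock: SimClock, latency: float = 0.0005) -> None:
        self.key, self.clock, self.latency = key, clock, latency

    def respond(self, challenge: bytes) -> bytes:
        self.clock.advance(self.latency)
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class RelayedCard:
    """The same real card, but every exchange crosses a relay (assumed 45 ms hop)."""
    def __init__(self, real: GenuineCard, relay_latency: float = 0.045) -> None:
        self.real, self.relay_latency = real, relay_latency

    def respond(self, challenge: bytes) -> bytes:
        self.real.clock.advance(self.relay_latency)  # forward plus return trip
        return self.real.respond(challenge)


def verify_distance_bound(card, key: bytes, clock: SimClock,
                          max_rtt: float = 0.010, rounds: int = 3):
    """Run timed challenges; reject on a wrong MAC or a slow answer.
    Returns (accepted, worst_rtt). max_rtt is an assumed terminal policy."""
    worst = 0.0
    for _ in range(rounds):
        challenge = secrets.token_bytes(16)
        t0 = clock.now
        answer = card.respond(challenge)
        rtt = clock.now - t0
        worst = max(worst, rtt)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(answer, expected) or rtt > max_rtt:
            return False, worst
    return True, worst
```

The relayed card fails only on timing: its answers are valid, which is why content inspection alone cannot distinguish a relay from the real card.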
Researchers concluded that,
As highlighted in this report, this new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC. This process allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers... Another noteworthy aspect of this malware is its low fingerprinting profile. The malicious application merely collects NFC data and transmits it over a communication channel, making it less detectable through conventional behavioral analysis. Moreover, according to internal insight and investigation, we started to observe that NFC capabilities aren't limited to SuperCard X. Still, it's starting to be explored and embedded even in more conventional malware families, such as Copybara or DroidBot.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.