SuperCard X: Sophisticated NFC-Based Banking Malware Threatens Mobile Payment Security

CyberSecureFox 🦊

Cybersecurity researchers at Cleafy have uncovered a sophisticated new threat to mobile payment security: SuperCard X, a Malware-as-a-Service (MaaS) platform specifically designed to execute relay attacks on Android devices through NFC interfaces. This advanced malware enables criminals to conduct unauthorized transactions at point-of-sale terminals and ATMs using compromised banking card data.

Technical Architecture and Origins of SuperCard X

The malware platform, reportedly developed by Chinese threat actors, builds upon the NFCGate open-source project and its malicious variant NGate. SuperCard X represents a significant evolution in payment fraud techniques, transforming legitimate NFC debugging tools originally developed at the Technical University of Darmstadt in 2015 into sophisticated attack vectors for financial crime.

Attack Methodology and Social Engineering Tactics

The attack begins with social engineering: phishing messages sent via SMS or WhatsApp that impersonate banking institutions. Victims are manipulated into installing a malicious “Reader” application, purportedly for security purposes. Once installed, the malware gains access to the device’s NFC module, enabling attackers to capture banking card data during routine contactless transactions.

Advanced Technical Features and Evasion Capabilities

SuperCard X implements several sophisticated security evasion mechanisms:
– Mutual TLS (mTLS) encryption for command-and-control communications
– ATR (Answer To Reset) based card emulation, intended to make the emulated card look legitimate to the terminal
– Anti-detection features that evade current antivirus solutions

These capabilities make the malware particularly challenging to detect and mitigate.

Impact Assessment and Global Reach

The threat landscape analysis reveals concerning statistics: over 22,000 Android devices have been compromised in Russia alone, with financial losses approaching 200 million rubles in early 2025. The malware’s presence in Italy, featuring region-specific variants, indicates its potential for global expansion and adaptability to different banking systems.

Security experts emphasize the critical importance of maintaining strict application installation hygiene and verifying all banking-related communications. While Google Play Store remains free of SuperCard X-related applications, users should rely on Google Play Protect and official app sources exclusively. Financial institutions are advised to implement additional transaction verification mechanisms and enhance their NFC security protocols to counter this emerging threat. Regular security awareness training for customers remains crucial in preventing successful social engineering attacks.
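
One way to act on the installation-hygiene advice during a device audit, as an added example (not from the original article or from Cleafy): flag apps that were not installed by Google Play yet declare NFC access or a card-emulation service. The manifest below is constructed, `nfc_findings` and its `allowlist` parameter are hypothetical names, and the input is assumed to be an AndroidManifest.xml already decoded to text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed sample: decoded manifest of a hypothetical sideloaded app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def nfc_findings(manifest_xml, installer, allowlist=frozenset()):
    """Return reasons the app deserves manual review (empty list = none)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    # Apps from Google Play, or explicitly approved by the auditor, are skipped.
    if package in allowlist or installer == PLAY_INSTALLER:
        return []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    uses_nfc = "android.permission.NFC" in perms
    emulates_card = HCE_ACTION in actions
    if not (uses_nfc or emulates_card):
        return []
    source = installer or "unknown source"
    findings = [f"{package}: NFC-capable app installed from {source}"]
    if uses_nfc and "android.permission.INTERNET" in perms:
        findings.append(f"{package}: can use NFC and reach the network")
    if emulates_card:
        findings.append(f"{package}: registers a host card emulation service")
    return findings


if __name__ == "__main__":
    for line in nfc_findings(SAMPLE_MANIFEST, installer=None):
        print(line)
```

This is a triage heuristic for sideloaded NFC-capable apps in general, not a signature for SuperCard X; legitimate wallet or transit apps distributed outside Google Play belong in the allowlist.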
