New Android Malware ‘SuperCard X’ Uses NFC to Drain Bank Accounts in Real Time

New Android malware 'SuperCard X' uses NFC technology and social engineering to clone cards and drain bank accounts in real time through a convincing multi-step scam.

    A newly discovered Android malware named SuperCard X is exploiting NFC technology and social engineering to empty victims’ bank accounts in a matter of minutes. Researchers warn the malware uses a combination of text scams, phone calls, and card cloning to carry out real-time financial theft.


    Multi-Stage Attack Uses SMS, Social Engineering, and NFC Card Cloning

    According to security firm Cleafy, the attack begins with a smishing message—often sent via SMS or WhatsApp—alerting the user to a fake “suspicious transaction” from their bank. Victims are then urged to call a phone number for support.

    Once on the call, a scammer impersonating a bank employee calmly guides the victim through several steps:

    • Installing a malicious app disguised as a security tool
    • Revealing their PIN
    • Removing spending limits from their debit or credit card

    Finally, the caller asks the victim to tap their physical card against the smartphone “for verification.” At this point, the malware silently captures card data through the phone’s NFC functionality and sends it to a device controlled by the attacker. Using this cloned data, the attacker can perform contactless withdrawals from ATMs.


    Targeted Victims and Geolocation

    The campaign has so far targeted users in Italy, with similar techniques seen in the US and the Czech Republic in previous cases. These attacks are suspected to originate from Chinese-speaking threat actors, operating via malware-as-a-service (MaaS) platforms.

    Researchers note that the malware’s effectiveness heavily relies on the human factor—victims are manipulated into disabling protections and granting full access to attackers.


    Risk Higher in Android-Dominant Regions

    Security experts highlight that regions with high Android usage, such as parts of Asia, may face a greater risk of such attacks.

    “There’s a particularly high concentration of Android users across Asia, which may increase the risk in that region,” said Randolph Barr, CISO at Cequence.

    Barr explained that Android’s openness, including sideloading and broader NFC access, can make it more vulnerable to such malware. In contrast, iOS devices impose stricter limitations on NFC functions, helping reduce this kind of threat.


    Common Red Flags in SuperCard X Attacks

    Experts emphasize that while the malware is technically advanced, the signs of fraud are still familiar. Key red flags include:

    • Requests to install third-party security apps
    • Prompts to disable card or device protections
    • Unsolicited calls claiming urgent account issues
    • Instructions to “verify” your card via tap or scan

    “No legitimate company should ever ask you to lower or remove the security settings on your device,” Barr warned.


    Google’s Official Response

    A spokesperson from Google responded to concerns about SuperCard X, confirming that the malware has not been found on Google Play. They noted that Android devices come with built-in protections, including:

    • Google Play Protect, which runs by default
    • The ability to detect and block harmful apps even from outside sources

    “Google Play Protect can warn users or block apps known to exhibit malicious behavior,” the company said.
