Cleafy Threat Intelligence has discovered a new SuperCard X fraud campaign that targets Android users. Attackers use malware to steal payment card data via NFC, allowing them to make payments and withdraw cash from ATMs.
The malware is distributed via social engineering: the victim is sent an SMS or WhatsApp message purporting to be from the bank, asking them to call to resolve a “suspicious transaction”. Next, the fraudster, posing as a bank employee, asks for the card details and PIN. The victim is then prompted to install a “security app” which is actually malware.
SuperCard X asks for minimal permissions, mainly access to NFC. Once installed, the software reads data from the card held against the smartphone and transmits it to the attackers. The attackers, in turn, run a card emulator on their own Android device and make payments or withdraw funds. Because of the small transaction amounts, banks are not suspicious.
The campaign is probably of Chinese origin and has already been recorded in Europe. SuperCard X is not recognised by antivirus software, which makes it particularly dangerous. The programme bears similarities to the NGate virus detected earlier and indicates a high level of technical expertise on the part of the attackers.