A dangerous new Android malware called SuperCard X is letting hackers use your credit cards remotely without ever touching them, as cybercriminals exploit the very technology that makes tap-to-pay convenient.
Key Takeaways
- SuperCard X malware steals credit card data through Android phones’ NFC technology during contactless transactions, with victims tricked through fake banking alerts
- The sophisticated malware is currently undetectable by standard security tools and doesn’t require physical access to cards or knowledge of PINs
- Attacks begin with SMS or WhatsApp messages claiming to be from banks about suspicious transactions, leading victims to install malicious apps
- The Chinese-linked malware operation runs as a “Malware-as-a-Service” platform, making it widely available to cybercriminals
- Users can protect themselves by avoiding suspicious messages, turning off NFC when not in use, and regularly monitoring bank accounts
The Digital Pickpocket in Your Phone
SuperCard X represents a dangerous evolution in mobile payment scams, targeting Android users through sophisticated exploitation of Near Field Communication (NFC) technology. This malware, discovered by Italian security firm Cleafy, doesn’t rely on traditional methods like credential theft or screen overlays. Instead, it intercepts NFC data directly from compromised phones, allowing criminals to capture credit card information without physical access to the cards themselves. The operation has been linked to Chinese-speaking cybercriminals and shares code similarities with previous exploits called NFCGate and NGate, showing a pattern of evolving tactics.
“SuperCard X is a newly identified malware-as-a-service (MaaS) platform that targets Android handsets using an advanced NFC relay technique,” said Cleafy, cybersecurity research firm.
The attacks have been particularly prevalent in Italy, but the malware’s design as a service platform means it can be deployed worldwide. The most alarming aspect is its stealth – victims have no idea their card information has been compromised until unauthorized charges appear. Security researchers warn that SuperCard X operates without needing physical access to cards or knowledge of PINs, making traditional card security measures ineffective against this new threat.
⚠️ Hold your phone near your card… and they drain your bank account.
A new Android malware-as-a-service, SuperCard X, is targeting Italians with NFC relay attacks—letting cybercriminals remotely steal card data and pull off ATM & PoS fraud.
👉 Learn how it works:… pic.twitter.com/0vA9Tw1yRm
— The Hacker News (@TheHackersNews) April 21, 2025
How the Scam Works
The SuperCard X attack begins with social engineering. Victims receive urgent-looking messages through WhatsApp or SMS claiming to be from their bank about suspicious transactions. These messages create a sense of panic, prompting recipients to call the provided number where scammers pose as bank representatives. During this call, victims are persuaded to install what they believe is a legitimate banking security application called “Reader.” In reality, this is the malicious SuperCard X payload that will compromise their device.
Once installed, the malware doesn’t immediately raise suspicions. It requires minimal permissions compared to typical banking trojans and is currently undetectable by standard security tools like VirusTotal. After installation, the malware waits for the victim to tap their credit card against their phone, supposedly to verify their identity. This action allows SuperCard X to capture the card’s NFC data, which is then transmitted to the attackers using encrypted connections. Criminals can then use this stolen data with a companion app called “Tapper” to simulate the victim’s card for fraudulent transactions.
“According to Cleafy, SuperCard X is presently undetectable by malware scanners on VirusTotal,” said Cleafy, cybersecurity research firm.
The sophistication of this attack lies in its ability to bypass traditional security measures. Unlike other banking malware that focuses on stealing login credentials, SuperCard X targets the payment technology itself. This approach works against any credit card regardless of the issuing bank, making it a universal threat to Android users who make contactless payments. The malware operates as a service platform, allowing criminal organizations to launch customized campaigns against different regions or banking systems.
Protecting Yourself from NFC Exploitation
With SuperCard X representing a growing threat to mobile payment security, Android users must take proactive steps to protect their financial information. First and foremost, be highly suspicious of any message claiming to be from your bank regarding account security or suspicious transactions. Legitimate banks typically don’t contact customers through WhatsApp or request app installations during support calls. Always verify communications by contacting your bank directly through official channels listed on their website or your account statements.
Only install applications from trusted sources like the Google Play Store, and even then, verify the developer and read reviews before downloading. Google is currently developing new Android features to block app installations from unknown sources during calls and restrict accessibility settings, which should provide additional protection against these types of scams. Until then, consider disabling NFC functionality on your device when not actively making a payment to prevent unauthorized access to card data.
Regular monitoring of bank accounts for suspicious activity remains one of the most effective defenses. The sooner unauthorized transactions are identified, the better chance you have of recovering your funds. If you suspect your device has been compromised, immediately contact your bank to freeze your cards, change all financial passwords, and consider professional security services to remove the malware. The increasing sophistication of threats like SuperCard X demonstrates why constant vigilance and security awareness are now essential parts of using digital payment technology.
