SuperCard X: The Malware That Turns Your Smartphone into a Rogue Bank Card
This new malware-as-a-service uses NFC technology to steal and exploit your cards in stores, presenting a threat that is already active in Europe and is set to become global.
The New Malware Threat: SuperCard X
Hackers have always favored using malware to steal your credit card details. Now, a new malware-as-a-service platform called SuperCard X has made this process incredibly easy, enabling hackers to use stolen cards in stores and ATMs in person.
How Does SuperCard X Work?
Identified by mobile security firm Cleafy, SuperCard X shares many features with the NGate malware. It also utilizes contactless cards to commit fraud by taking over the NFC capabilities of a vulnerable device. With your credit card details, hackers behind this campaign make small transactions and ATM withdrawals to stay under the radar and avoid detection as fraudulent.
How to Avoid Becoming a Victim?
Like other malware attacks, it starts with a victim receiving a text or WhatsApp message disguised as a communication from their bank. This phishing message claims they need to call a number to address issues with their account due to a suspicious transaction.
The hackers pose as bank support on the call and use social engineering to trick potential victims into “confirming” their card number and PIN. They then attempt to persuade the victim to remove spending limits through their banking app, definitely a red flag as no bank would ever ask to do such a thing over the phone.
To access their credit cards, hackers convince victims to install a malicious app called Reader, disguised as a security or verification tool. As you might guess, it contains the malware SuperCard X. Unlike other malicious apps in the past, the Reader app doesn’t request numerous unnecessary permissions but only a few crucial ones, primarily access to the Android device’s NFC module.
How to Protect Yourself?
Fortunately, according to the Cleafy report, SuperCard X is currently being used by hackers and fraudsters only in Italy. However, as it is a malware-as-a-service offering bought on the dark web, it could easily spread to other countries and continents at any time. Here are some tips to protect yourself from SuperCard X and other Android malwares.
Top 5 Tips
Never install apps outside of the Play Store – Avoid APKs from unknown sources. The Play Store has security filters — while not perfect, they provide a first line of defense.Check app permissions – An app asking for message access? Run. Only grant permissions that are strictly necessary.Beware of suspicious messages (SMS, WhatsApp, emails) – Never click on a link from a message claiming to be from your bank or an official service. If in doubt, contact the institution directly through their official channels.Use a reputable mobile antivirus – Solutions like Bitdefender, Avast, or Kaspersky can detect suspicious behavior and block malicious apps before they can cause harm.Enable two-factor authentication on all your accounts – Even if your credentials are compromised, two-factor authentication (2FA) adds a crucial extra layer of protection for your sensitive data.