This new Android malware can drain your bank account with a single card tap


Pickpocketing is moving to the next level. A new Android malware is using NFC tech to rip off your bank card while you’re on the phone with a scammer.

Imagine you got a text from what looked like your bank warning of a “suspicious transaction” and urging you to call support. Out of caution, you call, and a calm, reassuring voice answers: “Don’t worry, we’ll walk you through this.”

But a couple of minutes later, you have already unknowingly installed malware, handed over your PIN, removed spending limits on the debit card, and, at the scammer’s request, given full permission to wipe your card.


Sounds like a nightmare? Welcome to SuperCard X, the newest malware mutation on the block. As described by security firm Cleafy’s researchers, it’s sleek, nearly invisible, and devastatingly effective.

Distributed via malware-as-a-service (MaaS) and developed by Chinese-speaking actors, this Android-born beast uses NFC relay attacks to skim, steal, and cash out from your bank cards in real time.


Human factor is key

SuperCard X’s genius is in its multi-stage deception. First comes the smishing with fake texts or WhatsApp messages claiming your account's been compromised.

Then comes the TOAD (Telephone-Oriented Attack Delivery), where the scammer calls and builds trust. Once they’ve reeled you in, they walk you through revealing your PIN code, disabling card limits, and installing the malware app under the guise of security software.

Example of a phishing message. Source: Cleafy

Then comes the killer move: they convince you to tap your card on your phone “just to verify it.” But the app silently pulls your card’s info via NFC and sends it to a clone device, which the attackers manage. Then, they can cash out using contactless withdrawals at ATMs.


This particular campaign has been traced to Italian victims. Similar NFC relay frauds have popped up in the US, with arrests linked to Chinese fraud rings. ESET researchers have previously identified Android malware exploiting NFC; that earlier campaign targeted clients of three Czech banks.

Fraud scheme. Source: Cleafy

No legitimate company will ask you to remove security settings

What makes SuperCard X so effective isn’t just the malware; it’s the human factor. According to Randolph Barr, Chief Information Security Officer at cybersecurity firm Cequence, most of these attacks are still geo-specific, with early signs pointing to a regional focus.

“If this threat expands, it will likely be due to users falling victim to social engineering and being convinced to disable built-in security protections – a clear red flag,” he explains.

Barr also flagged the regional risk. “There’s a particularly high concentration of Android users across Asia,” he said, “which may increase the risk in that region.”

Translation: the wider this scam goes, the more likely it hits places where Android dominates, especially where sideloading apps is common practice.

And while Android’s flexibility is part of its charm, it’s also what opens the door for scams like SuperCard X. As Barr explains:

“In contrast, iOS devices implement tighter restrictions, particularly around NFC access. While some consider that a limitation, from a security standpoint, it's a valuable control.”

The malware may be sophisticated, but the red flags are still old-school. As Barr puts it: “Android users should become more familiar with social engineering red flags – sometimes it's as simple as validating the legitimacy of a request before acting on it.”


If a random stranger tells you to “install this security app” and “disable your card limit,” just remember: real security doesn’t ask you to disarm yourself first.

“No legitimate company should ever ask you to lower or remove the security settings on your device,” he concludes.

Google's response

In response to growing concerns about the SuperCard X malware campaign, a Google spokesperson emphasized that “based on current detection, no apps containing this malware are found on Google Play.”

They reassured users that Android devices are equipped with multiple layers of protection, notably Google Play Protect, which is “on by default on Android devices with Google Play Services.”

The spokesperson added that “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Article updated on April 23rd with Google's comment.