Security firm Cleafy Threat Intelligence has discovered a new malware campaign aimed at stealing money from Android users. Dubbed SuperCard X, it uses sophisticated technology to allow attackers to make payments and withdraw cash from ATMs by intercepting and relaying NFC data from compromised devices.
Image source: Bleeping Computer
The SuperCard X campaign relies on social engineering to distribute the malware: the attackers trick victims into installing it and then “connect” their own payment cards to the infected devices. The operators offer the toolkit as “malware-as-a-service” (MaaS) and promote it through Telegram channels.
The report says that the malware code distributed as part of the SuperCard X campaign has significant similarities with the code of the NGate virus discovered last year by ESET. It notes that the new campaign, allegedly organized by Chinese hackers, creates significant financial risks that go beyond the usual targets of such attacks, directly affecting bank card issuers and platforms that support transactions.
The combination of malware with relaying of data transmitted via NFC allows attackers to carry out transactions, including cash withdrawals, with the victims’ debit and credit cards. The technique has proven highly effective, especially for contactless cash withdrawals at ATMs. The researchers identified several attacks of this type in Europe. They also found several distinct malware samples, which indicates that the attackers adapt the malware to regional and other characteristics of the area in which it is to be used.
Image source: Cleafy
The attack begins with the victim receiving an SMS or WhatsApp message purporting to come from their bank. The message states that they need to call a specified number to resolve a problem caused by a suspicious transaction. The call is answered by an attacker posing as a representative of the bank’s customer service who, using social engineering techniques, pressures the victim into “confirming” their card number and PIN code.
The victim is then convinced to remove spending restrictions via the banking app. The attacker then persuades them to install a malicious app disguised as a payment security tool that contains the SuperCard X malware. Once installed, the app requests minimal permissions — mainly access to the NFC module, which is enough to steal data.
The fraudster then asks the victim to hold the card against the smartphone for verification. This lets the malware read the data from the card’s chip and send it to the attackers. With this data, the attackers run an application on their own Android device that emulates the victim’s card and use it to steal funds. The emulated card can be used both for contactless payments in stores and for cash withdrawals at ATMs. Because such transactions are usually for small amounts, banks do not consider them suspicious and do not block them.
The report emphasizes that, at the time of writing, the SuperCard X malware is not detected by any antivirus engine on VirusTotal. Since it requests few permissions on the victim’s device and has no overtly suspicious features such as screen overlays, it avoids drawing the attention of antivirus software. The emulation of the victim’s card also appears legitimate to payment services, which points to a high level of skill on the attackers’ part, including a deep understanding of how smart card protocols work.