A newly discovered Android malware-as-a-service (MaaS) platform, SuperCard X, is facilitating near-field communication (NFC) relay attacks. This development allows cybercriminals to execute fraudulent transactions at ATMs and point-of-sale (PoS) terminals.

Targeted Campaigns in Italy

The ongoing campaign primarily targets customers of banking institutions and card issuers in Italy. The goal is to compromise payment card data, according to an analysis by a fraud prevention firm. The service is reportedly being promoted on Telegram channels.

Multi-Stage Attack Strategy

SuperCard X employs a multi-layered approach involving social engineering tactics such as smishing and phone calls, alongside malicious app installations and NFC data interception. This combination makes the fraud highly effective.

  • Social Engineering: Victims are tricked into installing malicious apps through deceptive messages.
  • NFC Data Interception: The malware captures and relays NFC communications for unauthorized transactions.

Propagation via Fake Apps

The malware is distributed through three fraudulent apps: Verifica Carta, SuperCard X, and KingCard NFC. These apps are installed on victims' devices using social engineering techniques, such as fake SMS or WhatsApp messages that impersonate bank alerts.

Telephone-Oriented Attack Delivery (TOAD)

Threat actors use TOAD tactics to manipulate victims into installing the malware, which is presented to them as security software. They also extract victims' PINs and instruct them to remove card limits, making it easier to withdraw funds.

NFC Relay Technique

The core of this operation is an NFC relay technique that allows attackers to authorize PoS payments and ATM withdrawals fraudulently. Victims are asked to place their card near their mobile device, enabling the malware to capture and relay card details to an external server.

Reader and Tapper Apps

The malware uses a "Reader" app on victims' devices to capture NFC card data. A "Tapper" app on the threat actor's device receives this data, enabling unauthorized transactions. Communication between these apps uses HTTP for command-and-control (C2) operations, requiring attackers to log in.

Security Measures and Recommendations

Google is reportedly developing a new Android feature to prevent app installations from unknown sources and restrict access to accessibility services. Users are advised to review app descriptions, permissions, and reviews carefully before downloading. Keeping Google Play Protect enabled is also recommended to safeguard against emerging threats.