Full Report
Malware detected previously in Italy has popped up in Russia, researchers said. Attackers use it to access devices near field communications (NFC) and steal payment card data.
Analysis Summary
# Tool/Technique: SuperCard
## Overview
SuperCard is a malicious variant of the legitimate Near Field Communication (NFC) relay program, NFCGate. It is designed to steal data from victims' NFC-enabled payment cards (Visa, Mastercard, American Express, UnionPay, JCB) by relaying data from compromised Android smartphones to attacker-controlled devices, enabling fraudulent ATM transactions or direct fund transfers. A key differentiator is its commercial distribution model as Malware-as-a-Service (MaaS).
## Technical Details
- Type: Malware (Data Stealer/Relay)
- Platform: Android
- Capabilities: NFC data relay, payment system identification, fraudulent transaction execution. In previous variants, it was used to carry out ATM transactions or transfer funds directly from bank accounts.
- First Seen: Spotted in Italy in April, deployed against Russian users in May (implied 2025 based on losses calculation).
## MITRE ATT&CK Mapping
This summary focuses on the observed capabilities related to data exfiltration and financial fraud:
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel** (Implied if relayed data is sent back to C2)
- **TA0006 - Credential Access**
- **T1553 - Steal Application Access Token** (If payment session tokens are captured)
- **TA0001 - Initial Access**
- **T1213 - Drive-by Compromise** (If downloaded after being tricked via social engineering)
*(Note: Specific sub-techniques for NFC data capture are often mapped manually as direct NFC relay techniques are emerging.)*
## Functionality
### Core Capabilities
- Identifying the victim's payment system (Visa, Mastercard, Amex, UnionPay, JCB).
- Relaying NFC data between the victim's device and attacker-controlled hardware.
- Executing fraudulent activities, including ATM withdrawals or direct bank transfers using stolen card data.
### Advanced Features
- **Commercial Distribution (MaaS):** Sold via subscription plans on channels like Telegram, including Chinese-language ones.
- **Customer Support:** Offered with ongoing support, which is unique compared to previous NFCGate variants.
- **Target Scope:** Advertised as capable of targeting major banks in the U.S., Australia, and Europe.
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: [Not specified in the article; distributed disguised as a legitimate app]
- Registry Keys: [Not specified in the article]
- Network Indicators: [Not specified in the article; activity confirmed via bank losses and infections]
- Behavioral Indicators: Unauthorized activity related to NFC data transmission, identification of payment infrastructure usage, and subsequent unauthorized financial transactions.
## Associated Threat Actors
- Chinese-speaking actors (reported by Cleafy for distribution).
- Unspecified actors conducting data-stealing attacks in Russia (first domestic reports by F6).
## Detection Methods
- Signature-based detection: [Not specified, but signature creation would target the specific SuperCard binary/package identifiers.]
- Behavioral detection: Monitoring for unusual or unauthorized NFC data relay activities or applications requesting excessive NFC permissions outside standard usage.
- YARA rules if available: [Not specified in the article]
## Mitigation Strategies
- Educating users on social engineering tactics used to trick them into downloading malware disguised as legitimate apps.
- Strict prerequisite checks for applications requesting NFC access, especially those masquerading as utility or payment tools.
- Monitoring and restricting outbound network activity associated with compromised devices that aligns with data relay or exfiltration associated with banking activity.
## Related Tools/Techniques
- **NFCGate:** The legitimate program that SuperCard is based upon.
- **Previous NFCGate variants:** Used regionally prior to the emergence of SuperCard, notably observed in Russia starting January (prior to Q1 2025 losses described).