Full Report
A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication (NFC) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to
Analysis Summary
# Tool/Technique: SuperCard X
## Overview
SuperCard X is a novel Android Malware-as-a-Service (MaaS) platform designed to facilitate Near-Field Communication (NFC) relay attacks for fraudulent cashouts, primarily targeting customers of banking institutions and card issuers in Italy. It combines social engineering, malicious app installation, and NFC data interception.
## Technical Details
- Type: Malware/MaaS Platform
- Platform: Android
- Capabilities: NFC data interception and relay, fraudulent PoS/ATM transaction authorization, C2 communication via HTTP/mTLS.
- First Seen: April 2025 (based on article date)
## MITRE ATT&CK Mapping
This operation leverages multiple techniques, primarily focusing on mobile compromise and interaction with physical infrastructure.
- **TA0001 - Initial Access**
  - T14AB6 - Malicious Application
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1564.003 - Hide Artifacts: Hidden Files and Directories (implied by stealthy operation)
- **TA0008 - Lateral Movement** (the NFC relay moves captured card data to an attacker-controlled device)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP for Reader/Tapper communication)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Infection Vector:** Propagation via social engineering (smishing/WhatsApp) leading to the installation of bogus apps (`Verifica Carta`, `SuperCard X`, `KingCard NFC`).
- **TOAD (Telephone-Oriented Attack Delivery):** Threat actors use phone calls to socially engineer victims into installing the app under the pretense of security software.
- **Credential Harvesting:** Actors persuade victims over the phone to provide or alter sensitive information, including PINs and increasing card limits.
- **NFC Data Capture (Reader):** The victim's installed malware acts as a "Reader" to stealthily capture NFC communications when the physical payment card is brought near the infected device.
### Advanced Features
- **NFC Relay Implementation:** The core feature, enabling the redirection of captured card data to the attacker's device ("Tapper").
- **Tapper Emulation:** The attacker's device ("Tapper") uses the stolen data to emulate the victim's card, successfully authorizing PoS payments and ATM withdrawals.
- **Secure C2 Communication:** Utilizes mutual TLS (mTLS) to secure communication between the malware components and the C2 infrastructure.
- **Affiliate Customization:** "Reader" malware artifacts show subtle differences in login screens, suggesting custom builds generated for affiliate actors.
- **Client Authentication:** Requires a login mechanism established via the SuperCard X platform to link the victim's infected device to the attacker's Tapper instance.
## Indicators of Compromise
- File Hashes: *Not specified in the context.*
- File Names:
  - `Verifica Carta` (Package ID: `io.dxpay.remotenfc.supercard11`)
  - `SuperCard X` (Package ID: `io.dxpay.remotenfc.supercard`)
  - `KingCard NFC` (Package ID: `io.dxpay.remotenfc.supercard`)
- Registry Keys: *Not specified in the context.*
- Network Indicators:
  - C2 communication occurs over HTTP between Reader and Tapper.
  - mTLS is used for secure C2 communication (specific servers/domains are not provided).
- Behavioral Indicators:
  - Requests for high-level permissions, possibly Accessibility Services (implied by TOAD tactics).
  - App behavior related to intercepting low-level NFC communication protocols.
  - Communication between the infected app and an external C2 infrastructure using mTLS.
## Associated Threat Actors
- Chinese-speaking threat actor (developer/operator of the MaaS platform).
- Various affiliate actors utilizing the platform for localized campaigns (e.g., targeting Italy).
## Detection Methods
- Signature-based detection: lookups against the known package IDs and app names listed above.
- Behavioral detection: Monitoring for applications that interact with the Android NFC stack, or that use mTLS for C2 connections where that is not expected. On the social-engineering side, watch for suspicious phone calls in which the caller guides the victim to install "security software" or alter banking settings (TOAD).
- YARA rules: *Not specified in the context.*
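As an added example (not tooling from Cleafy or from the original article), the signature and behavioral checks above can be turned into a small triage script run over an Android package inventory collected with `adb`. It matches installed packages against the two package IDs listed in the Indicators of Compromise section, and separately flags NFC-capable apps that were installed outside a trusted store, which is the "interacts with the NFC stack" behavioral indicator combined with the unknown-sources mitigation. The `pm list packages -i` and `dumpsys package` output formats are assumed from common Android builds; the sample listings embedded in the script are constructed, and every package name other than the IoC is made up.

```python
"""Triage an Android package inventory for SuperCard X indicators.

Added example, not the article's or Cleafy's own code. Input formats assumed:
  adb shell pm list packages -3 -i      -> "package:<pkg>  installer=<pkg|null>"
  adb shell dumpsys package <pkg>       -> contains a "requested permissions:" block
"""
import re
from dataclasses import dataclass

# Package IDs taken from the Indicators of Compromise section above.
KNOWN_BAD_PACKAGES = {
    "io.dxpay.remotenfc.supercard11": "Verifica Carta",
    "io.dxpay.remotenfc.supercard": "SuperCard X / KingCard NFC",
}

# Installer identities treated as trusted stores; "null" (unknown) and
# anything else counts as a sideload.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `pm list packages -3 -i` output (third-party apps only).
SAMPLE_PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:io.dxpay.remotenfc.supercard11  installer=null
package:com.example.notes  installer=null
package:com.example.transit  installer=null
"""

# Constructed `dumpsys package <pkg>` fragments, trimmed to the permissions block.
SAMPLE_DUMPSYS = {
    "com.example.bank": "    requested permissions:\n"
                        "      android.permission.INTERNET\n"
                        "      android.permission.NFC\n"
                        "    install permissions:\n",
    "io.dxpay.remotenfc.supercard11": "    requested permissions:\n"
                        "      android.permission.INTERNET\n"
                        "      android.permission.NFC\n",
    "com.example.notes": "    requested permissions:\n"
                        "      android.permission.INTERNET\n",
    "com.example.transit": "    requested permissions:\n"
                        "      android.permission.NFC\n",
}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Return {package_id: installer} parsed from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def requested_permissions(dumpsys_text):
    """Collect permission names listed under 'requested permissions:'."""
    perms = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):
                break  # reached the next dumpsys section
            perms.add(stripped.split(":")[0])  # drop ": restricted=..." suffixes
    return perms


@dataclass
class Finding:
    package: str
    severity: str  # "high" = IoC match, "medium" = sideloaded NFC-capable app
    reason: str


def triage(pm_list_text, dumpsys_by_pkg):
    """Apply both checks and return findings ordered by package name."""
    findings = []
    for pkg, installer in sorted(parse_pm_list(pm_list_text).items()):
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(Finding(pkg, "high",
                f"matches SuperCard X IoC ({KNOWN_BAD_PACKAGES[pkg]})"))
            continue
        perms = requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        if "android.permission.NFC" in perms and installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, "medium",
                f"NFC-capable app installed outside a trusted store (installer={installer})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

On the constructed sample this reports the IoC package as high and the sideloaded `com.example.transit` as medium, while the store-installed banking app with the same NFC permission is left alone. The medium tier is deliberately a review queue rather than a verdict: legitimate transit or payment apps request NFC too, so the installer origin is what separates them from a TOAD-delivered sideload.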
## Mitigation Strategies
- **User Education:** Scrutinize app descriptions, permissions, and reviews meticulously before downloading any app, especially those linked from unsolicited SMS or WhatsApp messages.
- **Security Software:** Keep Google Play Protect enabled.
- **System Hardening:** Organizations should plan around platform-level mitigations expected from Google, such as features that block installation from unknown sources or restrict Accessibility Service grants to apps that genuinely need them.
- **Contactless Security:** Be aware of potential NFC relay risks, although relaying requires the victim to physically bring the card close to the compromised phone during the attack phase.
## Related Tools/Techniques
- **NFC Relay Attacks:** Similar methodologies used by other mobile malware aiming to bypass proximity requirements for card transactions.
- **TOAD (Telephone-Oriented Attack Delivery):** Common in high-impact mobile banking malware campaigns (e.g., associated with FluBot or similar overlay/remote access trojans).
- **MaaS Platforms:** General trend where sophisticated fraud infrastructure is rented out to affiliates.