
Hackers are now stealing your credit card data through your smartphone without needing your PIN or even physical access to your card, using a dangerous new malware called SuperCard X that bypasses Android security protections.
Key Takeaways
- SuperCard X is an undetectable malware targeting Android devices, allowing hackers to steal credit card data through NFC relay attacks when users tap their cards against infected phones
- The malware is distributed through fake bank messages via WhatsApp or SMS, tricking victims into installing a malicious app named “Reader”
- Once installed, the malware reads the card's NFC data, so the attackers need neither physical access to the card nor knowledge of the PIN to make unauthorized payments and ATM withdrawals
- Security experts link SuperCard X to Chinese-speaking cybercriminals, with active campaigns currently targeting Italian users
- To protect yourself, avoid suspicious texts/calls, only install apps from trusted sources, disable NFC when not needed, and monitor financial statements regularly
A New Breed of Digital Theft
SuperCard X represents a concerning evolution in mobile malware, operating as a malware-as-a-service (MaaS) platform specifically targeting Android devices. Unlike traditional phishing scams that steal login credentials, this sophisticated malware exploits Near Field Communication (NFC) technology to intercept contactless payment data. What makes this attack vector particularly dangerous is that the attackers need neither physical access to the victim’s credit card nor knowledge of their PIN, creating a seamless theft operation that victims rarely detect until fraudulent charges appear on their statements.
“SuperCard X is a newly identified malware-as-a-service (MaaS) platform that targets Android handsets using an advanced NFC relay technique,” said Cleafy.
The attack starts when victims receive seemingly legitimate bank-related text messages or WhatsApp communications warning of suspicious transactions. These messages pressure targets into installing what they believe is a security application to verify their identity or protect their accounts. Instead, they unknowingly download the malicious “Reader” app containing the SuperCard X malware. Once installed, the malware waits patiently for the victim to use their phone’s NFC capabilities with their credit card, instantly capturing and transmitting the card data to cybercriminals.
⚠️ Hold your phone near your card… and they drain your bank account.
A new Android malware-as-a-service, SuperCard X, is targeting Italians with NFC relay attacks—letting cybercriminals remotely steal card data and pull off ATM & PoS fraud.
👉 Learn how it works:… pic.twitter.com/0vA9Tw1yRm
— The Hacker News (@TheHackersNews) April 21, 2025
Technical Sophistication and Stealth
What makes SuperCard X particularly concerning to security experts is its technical sophistication and ability to evade detection. The malware uses mutual TLS (mTLS), in which client and server each authenticate with a certificate, when communicating with its command-and-control infrastructure, making network traffic analysis difficult. It also requests minimal permissions during installation, raising fewer red flags for users who might otherwise question suspicious permission requests. The attackers have created a two-part system where stolen card data is transmitted to a separate “Tapper” app on another Android device, allowing criminals to conduct transactions by simulating the victim’s card.
“According to Cleafy, SuperCard X is presently undetectable by malware scanners on VirusTotal,” said Cleafy.
Italian cybersecurity firm Cleafy first identified SuperCard X and has linked it to Chinese-speaking cybercriminals. The malware shares code similarities with previous NFC exploitation tools like NFCGate and NGate, suggesting ongoing refinement of these attack techniques. Currently, the most active campaigns target Italian users, but security researchers warn this is likely just the beginning of a wider deployment. The malware’s scalability through its MaaS model means cybercriminals worldwide can easily purchase and deploy it against targets in any country.
Protecting Yourself from NFC Exploitation
As these attacks increase in sophistication, Americans must take proactive steps to protect their financial information. First and foremost, never install applications from links sent via text messages or WhatsApp, regardless of how urgent or official they appear. Only download apps from the official Google Play Store, which provides at least some level of malware screening. Additionally, disable your phone’s NFC capabilities when not actively making a payment to prevent background exploitation of the technology. Set up transaction alerts with your bank for immediate notification of any charges.
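The install-source advice above and the malware's minimal-permission design can be turned into a device-inventory check. The following is an added example, not code from the original article or from Cleafy; the inventory records, field names and package names are constructed, and it goes slightly beyond the text by also flagging card-emulation capability, which is what a “Tapper”-style app needs.

```python
# Added example: flag sideloaded Android apps that can talk to payment cards.
# Inventory records, field names and package names are constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}          # Google Play Store
NFC_READ = "android.permission.NFC"                   # app may exchange data with a tapped card
NFC_EMULATE = "android.permission.BIND_NFC_SERVICE"   # guards card-emulation (HCE) services
INTERNET = "android.permission.INTERNET"

SAMPLE_INVENTORY = [
    {"package": "com.example.bank", "installer": "com.android.vending",
     "permissions": [NFC_READ, INTERNET], "service_permissions": [NFC_EMULATE]},
    {"package": "com.example.reader", "installer": None,
     "permissions": [NFC_READ, INTERNET], "service_permissions": []},
    {"package": "com.example.tapper", "installer": "com.google.android.packageinstaller",
     "permissions": [NFC_READ, INTERNET], "service_permissions": [NFC_EMULATE]},
    {"package": "com.example.flashlight", "installer": None,
     "permissions": ["android.permission.CAMERA"], "service_permissions": []},
]


def triage(app):
    """Return the reasons an app needs review; an empty list means no finding."""
    perms = set(app.get("permissions", []))
    roles = []
    if NFC_READ in perms:
        roles.append("can read a tapped card")
    if NFC_EMULATE in app.get("service_permissions", []):
        roles.append("can emulate a card")
    installer = app.get("installer")
    # A short permission list is not reassuring here: NFC plus network access
    # is all a relay needs, so the install source carries the signal.
    if not roles or installer in TRUSTED_INSTALLERS:
        return []
    reasons = ["NFC-capable: " + ", ".join(roles),
               "not installed by a trusted store (installer=%s)" % (installer or "unknown")]
    if INTERNET in perms:
        reasons.append("has network access, so card data can leave the device")
    return reasons


def audit(inventory):
    """Map package name -> reasons for every app that triage() flags."""
    findings = {app["package"]: triage(app) for app in inventory}
    return {pkg: why for pkg, why in findings.items() if why}


if __name__ == "__main__":
    for pkg, why in audit(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```
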
Google is reportedly developing enhanced Android security features to block app installations from unknown sources during active calls and restrict accessibility settings access, which could help prevent some social engineering tactics. However, these protections aren’t yet available on most devices. Regular monitoring of bank statements remains essential, as unauthorized transactions are often the first sign of compromise. Americans should also report any suspicious activity to their financial institutions immediately and consider freezing their credit cards if they suspect their information has been compromised.
The Biden administration’s weak stance on cybersecurity and failure to hold China accountable for harboring cybercriminals has created an environment where Americans’ financial security is increasingly at risk. As digital payment methods continue growing in popularity, consumers must remain vigilant against these evolving threats while demanding stronger action against foreign entities enabling cybercrime against American citizens.