Research by the cybersecurity firm Cleafy has identified a new and dangerous malware family called SuperCard X. It is a MaaS (malware as a service) offering aimed at Android devices that, through NFC relay attacks, captures payment card data which can later be used to make purchases at point-of-sale terminals and withdraw cash from ATMs.
The NFC module is a chip in mobile devices that enables short-range wireless communication and, among other uses, makes contactless payments possible. In a relay attack, the communication between a card and a reader is intercepted and forwarded in real time to a second device, so an attacker can transact with the card's data without ever holding the card.
SuperCard X is linked to Chinese-speaking threat actors and shares similarities with NGate, another known malware family used in attacks in Europe since last year. Cleafy has detected SuperCard X attacks in Italy. The platform is promoted through Telegram channels, where direct support is also offered to 'clients'.
Cleafy has observed multiple variants of the malware in its research, which indicates that those who rent SuperCard X can ask the operators of this malware service for customised builds adapted to regional or specific needs.
How the SuperCard X attack works
The attack begins with a fake SMS or WhatsApp message that impersonates a bank and asks the recipient to call a number to resolve a supposedly suspicious transaction.
If the victim falls for the deception and calls, a scammer posing as a bank telephone operator uses social engineering to obtain the card number and PIN, and convinces the victim to remove spending limits through the bank's own app.
The victim is then persuaded to install a malicious application called Reader, presented as a security or verification tool, which contains the SuperCard X malware.
The Reader app requests minimal permissions, mainly access to the NFC module, which are enough to capture card data. On Android the NFC permission is granted at install time without a runtime prompt, so the victim sees no warning. The scammer instructs the victim to hold the payment card against the phone, which lets the malware read the chip's data and send it to the attackers.
The data is received on an Android device running a second application called Tapper, which emulates the victim's card using the stolen information. These 'emulated' cards allow contactless payments in shops and cash withdrawals at ATMs, although within transaction amount limits. Because the transactions are small and immediate, they are harder for banks to detect and reverse.
Malware undetected by the main antivirus engines
Cleafy notes that SuperCard X is currently not detected by any antivirus engine on VirusTotal, a service that scans submitted files with around 60 different antivirus engines. In addition, because it does not request permissions classed as dangerous and does not use aggressive techniques such as screen overlays, it evades heuristic scanning.
Card emulation is based on the ATR (Answer To Reset), the byte sequence with which a chip card identifies itself to the reading device when communication is established; by presenting a matching ATR, the emulated card is accepted by payment terminals as legitimate. Strictly speaking, a contactless card answers with an ATS (Answer To Select) under ISO/IEC 14443-4, and PC/SC readers wrap that into a pseudo-ATR, which is what most tooling displays.
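The ATR described above, as an added example that is not from the page, from Cleafy's analysis or from the SuperCard X code: a small stdlib-only Python parser for ISO/IEC 7816-3 ATRs that separates the interface bytes, the announced protocols and the historical bytes, and verifies the TCK check byte. The sample ATRs are constructed for illustration; the `looks_like_pcsc_contactless` heuristic is an assumption based on the PC/SC Part 3 pseudo-ATR layout (3B 8n 80 01 ... TCK).

```python
"""Minimal ISO/IEC 7816-3 ATR parser (added example, not SuperCard X code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ATR:
    convention: str                  # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    interface_bytes: Dict[str, int]  # e.g. {"TD1": 0x80, "TD2": 0x01}
    protocols: List[int]             # T values announced by TDi (T=0 by default)
    historical_bytes: bytes
    tck: Optional[int]               # None when T=0 is the only protocol
    tck_ok: Optional[bool]           # None when TCK is absent


def parse_atr(raw: bytes) -> ATR:
    """Parse an ATR byte string; raise ValueError on malformed input."""
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    conventions = {0x3B: "direct", 0x3F: "inverse"}
    if raw[0] not in conventions:
        raise ValueError(f"bad TS byte 0x{raw[0]:02X}")
    t0 = raw[1]
    k = t0 & 0x0F          # low nibble of T0: number of historical bytes
    y = t0 >> 4            # high nibble: presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    interface: Dict[str, int] = {}
    protocols: List[int] = []
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError(f"truncated before {name}{i}")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break          # no TDi means no further interface bytes
        protocols.append(td & 0x0F)   # low nibble of TDi: protocol type T
        y = td >> 4                   # high nibble: presence of TA/TB/TC/TD(i+1)
        i += 1
    if not protocols:
        protocols = [0]               # no TD1: T=0 is implied
    hist = raw[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    tck = tck_ok = None
    # TCK is absent only when T=0 is the sole protocol offered
    if any(t != 0 for t in protocols):
        if pos >= len(raw):
            raise ValueError("missing TCK")
        tck = raw[pos]
        pos += 1
        x = 0
        for b in raw[1:pos]:          # T0 .. TCK inclusive must XOR to zero
            x ^= b
        tck_ok = (x == 0)
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing byte(s) after ATR")
    return ATR(conventions[raw[0]], interface, protocols, hist, tck, tck_ok)


def looks_like_pcsc_contactless(atr: ATR) -> bool:
    """Assumption (PC/SC Part 3): a reader presents a contactless card's ATS as a
    pseudo-ATR 3B 8n 80 01 <historical bytes> TCK, i.e. only TD1=0x80, TD2=0x01."""
    return (atr.convention == "direct"
            and set(atr.interface_bytes) == {"TD1", "TD2"}
            and atr.interface_bytes["TD1"] == 0x80
            and atr.interface_bytes["TD2"] == 0x01)


# Constructed samples for this example (hex, whitespace-separated).
PSEUDO_ATR_CONTACTLESS = bytes.fromhex(
    "3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")
CONTACT_T0_ONLY = bytes.fromhex("3B 02 14 50")        # T=0 only, hence no TCK
TAMPERED = bytearray(PSEUDO_ATR_CONTACTLESS)
TAMPERED[14] ^= 0x03                                  # flip one historical byte
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for label, sample in (("contactless pseudo-ATR", PSEUDO_ATR_CONTACTLESS),
                          ("contact T=0 card", CONTACT_T0_ONLY),
                          ("tampered", TAMPERED)):
        a = parse_atr(sample)
        print(f"{label}: T={a.protocols} hist={a.historical_bytes.hex()} "
              f"tck_ok={a.tck_ok} pcsc_contactless={looks_like_pcsc_contactless(a)}")
```

An ATR carries no secret: anyone who has seen one can replay it byte for byte, which is why presenting a matching ATR is enough to make a terminal start a session with an emulated card. The TCK check only catches transmission errors, not forgery, so it is of no use as an authenticity check.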
Another relevant technical aspect of SuperCard X is its use of mutual TLS (mTLS), in which both client and server authenticate each other with certificates. Because the server only accepts connections from clients presenting a valid certificate, investigators and law enforcement cannot simply replay or probe the command-and-control (C2) traffic without the client's key material, and an interception proxy without the server's key is rejected by the client, which shields C2 communications from interception and analysis.