Terrifying Android Hack Drains Accounts in Seconds

Chinese cybercriminals are now stealing your credit card information without ever touching your wallet, using a sophisticated NFC malware called SuperCard X that turns Android phones into remote theft devices.

Key Takeaways

  • SuperCard X is an undetectable Android malware that exploits NFC technology to steal credit card data remotely without physical access to cards or knowledge of PINs
  • Attackers distribute the malware through fake bank messages via WhatsApp and SMS, tricking victims into installing a malicious “Reader” app
  • The malware has been linked to Chinese-speaking cybercriminals and has already been used in targeted attacks in Italy
  • Users can protect themselves by being cautious of suspicious texts, avoiding untrusted app installations, turning off NFC when not in use, and regularly monitoring bank accounts

The Digital Pickpocket You Never See Coming

A new breed of financial predator is targeting Android users through their phones’ NFC capabilities. SuperCard X, discovered by Italian security firm Cleafy, operates as a malware-as-a-service platform that allows criminals to intercept credit card data without physical access to the card. Unlike traditional card skimmers or data breaches, this malware exploits the convenience of tap-to-pay technology to steal your financial information right through your phone. The attack begins with victims receiving what appears to be a legitimate message from their bank about suspicious transactions.

“SuperCard X is a newly identified malware-as-a-service (MaaS) platform that targets Android handsets using an advanced NFC relay technique,” said Cleafy.

The sophistication of SuperCard X should alarm anyone with an Android device. The malware doesn’t rely on the typical methods of credential theft or screen overlays that users might recognize as suspicious. Instead, it patiently waits for users to tap their physical credit cards against their phones, at which point it captures the card data and transmits it to attackers. What makes this attack particularly dangerous is its ability to fly under the radar – it doesn’t request suspicious permissions that might trigger security warnings.

The Social Engineering Behind the Attack

The infection process begins with a carefully crafted deception. Victims receive a message supposedly from their bank, either through WhatsApp or SMS, warning about suspicious activity on their account. The message urges them to install what appears to be a security app called “Reader” to verify their identity and protect their account. Once installed, this malicious app contains the SuperCard X malware, which waits silently for the opportunity to steal card information when users tap their cards against their phones.

This combination of social engineering and technical exploitation makes SuperCard X particularly effective. By playing on fears about financial security, attackers create a sense of urgency that bypasses normal caution. The communication appears legitimate, often mimicking the formatting and language of real bank communications. When users tap their cards against their phones as instructed, thinking they’re verifying their identity, they’re actually transmitting their card data directly to criminals who can immediately use it for fraudulent transactions.

Chinese Origins and Sophisticated Infrastructure

Security researchers have traced SuperCard X to Chinese-speaking cybercriminals. The malware shares code similarities with previously identified threats NFCGate and NGate, suggesting an evolution of attack methods by the same group. This isn’t just an isolated scam but part of a sophisticated criminal enterprise operating on a malware-as-a-service model, which makes the attack widely available to other criminals who can customize the malware for their specific targets.

“According to Cleafy, SuperCard X is presently undetectable by malware scanners on VirusTotal,” said Cleafy.

The technical architecture of SuperCard X demonstrates significant expertise. The malware uses mutual TLS (mTLS) encryption to secure communications with its command-and-control infrastructure, making it difficult for security researchers to intercept and analyze its traffic. Different variants of the Reader malware have been identified, indicating customized versions for specific campaigns. While currently focused on targets in Italy, the scalable nature of this malware-as-a-service model means it can rapidly expand to other regions, including the United States.

Protecting Your Financial Security

In the face of this sophisticated threat, Android users need to take proactive steps to protect their financial information. First and foremost, be highly suspicious of any unexpected communication from banks, especially those urging immediate action or app installations. Legitimate banks rarely ask customers to install new apps through text messages or WhatsApp. When in doubt, contact your bank directly through official channels you’ve previously verified. Never install apps from unknown sources or directly from links in messages.

Disable NFC functionality on your phone when you’re not actively using it for legitimate payments. This simple step switches off the card-reading interface itself, which prevents the malware from accessing card data even if it somehow gets installed on your device. Regular monitoring of bank statements and credit card transactions is essential for catching unauthorized activities early. Consider setting up automatic alerts for all transactions, which can provide immediate notification if your card is used fraudulently.
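The two precautions above (no apps from outside an official store, NFC only when needed) can be audited on a device. The following is an added example, not part of the original article or of Cleafy's report: it reads the output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <name>` and flags apps that were not installed by Google Play yet declare android.permission.NFC, which an app must declare to use the NFC reader. The package names and sample output are constructed, and the trusted-installer list is an assumption to adjust.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend as needed (assumption)
NFC_PERMISSION = "android.permission.NFC"     # required to use the NFC reader

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i -3` output."""
    pattern = re.compile(r"package:(\S+)\s+installer=(\S+)")
    return dict(m.groups() for m in map(pattern.search, pm_output.splitlines()) if m)

def requested_permissions(dumpsys_output):
    """Names listed under 'requested permissions:' in `dumpsys package <pkg>`."""
    perms, in_block = set(), False
    for line in dumpsys_output.splitlines():
        name = line.strip().split(":", 1)[0]
        if line.strip() == "requested permissions:":
            in_block = True
        elif in_block and re.fullmatch(r"\w+(\.\w+)+", name):
            perms.add(name)
        else:
            in_block = False  # the next section header ends the block
    return perms

def flag_sideloaded_nfc_apps(pm_output, dumpsys_by_package):
    """Return (package, installer) pairs that hold NFC but did not come from a trusted store."""
    flagged = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        perms = requested_permissions(dumpsys_by_package.get(pkg, ""))
        if installer not in TRUSTED_INSTALLERS and NFC_PERMISSION in perms:
            flagged.append((pkg, installer))
    return flagged

# Constructed sample output; the package names are hypothetical.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.reader  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
SAMPLE_DUMPSYS = {
    "com.example.bank": "    requested permissions:\n      android.permission.INTERNET\n"
                        "      android.permission.NFC\n    install permissions:\n",
    "com.example.reader": "    requested permissions:\n      android.permission.NFC\n"
                          "      android.permission.INTERNET\n    install permissions:\n"
                          "      android.permission.NFC: granted=true\n",
    "com.example.notes": "    requested permissions:\n      android.permission.INTERNET\n",
}

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_nfc_apps(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"review: {pkg} (installer={installer}) requests {NFC_PERMISSION}")
```

A flagged entry is a prompt for review rather than a verdict, since legitimate sideloaded apps can also use NFC.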

President Trump’s administration has previously highlighted the importance of cybersecurity awareness in protecting American consumers from foreign threats. As this Chinese-linked malware demonstrates, our financial security increasingly depends on our digital vigilance. By staying informed about these emerging threats and implementing basic security practices, we can deny these foreign criminals access to our hard-earned money while protecting our financial independence.