Particularly dangerous Android malware appears that can steal bank card information

Imagine you receive a text message that appears to be from your bank, alerting you to a “suspicious transaction” and asking you to call the helpline immediately. Out of caution, you do so. A calm, convincing voice on the other end of the line says, “Don’t worry, we’ll walk you through it step by step.”

Within minutes, you’ve unwittingly fallen into the cybercriminal’s trap of installing malware, providing your PIN, removing transaction limits, and, on demand, allowing your account data to be wiped clean. All under seemingly reasonable trust.

That is SuperCard X – a new generation malware variant, warned by experts from security company Cleafy (Italy) as “almost invisible, extremely sophisticated and effective”.

This malware is part of the “malware-as-a-service” (MaaS) model, developed by Chinese-speaking hacker groups.

SuperCard X exploits Android devices and uses NFC relay attack techniques to perform theft, steal card information and even withdraw money without you even knowing what's happening.

How does SuperCard X malware work?

What makes SuperCard X particularly dangerous is its highly sophisticated multi-layered attack capabilities. It all starts with a fake text message, possibly an SMS, that says your bank account has been compromised.

Next comes the stage where the scammer calls you directly, using a polite and trustworthy voice to guide you. Once enough trust has been built, they begin the manipulation, asking you to provide your PIN, remove the spending limit on your card, and install a malicious app disguised as “enhanced security.”

The final blow is a seemingly harmless but deadly trick: they ask you to tap your bank card on your phone “just to verify”. But in reality, the malicious app will quietly read the data via NFC, then transmit it to a card-cloning device controlled by the attacker. With the clone in hand, they can easily withdraw money contactlessly at ATMs, leaving almost no trace.

This scam campaign has been recorded with victims in several countries such as Italy, the US, etc. related to cybercrime rings linked to China.

Previously, experts from Slovakia-based cybersecurity company ESET also discovered Android malware exploiting NFC technology to attack users of three major banks in the Czech Republic.

The human factor is key in the fight against malware

What makes SuperCard X so dangerous isn't just the sophisticated malware, but the human element.

According to Randolph Barr, Chief Information Security Officer at US security company Cequence, most attacks today are still clearly geographical, with signs that they are targeting a specific area.

“If this threat is widespread, it is largely due to users being manipulated by social engineering attacks, being convinced to turn off built-in protection mechanisms, that is a worrying warning sign,” he stressed.

Another potential risk comes from the platform itself. Barr said that the percentage of Android users is particularly high in Asia, which could make the region more vulnerable to attacks. That’s because in places where sideloading apps is common, the security barrier is inherently lower.

Android is appealing for its flexibility, but it also opens the door to sophisticated scams like SuperCard X. Meanwhile, the iOS ecosystem with its strict limits, especially on NFC access, is better protecting users.

“While sometimes criticized as being too restrictive, from a security perspective these restrictions are actually a valuable layer of protection,” said security expert Barr.

While malware is getting smarter, social engineering attacks are still the same old tricks. “Android users need to be better at recognizing the signs of fraud, and sometimes just stopping to verify the legitimacy of a request is enough to avoid risk,” Barr warned.