A SOPHISTICATED new scam attack that allows cyber thieves to instantly access the money of victims has been uncovered by experts.
The devastating scam is pulled off when targets “tap” their payment cards on their infected Android phones.
2
It’s been dubbed “SuperCard X” and appears to be linked to Chinese-speaking threat actors, according to security firm Cleafy.
The ruse begins like many others, with individuals receiving a fake text or WhatsApp message claiming to be from their bank.
These messages say there has been a suspicious transaction on their account and that they need to call a number to resolve it.
Fraudsters pose as bank support staff and trick victims into revealing their card number, PIN and removing spending limits within their banking app.
But matters take a different turn next when the scammer tells them to install an app that’s meant to be a security or verification tool.
Instead, it hides the SuperCard X malware.
The cyber crook finally urges the person to tap their payment card on their phone to verify it.
However, this doesn’t protect their account – it allows the malware to read the card chip data, which is instantly sent off to the fraudster.
“As highlighted in this report, this new threat stands out from previous ones not so much due to the sophistication of the malware itself, but rather in terms of the fraud mechanism that relies on a novel technique associated with the NFC,” Cleafy says.
“This process allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers.”
Google – which runs Android – told BleepingComputer that “no apps containing this malware are found on Google Play” based on their current detection.
“Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services,” a rep said.
“Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
2
How to spot a dodgy app
Detecting a malicious app before you hit the ‘Download’ button is easy when you know the signs.
Follow this eight-point checklist when you’re downloading an app you’re unsure about:
- Check the reviews – be wary of both complaints and uniformly positive reviews by fake accounts.
- Look out for grammar mistakes – legitimate app developers won’t have typos or errors in their app descriptions.
- Check the number of downloads – avoid apps with only several thousand downloads, as it could be fake.
- Research the developer – do they have a good reputation? Or, are totally fake?
- Check the release date – a recent release date paired with a high number of downloads is usually bad news.
- Review the permission agreement – this agreement gives permission for the app to take bits of your data, and fake apps often ask for additional data that is not necessary.
- Check the update frequency – an app that is updated too frequently is usually indicative of security vulnerabilities.
- Check the icon – look closely, and don’t be deceived by distorted, lower-quality versions the icons from legitimate apps.
All of this information will available in both Apple’s App Store and the Google Play Store.
