Hackers love using malware to go after your credit card details but a new malware-as-a-service platform makes it incredibly easy for them to use these stolen cards in person at stores and even at ATMs.
As reported by BleepingComputer, SuperCard X is the platform in question and it’s currently being used to target the best Android phones via NFC relay attacks. With your credit card details in hand, the hackers behind this campaign then use them to make small transactions and withdrawals at ATMs to avoid having them flagged as fraudulent.
Discovered by the mobile security firm Cleafy, SuperCard X bears a lot of similarities to the NGate malware I covered last summer. It too uses contactless cards to commit fraud by taking over a vulnerable device’s NFC capabilities.
Here’s everything you need to know about this new Android malware threat, how to avoid falling victim to it and some tips and tricks to keep your phone malware-free and safe from hackers.
From phishing to social engineering to fraud
Just like with other malware attacks, this one begins with a victim receiving a text message or a WhatsApp message impersonating their bank. This phishing message claims that they need to call a number to resolve issues with their account caused by a suspicious transaction.
The hackers behind this campaign pose as bank support on the other end of the call and they use social engineering to trick potential victims into “confirming” their card number and PIN. From there, they then try to convince the victim to remove spending limits via their banking app which is definitely a red flag as no bank would try to do something like this over the phone.
To gain access to their credit cards, the hackers convince victims to install a malicious app called Reader that’s disguised as either a security or verification tool. As you may have guessed, it contains the SuperCard X malware.
After installation, the Reader app doesn’t request loads of unnecessary permissions like we’ve seen other malicious apps do in the past. Instead, it only asks for a few essential permissions with the main one being access to an Android device’s NFC module.
The app then tells victims to tap their payment cards to their phone to verify them. This allows the malware to read a card’s chip data and send it back to the hackers behind this campaign. This data arrives on a hacker-controlled phone running another app called Tapper, which can emulate a victim’s card using the stolen data.
The hackers then use these emulated cards to make contactless payments at stores and to withdraw small amounts of money from ATMs. Since all of these transactions are small and happen instantly, a victim’s bank likely won’t flag them as fraudulent or reverse the charges.
How to stay safe from Android malware
The good news with this campaign is that according to Cleafy’s report, SuperCard X is currently only being used by hackers and scammers in Italy. However, since it is a malware-as-a-service offering purchased on the dark web, it could easily spread to other countries and continents any day now. As such, here are a few tips and tricks to stay safe from SuperCard X and other Android malware.
In this particular campaign, the lure is an unexpected text that appears to come from your bank. You should know to avoid messages like this, but the sense of urgency they create can still fool some people. Instead of responding to the message, you can always try looking up the phone number first. However, if the hackers or scammers spoofed your bank quite well, that number will be the same. In that case, it’s always a good idea to call your bank directly to verify something like this before responding.
Another big warning sign is when the hackers behind this campaign send potential victims a URL for an app to download to their phone. No legitimate bank would ever ask you to do something like this and instead, they’d point you to their app’s listing page on the Google Play Store.
As for staying safe from Android malware, you want to make sure that Google Play Protect is enabled on your devices. This free, built-in security app checks all of the new apps you download as well as the existing ones on your phone or tablet for malware. For additional protection though, you might want to consider running one of the best Android antivirus apps alongside it.
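If you look after Android devices for other people, you can check an app inventory for the two warning signs described above: an app installed from a link rather than the Play Store, and access to the NFC module. The Python sketch below is an added example, not code from Cleafy or the original report; the inventory format and the com.example package names are constructed for illustration.

```python
import json

PLAY_STORE = "com.android.vending"      # installer package name of the Google Play Store
NFC_PERMISSION = "android.permission.NFC"

# Constructed sample inventory (hypothetical export format and package names).
SAMPLE_INVENTORY = json.loads("""
[
  {"package": "com.example.bank", "installer": "com.android.vending",
   "permissions": ["android.permission.INTERNET", "android.permission.NFC"]},
  {"package": "com.example.reader", "installer": null,
   "permissions": ["android.permission.INTERNET", "android.permission.NFC"]},
  {"package": "com.example.flashlight", "installer": "com.android.browser.example",
   "permissions": ["android.permission.CAMERA"]},
  {"package": "com.example.wallet", "installer": "com.example.otherstore",
   "permissions": ["android.permission.NFC", "android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"]}
]
""")

def classify(app, trusted_installers=frozenset({PLAY_STORE})):
    """Return (severity, reasons) for one inventory record."""
    reasons = []
    perms = set(app.get("permissions", []))
    sideloaded = app.get("installer") not in trusted_installers
    if sideloaded:
        reasons.append("installed from outside a trusted store")
    if NFC_PERMISSION in perms:
        reasons.append("can use the NFC module")
    if sideloaded and NFC_PERMISSION in perms:
        # A short permission list is not reassuring here: the article notes
        # that the Reader app asks for little beyond NFC access.
        return "review", reasons
    if sideloaded:
        return "note", reasons
    return "ok", reasons

def audit(inventory):
    """Return {package: (severity, reasons)} for every app that is not 'ok'."""
    result = {}
    for app in inventory:
        severity, reasons = classify(app)
        if severity != "ok":
            result[app["package"]] = (severity, reasons)
    return result

if __name__ == "__main__":
    for pkg, (severity, reasons) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{severity:6} {pkg}: {'; '.join(reasons)}")
```

A "review" result is a prompt to look closer, not a verdict: plenty of legitimate apps use NFC, and some are installed from other stores.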
Now that SuperCard X is being used in attacks in the wild, I wouldn’t be surprised if other hackers and scammers started using this new malware-as-a-service in attacks in the U.S. and other countries.
By practicing good cyber hygiene and staying up to date on the latest threats (by reading this and other security articles on Tom’s Guide), you’ll be prepared to recognize the warning signs before it’s too late.