Full Report
A new payment card scam uses malware disguised as a security tool or verification utility to capture card details and access funds.
Analysis Summary
# Tool/Technique: SuperCard X
## Overview
SuperCard X is a previously undocumented Android malware utilized in a sophisticated scam targeting financial institution customers. It combines social engineering via text messages, phone calls, and the exploitation of Near-Field Communication (NFC) capabilities on mobile devices to steal payment card details (debit/credit cards). It appears to be offered as Malware-as-a-Service (MaaS).
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Social engineering integration, NFC data capture of payment cards, delivered via phishing links. Appears to be part of a MaaS operation.
- First Seen: Recent, tracked by Cleafy in Italy.
## MITRE ATT&CK Mapping
*Note: Direct specific mappings were not provided in the text, but the described actions suggest the following general tactics/techniques related to initial access and collection.*
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- T1059 - Command and Scripting Interpreter
- T1204 - User Execution (the victim installs and launches the malware themselves; PowerShell (T1059.001) does not apply on Android)
- T1486 - Data Encrypted for Impact (listed only as a loose analogy; the scheme does not encrypt data, it captures and uses card data)
- T1005 - Data from Local System (Capturing card data from local NFC processes)
## Functionality
### Core Capabilities
- Facilitating remote data capture of physical payment cards via NFC interaction with an infected device.
- Enabling immediate access to the victim's funds, potentially outside the channels traditional banking fraud controls watch.
### Advanced Features
- Delivery via social engineering/text message impersonating bank fraud alerts.
- Instructing victims to disable spending limits or to provide their PINs.
- Operation as a Malware-as-a-Service (MaaS), allowing different affiliates to run local campaigns.
- Agnostic targeting: The operation targets the card itself, regardless of the issuing financial institution.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Disguised as security tools or verification utilities]
- Registry Keys: [Not provided in text]
- Network Indicators: [Not explicitly detailed, related C2 infrastructure is unknown]
- Behavioral Indicators:
  - Execution following user installation via a link received via SMS.
  - Initiation of NFC communication when an infected phone is brought near a payment card.
  - Attempts to elicit sensitive data (PINs) during the preceding social engineering phase.
## Associated Threat Actors
- "Chinese-speaking" hackers (Operating the MaaS backend).
- Affiliates operating locally (e.g., in Italy).
- Similar schemes noted in the Czech Republic (related malware NGate).
## Detection Methods
- Signature-based detection: Likely requires signatures for the SuperCard X payload (once identified).
- Behavioral detection: Monitoring unusual requests for NFC permissions/activity following application installation originating from SMS links. Monitoring unusual fund transfers immediately post-NFC interaction.
- YARA rules: [Not provided in text]
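As an added illustration of the behavioral detection described above (this is not code from the report or from Cleafy), the following Python flags devices whose telemetry shows the described chain in order: SMS link opened, app installed, NFC permission granted, NFC session started, optionally followed by a card transaction. The log format, event names, device ids and time window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ISO timestamp> <device> <event> <detail>".
SAMPLE_LOG = """\
2025-04-01T09:00:00 dev1 sms_link_open https://example.invalid/verify
2025-04-01T09:02:10 dev1 app_install com.example.verifier source=browser
2025-04-01T09:03:00 dev1 nfc_permission_granted com.example.verifier
2025-04-01T09:05:30 dev1 nfc_session com.example.verifier
2025-04-01T09:06:00 dev1 card_transaction amount=2400
2025-04-01T10:00:00 dev2 app_install com.example.wallet source=store
2025-04-01T10:01:00 dev2 nfc_permission_granted com.example.wallet
2025-04-01T10:02:00 dev2 nfc_session com.example.wallet
2025-04-01T11:00:00 dev3 sms_link_open https://example.invalid/alert
2025-04-01T11:01:00 dev3 app_install com.example.check source=browser
2025-04-01T11:02:00 dev3 nfc_permission_granted com.example.check
2025-04-01T11:04:00 dev3 nfc_session com.example.check
2025-04-01T12:00:00 dev4 sms_link_open https://example.invalid/x
2025-04-01T14:00:00 dev4 app_install com.example.other source=browser
"""

WINDOW = timedelta(minutes=30)  # assumed: chain must complete within this time
CHAIN = ("sms_link_open", "app_install", "nfc_permission_granted", "nfc_session")

def parse_log(text):
    """Parse lines into (timestamp, device, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, dev, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), dev, kind, detail))
    return events

def flag_devices(events, window=WINDOW):
    """Return {device: severity} for devices showing the full chain in order
    within `window` of the SMS link open. Severity is 'high' if a card
    transaction follows the NFC session inside the window, else 'medium'."""
    by_dev = {}
    for ev in sorted(events):
        by_dev.setdefault(ev[1], []).append(ev)
    flagged = {}
    for dev, evs in by_dev.items():
        step, start, done_at = 0, None, None
        for ts, _, kind, _ in evs:
            if step < len(CHAIN) and kind == CHAIN[step]:
                if step == 0:
                    start = ts
                elif ts - start > window:
                    break  # chain stalled; treat the events as unrelated
                step += 1
                if step == len(CHAIN):
                    done_at = ts
            elif done_at and kind == "card_transaction" and ts - done_at <= window:
                flagged[dev] = "high"
        if done_at and dev not in flagged:
            flagged[dev] = "medium"
    return flagged
```

Devices with NFC use but no SMS-link install (dev2) and chains that stall past the window (dev4) are not flagged, which keeps ordinary wallet apps out of the alert.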
## Mitigation Strategies
- Prevention measures: Educate users about SMS/voice phishing scams related to bank security alerts.
- Hardening recommendations: Users should be highly cautious about installing applications from links received via text message, even if they appear to be security tools. Disable NFC functionality when not actively in use for contactless payments, if possible.
## Related Tools/Techniques
- NGate: Malware previously reported in 2024 by ESET in the Czech Republic, showing overlap with SuperCard X.
- Tap-to-pay scams: General category of fraud combining NFC technology with phishing.