Full Report
A new malware campaign using NFC relay techniques has been identified carrying out unauthorized transactions through POS systems and ATMs.
Analysis Summary
# Tool/Technique: SuperCard X
## Overview
SuperCard X is a sophisticated Android malware operating under a Malware-as-a-Service (MaaS) model, specifically designed to enable real-time, contactless ATM and Point-of-Sale (POS) fraud by exploiting Near-Field Communication (NFC) protocols.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Real-time NFC data interception, PIN elicitation, card limit removal, remote ATM cash-out enablement.
- First Seen: Not stated in the source text; the discovery was announced recently.
## MITRE ATT&CK Mapping
The observed activities map primarily to impact and credential theft related to payment systems. Specific mappings based on actions described:
- **TA0008 - Lateral Movement** (implied for operational spread, though the focus is on device compromise)
- **TA0006 - Credential Access**
  - T1556 - Compromise Client Software Cryptographic Module (relates to NFC/payment data handling)
- **TA0011 - Command and Control** (implied by the MaaS model)
- **TA0014 - Impact**
  - T1458 - Service Interruption (potential for ATM system disruption/fraud)
*(Note: Precise T-numbers for the novel NFC relay aspects might require deeper analysis, but the above capture the essence of payment fraud and data exfiltration.)*
## Functionality
### Core Capabilities
- **Social Engineering Delivery:** Deploys via smishing campaigns and fraudulent phone calls, tricking victims into installing the malicious app disguised as a security tool.
- **Real-time NFC Data Interception:** Captures payment card data transmitted via NFC when a physical card is tapped near the compromised Android device.
- **PIN Elicitation and Limit Removal:** Aims to extract the user's PIN and potentially disable or increase card spending limits to facilitate fraud.
- **Instant Fraudulent Cash-Outs:** Facilitates immediate unauthorized transactions at POS systems or ATMs using the stolen data.
### Advanced Features
- **Malware-as-a-Service (MaaS):** Operates as a service, suggesting a structured distribution and operation model.
- **NFC-Relay Technique Exploitation:** Specifically targets and exploits the underlying communication protocols of contactless banking features.
- **Low Antivirus Detection:** Designed to evade existing security solutions.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Malicious Android application package]
- Registry Keys: Not applicable on Android; no filesystem or persistence artifacts provided.
- Network Indicators: [Not provided/Defanged]
- Behavioral Indicators: Unexpected permission requests related to NFC/communication; unusual background network activity related to data transmission.
## Associated Threat Actors
- Undisclosed actors operating the SuperCard X Malware-as-a-Service platform.
## Detection Methods
- Signature-based detection: Currently reportedly low, as the malware is new.
- Behavioral detection: Monitoring for unauthorized access to NFC hardware interfaces or unusual background processes after installation.
- YARA rules: [Not provided]
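As an added example that is not part of the original report: a static triage check over a decoded AndroidManifest.xml that flags the permission and service combination described under Behavioral Indicators above (NFC access, a host card emulation service, SMS/phone permissions, network access). The Android permission and action names are real; the sample manifest, its package name and the scoring thresholds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Real Android identifiers. An HCE service lets an app answer a contactless terminal
# as if it were a card; a self-described "security tool" has no reason to declare one.
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_BIND_PERM = "android.permission.BIND_NFC_SERVICE"
MESSAGING_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.CALL_PHONE"}

def triage_manifest(xml_text):
    """Score a decoded AndroidManifest.xml string; returns package, HCE services, findings, severity."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    hce = []
    for svc in root.iter("service"):
        if HCE_ACTION in {a.get(A + "name") for a in svc.iter("action")}:
            # A correctly declared HCE service must be guarded by BIND_NFC_SERVICE; record either way
            hce.append({"service": svc.get(A + "name"),
                        "bind_permission_ok": svc.get(A + "permission") == HCE_BIND_PERM})
    findings = []
    if "android.permission.NFC" in perms:
        findings.append("requests NFC access")
    if hce:
        findings.append("declares a host card emulation service")
    if perms & MESSAGING_PERMS:
        findings.append("requests SMS/phone permissions: " + ", ".join(sorted(perms & MESSAGING_PERMS)))
    if hce and "android.permission.INTERNET" in perms:
        findings.append("HCE service combined with network access")
    severity = "high" if len(findings) >= 3 else "medium" if hce else "low"  # constructed thresholds
    return {"package": root.get("package"), "hce_services": hce,
            "findings": findings, "severity": severity}

# Constructed sample manifest (not taken from any real APK): a fake "card protector" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.cardprotector">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Card Protector">
    <service android:name=".HceService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the constructed sample to see all four findings and a "high" severity; feed it the manifest extracted from a real APK (for example with apktool) for actual triage.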
## Mitigation Strategies
- **User Education:** Warning users against responding to smishing attempts or unsolicited calls requesting installation of security applications.
- **Application Source Verification:** Install apps only from trusted sources (official Play Store verification).
- **NFC Security Posture:** Be cautious when tapping payment cards near unknown or suspicious devices.
- **Endpoint Protection:** Employ advanced mobile security solutions capable of detecting novel malware behavior rather than relying solely on signatures.
## Related Tools/Techniques
- Other Android Banking Trojans (e.g., FluBot, Jabber Sting) that utilize smishing for initial access.
- NFC Relay Attacks generally.