New Android Malware Lets Hackers Steal Your Card With A Tap

SuperCard X malware targets Android phones in Italy, using NFC relay and fake banking apps to instantly steal and misuse credit card data.

Cybersecurity researchers at Cleafy have uncovered a new Android malware called SuperCard X revealing how scammers can steal card information and perform immediate cash withdrawals through Android devices. The sophisticated scam exploits Near-Field Communication (NFC) technology which most people use daily without awareness of its potential risks.

The malware operates through a Malware-as-a-Service (MaaS) model which enables instant contactless fraud attacks through victims’ phones in Italy.

The wireless technology NFC enables devices to exchange information through short-range connections which typically span only a few centimeters. The technology enables contactless payments through simple card or phone taps at stores. But attackers are now using NFC to pull off something called a relay attack.

In a relay attack, scammers trick victims into installing a malicious app—SuperCard X—on their phone. Once installed, this app silently captures payment card data when the user taps their card against their phone, thinking it’s for a legit reason.

That data is then instantly sent to another device controlled by the scammers, who use it to make unauthorized purchases or ATM withdrawals somewhere else.

The newly discovered attack starts with a scam message which reaches users through SMS or WhatsApp to warn them about fake suspicious payments. The warning messages force victims to contact a phony bank support hotline. The scammers lead victims through multiple phone instructions which ultimately lead to the theft of their card information.

First, they convince the victim to reveal their card PIN, remove spending limits from their card, and download an app disguised as a bank security tool. This app hides the SuperCard X malware, which silently captures the victim’s card data via NFC when the user brings their physical card near the infected phone.

The attackers transmit the stolen data through an instant process to their second device. The attackers use this information to perform unauthorized contactless payments and ATM withdrawals. The attackers focus on the card itself instead of the bank, Cleafy researchers observed that this attack works regardless of the financial institution involved.

This method allows criminals to commit fraud in real time, making it harder for banks to detect or stop the activity before money is withdrawn or spent.

SuperCard X uses two apps: “Reader” to capture card data and “Tapper” to perform the fake transaction. Both apps connect through a central server run by the malware developers. According to Cleafy, the malware is based on previously known tools and shares similarities with NGate, another Android threat identified in 2024.

Because of its minimalist design, SuperCard X is currently hard for antivirus software to detect. “This creates a dual benefit for the fraudster: the rapid movement of stolen funds and the immediate usability of the fraudulent transaction,” the report warned.

Cleafy advises banks and payment companies to stay alert, as similar scams may be running in other countries.