A new malware-as-a-service (MaaS) platform called "SuperCard X" has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.
SuperCard X is linked to Chinese threat actors and shares code similarities with the open-source NFCGate project and its malicious derivative, NGate, which has facilitated attacks in Europe since last year.
The MaaS platform is promoted via Telegram channels that also offer direct support to "customers".
SuperCard X was discovered by the mobile security company Cleafy, which reports attacks using this Android malware in Italy. Those attacks involved multiple samples with subtle differences, indicating that affiliates are offered custom builds tailored to regional or other needs.
How Supercard X attacks take place
The attack begins with the victim receiving a fake SMS or WhatsApp message impersonating their bank, stating that they must call a number to resolve problems caused by a suspicious transaction.
The call is answered by a scammer posing as bank support, who uses social engineering to get the victim to "confirm" their card number and PIN. They then try to convince the user to remove spending limits via their banking app.
Finally, the threat actors persuade the user to install a malicious app (Reader) disguised as a security or verification tool, which contains the SuperCard X malware.
During installation, the Reader app requests only minimal permissions, mainly access to the NFC module, which is enough to carry out the data theft.
The scammer instructs the victim to tap their payment card against their phone to "verify" the card, allowing the malware to read the card's chip data and send it to the attackers.
The attackers receive this data on their own Android device, which runs a second app called Tapper that emulates the victim's card using the stolen data.
Source: Cleafy
These "emulated" cards let attackers make contactless payments in stores and ATM withdrawals, although amount limits apply. Because these small transactions are instant and look legitimate to banks, they are harder to flag and reverse.
Source: Cleafy
Evasive malware
Cleafy notes that SuperCard X is currently not detected by any antivirus engine on VirusTotal, and the absence of risky permission requests and aggressive attack features such as screen overlays keeps it under the radar of heuristic scans.
The card emulation is ATR (Answer To Reset) based, which makes the emulated card appear legitimate to payment terminals and shows technical maturity and an understanding of smart card protocols.
Another notable technical aspect is the use of mutual TLS (mTLS) for certificate-based client/server authentication, securing C2 communications against interception and analysis by researchers or law enforcement.
Source: Cleafy
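As an added defensive illustration (not code from Cleafy or from this article), the heuristic below parses a decoded AndroidManifest.xml and flags the two app profiles described above: an app that requests almost nothing beyond NFC access, and an app that registers a host card emulation (HCE) service, which is Android's standard mechanism for an app to present itself as a card to a terminal. The manifests are constructed samples, the permission threshold is an assumption, and the article does not state whether Tapper uses HCE.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
# Permissions that overlay/accessibility-style banking malware usually asks for;
# their absence is part of the "minimal permissions" profile the article describes.
NOISY = {"android.permission.SYSTEM_ALERT_WINDOW",
         "android.permission.BIND_ACCESSIBILITY_SERVICE",
         "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def triage_manifest(xml_text, max_perms=2):
    """Return sorted heuristic flags for one decoded AndroidManifest.xml.
    max_perms is an assumed threshold for "asks for almost nothing"."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    flags = []
    if "android.permission.NFC" in perms and len(perms) <= max_perms and not perms & NOISY:
        flags.append("nfc_minimal_permissions")       # Reader-style profile
    if HCE_ACTION in actions:
        flags.append("host_card_emulation_service")   # Tapper-style profile
    if perms & NOISY:
        flags.append("noisy_permissions")             # classic overlay/SMS malware profile
    return sorted(flags)

# Constructed sample manifests (not real SuperCard X artifacts).
READER_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.verify">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

TAPPER_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tap">
  <uses-permission android:name="android.permission.NFC"/>
  <application><service android:name=".EmuService" android:permission="android.permission.BIND_NFC_SERVICE" android:exported="true">
    <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
  </service></application>
</manifest>"""

BENIGN_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("reader", READER_LIKE), ("tapper", TAPPER_LIKE), ("benign", BENIGN_LIKE)):
        print(label, triage_manifest(manifest))
```

A flag is a triage hint, not a verdict: legitimate payment and transit apps also declare HCE services, so hits should be reviewed alongside the app's origin and signing identity.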
BleepingComputer contacted Google for comment on the SuperCard X activity, and a spokesperson sent the statement below.
"Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play." – a Google spokesperson