Android Users Warned About New NFC Card Theft Scam

By Sophia Taylor

A new and sophisticated Android malware named SuperCard X is making waves in the cybersecurity world — and not in a good way. This malware allows criminals to steal your credit or debit card information and use it for fraudulent purchases and ATM withdrawals, all without physically touching your card.

Disguised as a legitimate app, SuperCard X is part of a growing trend known as malware-as-a-service (MaaS). Criminals can buy access to this malware on platforms like Telegram, complete with customer support. The malware is mainly targeting Android users in Italy, but similar attacks could easily spread elsewhere.

How the Scam Works

The scam begins with a fake message — often an SMS or WhatsApp — pretending to be from your bank. It warns you of a suspicious transaction and asks you to call a phone number. On the other end of the line is not your bank, but a scammer trained to sound like one.

They use these calls to trick you into sharing sensitive card details and sometimes convince you to remove spending limits on your account.

Next comes the real danger: the scammer persuades you to download what looks like a security app. In reality, it’s a malicious app containing SuperCard X. This app asks for minimal permissions, mainly access to your phone’s NFC (Near Field Communication) feature. This makes it easy to overlook, but deadly effective.

Fig 1. A diagram of the SuperCard X scam (Source: Cleafy)

Once installed, the app asks you to tap your card to your phone to “verify” it. Instead, it secretly captures the data stored in your card’s chip. That data is then sent to a second app — called “Tapper” — installed on a criminal’s phone. This app emulates your card, allowing them to make contactless payments or ATM withdrawals as if they were you.

What makes SuperCard X especially concerning is how well it hides. It uses secure communication methods, like mutual TLS, to avoid detection. And because it doesn’t request obvious permissions or behave aggressively, traditional antivirus software often fails to catch it.

Staying Safe

Google has confirmed that no versions of SuperCard X are currently on the Google Play Store, and it encourages users to keep Play Protect turned on. The company is also reportedly working on new Android features to prevent apps from being installed during phone calls — a direct response to scams like this.

This type of fraud is more than just a technical trick. It’s a clever blend of social manipulation and modern technology, and it poses a serious threat to anyone using contactless payments.

To stay safe, never download apps from unknown sources, be skeptical of urgent messages about your finances, and don’t share sensitive info over the phone. Cybercriminals are evolving, and so should our defenses.
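The traits described above (an app that asks for little beyond NFC access and was not installed from Google Play) can be turned into a simple triage check over a device's app inventory. The following is an added example, not code from the article, Cleafy or Google; the inventory format, the package names, the trusted-installer set and the permission threshold are all assumptions made for illustration.

```python
# Added example: a triage heuristic, not code from the article, Cleafy or Google.
NFC = "android.permission.NFC"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted
MAX_PERMS = 4  # assumption: "minimal permissions" means at most a handful

# Constructed inventory in a hypothetical MDM-export shape (all package names invented).
INVENTORY = [
    {"package": "com.example.bank", "installer": "com.android.vending",
     "permissions": [NFC, "android.permission.INTERNET", "android.permission.CAMERA"]},
    {"package": "com.example.verifier", "installer": None,
     "permissions": [NFC, "android.permission.INTERNET"]},
    {"package": "com.example.game", "installer": None,
     "permissions": ["android.permission.INTERNET", "android.permission.VIBRATE"]},
    {"package": "com.example.transit", "installer": "com.example.store",
     "permissions": [NFC, "android.permission.INTERNET", "android.permission.CAMERA",
                     "android.permission.VIBRATE", "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.POST_NOTIFICATIONS"]},
]


def assess(app):
    """Return (level, reasons); level is 'ok', 'review' or 'high'."""
    perms = set(app.get("permissions") or [])
    installer = app.get("installer")
    if NFC not in perms:
        return "ok", []  # without NFC access the app cannot read a tapped card
    if installer in TRUSTED_INSTALLERS:
        return "ok", []  # installed through a trusted store
    reasons = ["requests NFC", f"installed outside trusted stores (installer={installer!r})"]
    if len(perms) <= MAX_PERMS:
        reasons.append(f"small permission footprint ({len(perms)} permissions)")
        return "high", reasons
    return "review", reasons


def flagged(inventory):
    """Map package name -> level for every app that needs a human look."""
    result = {}
    for app in inventory:
        level, _ = assess(app)
        if level != "ok":
            result[app["package"]] = level
    return result


if __name__ == "__main__":
    for app in INVENTORY:
        level, reasons = assess(app)
        if level != "ok":
            print(f"{level:6} {app['package']}: " + "; ".join(reasons))
```

A hit is a prompt for review, not a verdict: legitimate sideloaded apps also use NFC, so the output is a shortlist for a person to check.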