SuperCard X and NGate: The new malware that clones credit cards via NFC on Android and how to protect yourself

  • SuperCard X and NGate malware allows NFC credit card cloning on Android.
  • The attacks begin with social engineering and fake applications requested by cybercriminals.
  • Both malware transmit data in real time and bypass most current antivirus programs.

Learn about malware that clones cards using NFC technology

In recent months, the Android universe has been shaken by the emergence of two new malware families that clone credit cards and are capable of emptying bank accounts by taking advantage of NFC technology. This threat, orchestrated mainly by two malware families named NGate and SuperCard X, is affecting both ordinary users and financial institutions, and has put cybersecurity experts around the world on alert. If you use your phone for contactless payments or have NFC enabled, it's crucial that you understand how these threats operate and what measures to take to protect yourself.

In this article, we tell you in a clear, exhaustive and updated way everything you need to know about the new malware that clones credit cards via NFC on Android devices. Here you'll discover how cybercriminals operate, the latest social engineering techniques, how they bypass antivirus software, and, of course, what steps you can take to avoid becoming the next victim.

What's happening? The starting point of the threat

Over the past year, several security firms such as ESET and Cleafy have uncovered international operations targeting Android users, taking advantage of the rise of contactless payments. The purpose of these operations is to steal bank card data and use it to make purchases or withdraw money at ATMs and point-of-sale (POS) terminals, all without needing to physically have the original card or, in most cases, know the PIN.


The protagonists of this massive attack are two malicious programs in particular: NGate and SuperCard X. Both malware families have revolutionized the way criminals clone credit cards, using the Near Field Communication (NFC) technology that most modern cell phones include.

SuperCard X and NGate, the malware that clone cards using NFC technology

What is NGate and how do they clone cards?

NGate appeared in Europe following an investigation by the security firm ESET. It is a malicious app that can transmit bank card data in real time from the victim's phone to an attacker's device. The attacker, using a modified (rooted) Android phone, can emulate the victim's card and carry out transactions at ATMs and POS terminals.

What's new about NGate is the misuse of an academic tool called NFCGate, designed by students in Germany to study and analyze NFC traffic. Cybercriminals have adapted this project to intercept and retransmit data remotely. That is, when someone brings their card close to the infected phone, the data is instantly transferred to the criminal, even if they are hundreds of miles away.

The infection usually begins with a phishing message (SMS, WhatsApp, or email), posing as the victim's bank, warning of a supposed problem with their account and suggesting they download an app to fix it. Unsuspecting victims install the app outside of Google Play—NGate has never been available in official stores—and unwittingly hand over control of the NFC module to the attackers.

Once the malicious application is installed, it asks for NFC access and instructs the victim to hold their physical card to the phone "for verification." In reality, the phone is reading the card information and transmitting it to the attacker. NGate may even request additional information, such as a PIN, bank account ID, or date of birth, to increase its control over the account.

SuperCard X: The latest generation of NFC malware for Android that clones cards

SuperCard X represents the evolution of NFC fraud. Discovered by Cleafy Labs and with strong ties to Chinese cybercriminal groups, this malware is distributed as MaaS (malware-as-a-service) on underground forums and Telegram channels, making it easy for cybercriminals with limited technical knowledge to exploit it. By paying a subscription, these "customers" gain access to the software, instructions, and even technical support.

SuperCard X has been detected in attacks primarily targeting Italy, although various sources suggest the threat already has European reach and could be active in Spain. The modus operandi is extremely sophisticated and includes social engineering steps to maximize the success of the deception.

This is how the SuperCard X attack works

  • It all starts with a fraudulent SMS or WhatsApp message, in which the victim is alerted to a supposedly serious problem with their bank account. They are urged to call a number that, of course, is answered by a criminal posing as the bank's support team.
  • During the call, the attacker applies social engineering techniques to obtain sensitive data: card number and PIN. They can even convince the victim to remove their card's spending limits using their bank's app.
  • The next step is to convince the user to install an app called "Reader" that supposedly enhances security. In reality, "Reader" is the SuperCard X malware itself, which requests minimal but essential permissions, such as access to NFC.
  • The victim, thinking they are collaborating with a verification process, holds their card close to the phone. At that moment, Reader collects the NFC data and sends it to the attackers.
  • On the criminals' end, an Android device runs the app "Tapper," which can emulate the victim's card and make contactless payments and cash withdrawals at ATMs. Because these are small transactions, they often go unnoticed by banks.

The alarming thing is that SuperCard X is currently not detected by major antivirus programs and does not even appear in VirusTotal, making it a silent and difficult-to-fight threat. Google assures that there are no apps for this malware on Google Play, but also reminds people not to blindly rely on automatic protection measures.

Why are these card-cloning malwares so dangerous?

The big difference compared to previous malware lies in the ability to transmit NFC data in real time, which allows attackers to simulate the presence of the physical card at an ATM or POS terminal, even over long distances. In addition, both NGate and SuperCard X request minimal permissions, avoid screen overlays and do not require access to SMS or calls, making them even more difficult to detect.


The SuperCard X platform uses mutual TLS (mTLS) to encrypt and secure communication between the malware and the control server. This prevents researchers or law enforcement from easily intercepting traffic to track or identify the malware operators.

These aspects, combined with the distribution via malware-as-a-service, have democratized access to NFC fraud, making it easier for any cybercriminal, even those lacking extensive technical knowledge, to access ready-to-use card cloning tools.

Who is in the spotlight?

The main targets of these attacks are Android users with mobile phones equipped with NFC chips and bank cards with contactless technology. Attackers target users who trust their bank's communications, who don't have advanced protections enabled, and, above all, who aren't cautious enough when installing apps outside of official stores.

The scope, however, is global: the infrastructure has been detected in Europe, especially in Italy, but nothing prevents the attack from spreading to other countries. Banks and card issuers, as well as financial app developers, are also on the cybercriminals' radar, as a massive breach could cause considerable financial and reputational damage.

Prevention strategies for users against card-cloning malware

Although it may seem that the situation is critical, there are practical measures that can minimize or even neutralize the risk of these attacks. The key is prevention and proactive distrust of any suspicious communication that invokes fear or urgency to get you to install an app or share your banking details.

  • Never install applications from links provided in SMS, WhatsApp or email messages. If your bank needs to contact you, they will do so through official channels. Always go directly to the Google Play Store and verify the developer's name.
  • Be wary of apps that ask you to scan or hold your bank card against your phone, unless they're official apps from the bank itself and you've confirmed it on its website. No standard banking process requires you to tap your physical card on your phone outside of an official app.
  • Turn off NFC when you're not going to use it. Many users have the chip enabled by default, but only use it occasionally. Turn off the feature in your device's settings and only enable it when making payments.
  • Always install reliable security software on your mobile device and keep the operating system and applications updated. New versions include patches for known vulnerabilities.
  • Never share your PIN or other information over the phone, even if the caller claims to be from a bank or an authority. Banks never request this type of information over the phone or through messaging apps.
  • Periodically review the movements of your accounts. This way, you can quickly detect any suspicious activity and file a claim before the damage becomes too great.
  • Use RFID/NFC blocking wallets or protective cases if you carry your cards with you, as this can prevent a physical attacker from reading them without you noticing, although the main vector for this malware is digital.

What can banks and developers do about card-cloning malware?

Beyond individual precautions, financial and technology companies have a lot to improve to protect their customers:

  • Strengthen the authentication system at contactless ATMs and POS terminals, adding additional verification steps in the event of anomalous usage patterns.
  • Constantly update fraud databases, collaborating with cybersecurity companies that detect new malware variants.
  • Proactively inform customers about the risks of installing third-party apps and sharing data. Many attacks occur simply because the victim is unaware that their bank never requests confidential information outside of official channels.
  • Develop early warning systems for unusual banking transactions, blocking cards preemptively and contacting the user to confirm their legitimacy.
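As an added illustration of the early-warning idea above (this is example code written for this page, not code from the article or from ESET or Cleafy), the Python check below flags the pattern the article describes: a burst of small contactless, card-present transactions at several different terminals within a few minutes. The transaction records and the threshold values are constructed assumptions.

```python
# Added example: bank-side early-warning rule for relay-style card fraud.
# Flags cards whose contactless history shows a burst of small transactions
# across several terminals within a short window. Sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str          # tokenised card reference (constructed)
    ts: datetime
    amount: float      # in EUR
    channel: str       # "contactless", "chip" or "online"
    terminal: str      # merchant or ATM terminal id (constructed)


# Thresholds are assumptions for the example, not values from the article.
SMALL_AMOUNT = 50.0
WINDOW = timedelta(minutes=15)
MIN_TXNS = 3
MIN_TERMINALS = 2


def flag_relay_bursts(txns):
    """Return the set of card references showing MIN_TXNS or more small
    contactless transactions at MIN_TERMINALS or more distinct terminals
    inside any WINDOW-long sliding window."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.ts):
        if t.channel != "contactless" or t.amount > SMALL_AMOUNT:
            continue                      # only small contactless txns matter
        by_card.setdefault(t.card, []).append(t)
    flagged = set()
    for card, hist in by_card.items():
        start = 0
        for end in range(len(hist)):
            while hist[end].ts - hist[start].ts > WINDOW:
                start += 1                # slide the window forward
            window = hist[start:end + 1]
            if len(window) >= MIN_TXNS and len({x.terminal for x in window}) >= MIN_TERMINALS:
                flagged.add(card)
                break
    return flagged


T0 = datetime(2025, 5, 3, 14, 0)
SAMPLE = [  # constructed: card-A shows the relay burst, card-B is normal use
    Txn("card-A", T0, 20.0, "contactless", "POS-1"),
    Txn("card-A", T0 + timedelta(minutes=4), 35.0, "contactless", "ATM-7"),
    Txn("card-A", T0 + timedelta(minutes=9), 45.0, "contactless", "POS-3"),
    Txn("card-B", T0, 12.0, "contactless", "POS-1"),
    Txn("card-B", T0 + timedelta(hours=3), 18.0, "contactless", "POS-1"),
    Txn("card-B", T0 + timedelta(hours=3, minutes=2), 400.0, "chip", "POS-9"),
]

if __name__ == "__main__":
    print(flag_relay_bursts(SAMPLE))  # {'card-A'}
```

A real deployment would feed the flagged cards into the preemptive block and customer confirmation step the article recommends.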

Are we really helpless?

Education and prevention remain the best weapons. Social engineering techniques, although sophisticated, almost always depend on the user taking the step of installing an app or sharing sensitive data. Official bank apps never ask for your PIN or to hold your card up to your phone, except for very specific and clear processes where you can verify its authenticity.


Malware hunters like ESET and Cleafy continue to uncover new variants, informing institutions and helping improve protection systems, but the speed at which these threats develop requires extreme caution on the part of users. Share this information so more users are aware of this development.
