A new Android malware known as SuperCard X makes it possible to intercept contactless payment data via NFC. Victims are tricked into scanning the data themselves and forwarding it to scammers, who then use it to commit financial fraud.
How the attack works
The attack usually starts with a text message or WhatsApp message about a supposedly suspicious transaction. The recipient is asked to make contact by phone. During the call, criminals pose as bank employees and convince the victim to install a fraudulent app.
NFC reading and abuse
Once installed, the app asks the victim to hold their debit card against the phone. The malware then reads the card data via the NFC function and sends it to a second device. With this data, payments are made without the real owner knowing.
Few technical signals
According to security researchers at Cleafy, this malware is difficult to detect because the app asks for few conspicuous permissions. This makes it seem to users as if nothing unusual is happening.
Advice to users
Users are advised never to install apps based on a phone call, and not to hold a debit card to their phone unless absolutely necessary. It is also important to use official banking channels immediately if in doubt.
Comments (0)
Leave a comment