
One-third of all Android users face grave financial theft risks as their outdated phones lack critical security updates against sophisticated new credit card-stealing malware like SuperCard X, which turns phones into covert card-reading stations.
Key Takeaways
- Hackers are using a new malware platform called SuperCard X that transforms Android phones into malicious tap-to-pay machines, stealing credit card details through NFC relay attacks.
- The attack begins with phishing messages impersonating banks, tricking victims into installing a malicious app disguised as a security tool that reads and transmits card data to criminals.
- Approximately one-third of active Android phones have surpassed their security update cutoff date, making them permanently vulnerable to exploits.
- Google recently reported 62 security flaws in its April Android update, with two already being actively exploited by hackers.
- Users can protect themselves by updating to Android 13 or newer, verifying suspicious messages directly with their bank, and avoiding app downloads from unknown sources.
New Banking Malware Puts Android Users at Unprecedented Risk
Cybersecurity experts have identified a dangerous new threat targeting Android users, especially those with outdated devices. The malware, known as SuperCard X, operates as a malware-as-a-service platform that exploits near-field communication (NFC) capabilities in Android phones to steal credit and debit card information. This sophisticated attack turns victims’ devices into covert card-reading stations, allowing criminals to make unauthorized purchases and ATM withdrawals with the stolen data. While currently most prevalent in Italy, security researchers warn this threat is poised to spread globally as it’s now available on dark web marketplaces.
“The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC).” Cleafy
The attack begins when victims receive phishing messages appearing to come from legitimate banks, urging them to call a provided phone number regarding supposed suspicious activity. Once on the call, fake bank representatives use social engineering to trick victims into “confirming” their card details and PINs. The scammers then convince victims to install a malicious application deceptively named “Reader,” which they claim is a security tool but contains the SuperCard X malware. This app requests access to the device’s NFC module, enabling it to read chip data from payment cards and transmit this information to hackers.
Older Android Phones: A Ticking Security Time Bomb
The threat to Android users extends far beyond this specific malware campaign. Mobile security specialists have raised alarms about the broader vulnerability landscape, particularly for the millions of users with older Android devices. Google’s own reports indicate that approximately one-third of all active Android phones are currently vulnerable due to a lack of ongoing security support. These devices haven’t just missed recent patches – many stopped receiving any security updates months or even years ago, leaving them permanently exposed to numerous exploits.
“They aren’t just missing recent patches; they stopped getting any security patches quite some time ago, maybe months or even years back.” Phone Arena
A recent Google security bulletin identified 62 flaws in the April Android update alone, with two of these vulnerabilities already being actively exploited by hackers. For users still running Android 12 or earlier versions, these security gaps represent serious risks, especially when conducting banking transactions or accessing sensitive information. The outdated security infrastructure in these older devices makes them particularly attractive targets for cybercriminals who specifically scan for and exploit known vulnerabilities that remain unpatched in older operating systems.
How the SuperCard X Attack Works
The technical sophistication of SuperCard X makes it particularly dangerous. After installing the malicious Reader app, victims’ phones become capable of extracting payment card data when cards are placed near the device. This data is then transmitted to the attackers, who use another application called Tapper to emulate the victim’s card for contactless payments and ATM withdrawals. The hackers tactically make small transactions and withdrawals to avoid triggering fraud detection systems, maximizing their illegal gains before victims become aware of the theft.
“Hackers love using malware to go after your credit card details, but a new malware-as-a-service platform makes it incredibly easy for them to use these stolen cards in person at stores and even at ATMs.” BleepingComputer
What makes SuperCard X particularly insidious is its stealth. “Most antivirus programs for Android fail to spot it, says Cleafy.” The malware requests minimal privileges during installation, which helps it avoid detection by security software. It also shares code with another threat called NGate and is based on concepts from NFCGate, an open-source NFC tool. This design lets attackers focus on the social engineering side of their campaigns while the malware handles the technical theft process.
Protecting Yourself from Mobile Banking Threats
For Android users concerned about these threats, security experts recommend several protective measures. The most important step is ensuring your device is running Android 13 or newer, as these versions incorporate enhanced security features specifically designed to protect sensitive applications like banking apps. If your phone cannot be updated to a newer Android version, experts are blunt: “it’s not worth the risk,” and they advise consumers to purchase a newer device with current security support.
“To be on the safe side, if your Android device is currently running Android 12, Android 12L, or lower, updating the OS to Android 13 or newer is one of the most secure things you can do. If this is the scenario you are left with, another option is just to go ahead and shell out the money to buy a new Android handset.” Phone Arena
Additional safety measures include being extremely skeptical of unsolicited messages claiming to be from your bank, verifying any suspicious communications by contacting your bank through official channels you find yourself (not numbers provided in the message), and avoiding downloading apps from unknown sources. Watch for warning signs of malware infection, including unexpected pop-ups, decreased device performance, unusual battery drain, and unauthorized account activity. Installing reputable security software provides an additional layer of protection against these increasingly sophisticated threats targeting American consumers.
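For administrators who manage more than one handset, the checks above can be automated. The following is an added example, not code from the article or from Cleafy: it audits a constructed device inventory for the three conditions the article describes (Android older than 13, a stale security patch level, and an NFC-capable app installed from outside Google Play). The inventory schema, the package names and the 180-day threshold are assumptions.

```python
from datetime import date

PLAY_STORE = "com.android.vending"        # Google Play's installer package name
NFC_PERMISSION = "android.permission.NFC"
MIN_RELEASE = 13                          # minimum version the article recommends
MAX_PATCH_AGE_DAYS = 180                  # assumed threshold, not from the article

# Constructed inventory (hypothetical schema). "release" and "security_patch"
# mirror the ro.build.version.release and ro.build.version.security_patch props.
DEVICES = [
    {"id": "phone-a", "release": "12", "security_patch": "2023-03-05",
     "apps": [{"package": "example.reader", "installer": None,
               "permissions": [NFC_PERMISSION, "android.permission.INTERNET"]}]},
    {"id": "phone-b", "release": "14", "security_patch": "2025-04-05",
     "apps": [{"package": "example.wallet", "installer": PLAY_STORE,
               "permissions": [NFC_PERMISSION]}]},
]

def audit_device(device, today):
    """Return a list of findings for one device; an empty list means no flags."""
    findings = []
    try:
        major = int(str(device.get("release", "")).split(".")[0])
        if major < MIN_RELEASE:
            findings.append(f"android-{major}-below-{MIN_RELEASE}")
    except ValueError:
        findings.append("unknown-android-release")
    try:
        age = (today - date.fromisoformat(device.get("security_patch"))).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"patch-level-{age}-days-old")
    except (ValueError, TypeError):
        findings.append("unknown-patch-level")
    # An app that can talk to the NFC module and did not come from Google Play
    # matches how the article says the "Reader" app reaches victims.
    for app in device.get("apps", []):
        sideloaded = app.get("installer") != PLAY_STORE
        if sideloaded and NFC_PERMISSION in app.get("permissions", []):
            findings.append(f"sideloaded-nfc-app:{app['package']}")
    return findings

def audit_fleet(devices, today):
    return {d["id"]: audit_device(d, today) for d in devices}

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(DEVICES, date(2025, 5, 1)).items():
        print(dev_id, findings or "ok")
```

A flagged NFC app is a prompt for review rather than proof of infection, since legitimate apps distributed outside Google Play also request NFC access.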