
One-third of Android phone users are at serious risk of having their bank accounts emptied through sophisticated malware attacks that prey on outdated security systems.
Key Takeaways
- SuperCard X malware is turning infected Android phones into credit card-stealing machines through NFC relay attacks
- Hackers impersonate banks through phishing messages, tricking victims into installing malicious apps disguised as security tools
- Approximately one-third of active Android phones are vulnerable due to a lack of security updates from Google
- Android 13 or newer versions provide significantly better protection against banking malware
- Users can protect themselves by verifying suspicious communications directly with their bank and avoiding apps from unknown sources
New “SuperCard X” Malware Turns Phones Into Digital Card Skimmers
A dangerous new malware called SuperCard X has emerged as a significant threat to Android users, allowing hackers to steal credit card information through contactless technology. This sophisticated malware-as-a-service platform exploits the near-field communication (NFC) capabilities found in most modern Android phones, effectively turning infected devices into digital skimming tools. Once installed, the malware can read and transmit credit or debit card data when victims tap their physical cards against the compromised phone, giving criminals remote access to sensitive financial information.
“Hackers love using malware to go after your credit card details but a new malware-as-a-service platform makes it incredibly easy for them to use these stolen cards in person at stores and even at ATMs,” said Bleeping Computer.
The attack begins with phishing messages that impersonate legitimate banks, urging potential victims to call a fraudulent customer service number. When victims call this number, they’re connected with scammers posing as bank representatives who manipulate them into “confirming” their card information. The criminals then convince victims to install a malicious app called “Reader,” falsely described as a security tool, which actually contains the SuperCard X malware. This app requests access to the phone’s NFC module, enabling it to read and transmit card data directly to the attackers.
Older Android Phones Face Greatest Security Risk
The threat posed by SuperCard X and similar malware is significantly higher for users with outdated Android phones. Mobile security experts warn that millions of older Android devices have passed their security update cutoff date, leaving them perpetually vulnerable to new exploits. These phones aren’t just missing recent patches – they’re completely abandoned from a security perspective, creating perfect targets for cybercriminals looking to exploit known vulnerabilities that will never be fixed on these devices.
“They aren’t just missing recent patches; they stopped getting any security patches quite some time ago, maybe months or even years back,” said Phone Arena.
Google’s recent security reports underscore the severity of this situation. The April Android update alone addressed 62 security flaws, with two actively being exploited in the wild. Users of older Android versions (Android 12 or earlier) lack these critical patches, leaving them exposed to vulnerabilities that hackers are actively targeting. This is particularly concerning for banking and payment applications, which handle the most sensitive financial information on your device. Without regular security updates, these applications become increasingly vulnerable to sophisticated attack techniques.
Stealthy Design Makes Detection Difficult
What makes SuperCard X particularly dangerous is its ability to evade detection by most antivirus programs. The malware requests minimal permissions during installation, avoiding the suspicious behavior patterns that security software typically looks for. Despite its limited permissions, the malware gains access to the phone’s NFC capabilities – all it needs to carry out its card-stealing operations. Security researchers note that SuperCard X shares code with another malware variant called NGate and builds upon concepts from the open-source NFC tool NFCGate.
“Most antivirus programs for Android fail to spot it, says Cleafy,” said Cleafy.
Once criminals have captured card data through SuperCard X, they use a companion app called “Tapper” to emulate the victim’s card for contactless payments and ATM withdrawals. They typically make small transactions to avoid triggering fraud detection systems, gradually draining accounts without alerting victims until significant damage has occurred. While SuperCard X is primarily being used in Italy at present, security experts warn that its availability on the dark web means it could rapidly spread to other regions globally.
Protecting Yourself From Mobile Banking Threats
The most effective protection against these evolving threats is to ensure your Android device runs the latest operating system version. Android 13 or newer provides significantly enhanced security measures specifically designed to protect sensitive applications like banking apps. For the millions of users with devices that no longer receive updates, security experts are increasingly recommending an upgrade to newer hardware, despite the financial burden this may present. The alternative—continuing to conduct banking on vulnerable devices—presents an unacceptable risk.
“To be on the safe side, if your Android device is currently running Android 12, Android 12L, or lower, updating the OS to Android 13 or newer is one of the most secure things you can do. If this is the scenario you are left with, another option is to just go ahead and shell out the money to buy a new Android handset,” said Phone Arena.
Users should remain vigilant about potential signs of malware infection, including unexpected pop-ups, decreased device performance, unauthorized account activity, browser homepage changes, or unwanted extensions. When receiving communications purportedly from banks, always verify by contacting your financial institution directly through official channels—never through phone numbers provided in unexpected messages. Additionally, avoid downloading applications from unknown sources, as legitimate banking security tools are never distributed through unofficial channels or direct links in text messages or emails.
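For administrators of managed phones, the three signals this article describes (an OS older than Android 13, an app installed from outside an official store, and a request for NFC access) can be combined into a simple triage check. The sketch below is an added example, not code from the article or from any of the researchers it quotes; the inventory format, the App class, the triage_device function and every com.example.* package name are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

NFC_PERMISSION = "android.permission.NFC"     # Android's manifest permission for NFC access
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add a managed store if you run one
MIN_SDK = 33                                  # Android 13 is API 33 (12 is 31, 12L is 32)


@dataclass
class App:
    package: str
    installer: Optional[str]                  # None means no store recorded (sideloaded)
    permissions: set = field(default_factory=set)
    system: bool = False                      # preinstalled system component


def triage_device(sdk_level, apps, allowlist=frozenset()):
    """Return (subject, reason) leads for an analyst; these are not verdicts."""
    findings = []
    if sdk_level < MIN_SDK:
        findings.append(("device", f"API level {sdk_level} is older than Android 13"))
    for app in apps:
        if app.system or app.package in allowlist:
            continue                          # vetted or part of the OS image
        if NFC_PERMISSION not in app.permissions:
            continue                          # cannot talk to the NFC module
        if app.installer not in TRUSTED_INSTALLERS:
            source = app.installer or "no recorded installer"
            findings.append((app.package, f"requests NFC, installed from {source}"))
    return findings


# Constructed inventory: every com.example.* name is a placeholder, not a real sample.
SAMPLE_APPS = [
    App("com.example.wallet", "com.android.vending", {NFC_PERMISSION, "android.permission.INTERNET"}),
    App("com.example.reader", None, {NFC_PERMISSION}),
    App("com.example.flashlight", None, {"android.permission.CAMERA"}),
    App("com.android.nfc", None, {NFC_PERMISSION}, system=True),
]

if __name__ == "__main__":
    for subject, reason in triage_device(31, SAMPLE_APPS):
        print(f"{subject}: {reason}")
```

A store-installed wallet and a sideloaded app without NFC access are both left alone; only the combination of signals produces a lead, which still needs a human to review it.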