Android scam lets hackers use your credit card remotely

Scammers are always coming up with new tricks. Just when you start feeling confident about spotting phishing emails, suspicious links and fake banking apps, they find a new angle. Lately, they have been getting more creative, turning to the built-in features of our phones to pull off their schemes. One of the latest targets is NFC, the technology behind tap-to-pay. 

It might seem harmless, but a new scam is using it in ways most people would never expect. An Android malware called SuperCard goes beyond just stealing your card details. It gives attackers the ability to use your card remotely for real transactions. And the worst part is that it all begins with something as simple as a text message.

The malware is offered through a Malware-as-a-Service model, which means different cybercriminals can use it in their own regions. This makes the threat more scalable and harder to contain. Unlike most banking trojans, SuperCard X is not focused on one specific institution. It targets any cardholder regardless of which bank issued their card.

Another key difference is how stealthy the malware is. It uses minimal permissions and does not include extra features that would make it easier to detect. This lean approach helps it avoid detection by antivirus software and allows it to operate quietly on infected devices.

The fraud begins with a message sent through SMS or WhatsApp. It pretends to be from a bank and warns the recipient about a suspicious transaction. The message includes a phone number and urges the person to call to resolve the issue. This is the first step in gaining the victim's trust.

Once on the phone, the attacker poses as a bank representative and walks the victim through a fake security process. This may include asking them to confirm personal details or adjust settings in their mobile banking app, such as removing spending limits on their card.

Next, the attacker asks the victim to install a mobile app that is described as a tool to verify the account or enhance security. In reality, this app contains the SuperCard X malware. After the installation, the attacker instructs the victim to tap their card against the phone. The malware then captures the NFC data from the card and sends it to a second phone controlled by the attacker.

Using the copied data, the attacker can make contactless payments or make ATM withdrawals almost instantly. This method allows them to steal funds quickly and leaves little opportunity for banks or victims to intervene in time.

1) Be cautious of suspicious texts and calls. Use strong antivirus software: Fraudulent campaigns often begin with an SMS or call that seems to come from your bank. These messages usually claim there's suspicious activity on your account and urge you to click a link or dial a number to resolve the issue. However, this is a tactic used to gain access to your personal information. Always approach such messages with skepticism.

2) Avoid installing apps from untrusted sources: One of the key ways malware like SuperCard X spreads is through deceptive apps that victims are persuaded to install. These apps often look harmless, posing as tools for security or account verification. If you receive a link to download an app via SMS, email or messaging apps like WhatsApp, do not click on it. Instead, only download apps from trusted sources, such as the Google Play Store. Additionally, carefully review app permissions and avoid granting unnecessary access, particularly to sensitive data like NFC, location or personal contacts.

3) Turn off NFC when not in use: NFC, or Near Field Communication, is a useful feature that allows contactless payments and data exchanges. However, it can be exploited by attackers to capture your card information without you even realizing it. To minimize your risk of falling victim to NFC-based malware like SuperCard X, turn off NFC when you're not actively using it. 

On most Android devices, you can do this by going to "Settings," then "Connected Devices" or "Connection Preferences," where you'll find the NFC toggle. By disabling NFC, your phone won't transmit data wirelessly, which helps protect your payment card information from being stolen by nearby attackers.

4) Keep a close eye on your bank accounts and cards: If your device has come into contact with the SuperCard or anything similar, it's possible your banking details are already compromised. That's why it's important to regularly check your transaction history for anything odd, like a small payment you don't remember making or a charge from a strange location could be a sign of misuse. If you spot anything suspicious, report it to your bank right away. It's also worth checking your credit reports every now and then to catch signs of identity theft before they snowball into bigger issues.

5) Use a personal data removal service: If scammers have targeted you once, there's a higher chance they'll try again, especially if your personal details (like your phone number, address or email) are easily found online. Data removal services scan people-search sites and brokers, then request the removal of your info. This reduces your exposure and helps prevent future phishing or social engineering attacks.

6) Contact your bank and freeze your cards: If you think you've tapped or handled a suspicious card, or if your phone acted strangely afterward, don't brush it off. Call your bank and let them know what happened. They can freeze your card to stop any unauthorized payments and issue a new one for added safety. You should also ask them to monitor your account more closely for a while. On top of that, place a fraud alert with a credit bureau so no one can easily open a new line of credit in your name.

The SuperCard X malware campaign represents a significant shift in how cybercriminals are targeting individuals and financial institutions. By exploiting NFC technology and combining it with social engineering tactics, attackers have found a way to bypass traditional fraud detection systems. What's especially concerning is how quickly these attacks unfold, making them harder to detect before the damage is done. As this threat evolves, it's important for both consumers and institutions to recognize the potential risks of these multilayered fraud strategies.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.