Scammers are always coming up with new tricks. Just when you start feeling confident about spotting phishing emails, suspicious links and fake banking apps, they find a new angle. Lately, they have been getting more creative, turning to the built-in features of our phones to pull off their schemes. One of the latest targets is NFC, the technology behind tap-to-pay.
It might seem harmless, but a new scam is using it in ways most people would never expect. An Android malware called SuperCard goes beyond just stealing your card details. It gives attackers the ability to use your card remotely for real transactions. And the worst part is that it all begins with something as simple as a text message.
Join the FREE "CyberGuy Report": Get my expert tech tips, critical security alerts and exclusive deals, plus instant access to my free "Ultimate Scam Survival Guide" when you sign up!
SuperCard X stands out from other Android malware because of how it operates. As reported by researchers at Cleafy, instead of stealing usernames, passwords or verification codes, it uses a method called NFC relay. This allows attackers to copy card data from a victim's device in real time and use it elsewhere to make payments or withdraw cash. The process does not require physical access to the card or knowledge of the PIN.
The malware is offered through a Malware-as-a-Service model, which means different cybercriminals can use it in their own regions. This makes the threat more scalable and harder to contain. Unlike most banking trojans, SuperCard X is not focused on one specific institution. It targets any cardholder regardless of which bank issued their card.
Another key difference is how stealthy the malware is. It uses minimal permissions and does not include extra features that would make it easier to detect. This lean approach helps it avoid detection by antivirus software and allows it to operate quietly on infected devices.
200 MILLION SOCIAL MEDIA RECORDS LEAKED IN MAJOR X DATA BREACH
The fraud begins with a message sent through SMS or WhatsApp. It pretends to be from a bank and warns the recipient about a suspicious transaction. The message includes a phone number and urges the person to call to resolve the issue. This is the first step in gaining the victim's trust.
Once on the phone, the attacker poses as a bank representative and walks the victim through a fake security process. This may include asking them to confirm personal details or adjust settings in their mobile banking app, such as removing spending limits on their card.
Next, the attacker asks the victim to install a mobile app that is described as a tool to verify the account or enhance security. In reality, this app contains the SuperCard X malware. After the installation, the attacker instructs the victim to tap their card against the phone. The malware then captures the NFC data from the card and sends it to a second phone controlled by the attacker.
Using the copied data, the attacker can make contactless payments or make ATM withdrawals almost instantly. This method allows them to steal funds quickly and leaves little opportunity for banks or victims to intervene in time.
MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT
1) Be cautious of suspicious texts and calls. Use strong antivirus software: Fraudulent campaigns often begin with an SMS or call that seems to come from your bank. These messages usually claim there's suspicious activity on your account and urge you to click a link or dial a number to resolve the issue. However, this is a tactic used to gain access to your personal information. Always approach such messages with skepticism.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
2) Avoid installing apps from untrusted sources: One of the key ways malware like SuperCard X spreads is through deceptive apps that victims are persuaded to install. These apps often look harmless, posing as tools for security or account verification. If you receive a link to download an app via SMS, email or messaging apps like WhatsApp, do not click on it. Instead, only download apps from trusted sources, such as the Google Play Store. Additionally, carefully review app permissions and avoid granting unnecessary access, particularly to sensitive data like NFC, location or personal contacts.
3) Turn off NFC when not in use: NFC, or Near Field Communication, is a useful feature that allows contactless payments and data exchanges. However, it can be exploited by attackers to capture your card information without you even realizing it. To minimize your risk of falling victim to NFC-based malware like SuperCard X, turn off NFC when you're not actively using it.
On most Android devices, you can do this by going to "Settings," then "Connected Devices" or "Connection Preferences," where you'll find the NFC toggle. By disabling NFC, your phone won't transmit data wirelessly, which helps protect your payment card information from being stolen by nearby attackers.
4) Keep a close eye on your bank accounts and cards: If your device has come into contact with the SuperCard or anything similar, it's possible your banking details are already compromised. That's why it's important to regularly check your transaction history for anything odd, like a small payment you don't remember making or a charge from a strange location could be a sign of misuse. If you spot anything suspicious, report it to your bank right away. It's also worth checking your credit reports every now and then to catch signs of identity theft before they snowball into bigger issues.
5) Use a personal data removal service: If scammers have targeted you once, there's a higher chance they'll try again, especially if your personal details (like your phone number, address or email) are easily found online. Data removal services scan people-search sites and brokers, then request the removal of your info. This reduces your exposure and helps prevent future phishing or social engineering attacks.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here.
6) Contact your bank and freeze your cards: If you think you've tapped or handled a suspicious card, or if your phone acted strangely afterward, don't brush it off. Call your bank and let them know what happened. They can freeze your card to stop any unauthorized payments and issue a new one for added safety. You should also ask them to monitor your account more closely for a while. On top of that, place a fraud alert with a credit bureau so no one can easily open a new line of credit in your name.
7) Consider enrolling in identity theft protection services: If you've been targeted by a sophisticated scam like SuperCard X, there's a chance your personal information, not just your card data, may be at risk. Identity theft companies can monitor personal information, like your Social Security number, phone number and email address, and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best picks on how to protect yourself from identity theft.
8) Report the scam to your national cybercrime authority: Whether or not you lost money, reporting the scam helps authorities track emerging threats and warn others. You can report such fraud to the FBI's Internet Crime Complaint Center or the Federal Trade Commission. Your report could help catch the people behind the scam or at least shut down their infrastructure.
HOW SECURE IS MY PASSWORD? USE THIS TEST TO FIND OUT
The SuperCard X malware campaign represents a significant shift in how cybercriminals are targeting individuals and financial institutions. By exploiting NFC technology and combining it with social engineering tactics, attackers have found a way to bypass traditional fraud detection systems. What's especially concerning is how quickly these attacks unfold, making them harder to detect before the damage is done. As this threat evolves, it's important for both consumers and institutions to recognize the potential risks of these multilayered fraud strategies.
Do you think Google is doing enough to protect you from malware? Let us know by writing us at Cyberguy.com/Contact.
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
Ask Kurt a question or let us know what stories you'd like us to cover.
Follow Kurt on his social channels:
Answers to the most-asked CyberGuy questions:
New from Kurt:
Copyright 2025 CyberGuy.com. All rights reserved.
