Friday May 09, 2025

Advisory ID: NCC-CSIRT-2025-005

Summary: 

Researchers from antifraud security vendor Cleafy discovered a new wave of Android malware called "SuperCard X" that exploits Near Field Communication (NFC) technology to execute instant cash-out attacks. Once installed, this malware silently initiates unauthorised financial transactions by leveraging NFC-enabled payment services. The sophistication of this malware introduces severe risks to mobile banking, digital wallets, and the broader cashless economy.

Damage/Probability: HIGH/Critical

Product(s): Android devices with NFC capability, digital wallets (Google Pay, OEM-specific wallets), banking apps with NFC-integrated payment systems.

Version(s): All types and versions

Platform(s): Android operating system

Description: 

According to the researchers, "SuperCard X" is a Chinese-speaking malware-as-a-service (MaaS) offering. It employs a novel NFC-relay technique, enabling threat actors (TAs) to fraudulently authorize point-of-sale (POS) payments and ATM withdrawals by intercepting and relaying NFC communications from compromised devices. The malware operates by covertly activating the device's NFC functionality and triggering payment processes without the user's consent. It targets Android devices, especially those with poorly secured NFC configurations or outdated security patches. Once near a legitimate NFC payment terminal, the malware authorizes fraudulent transactions, effectively draining funds within seconds.

Consequences:  

  • Financial loss for individuals and businesses.

  • Compromise of personal and financial data.

  • Reputational damage to financial service providers.

  • Increased erosion of trust in mobile cashless transactions.

Solution: 

  • Always install the latest security patches and Android OS updates.

  • Disable NFC functionality when not in use.

  • Only install applications from trusted sources (Google Play Store) and verify app permissions.

  • Deploy reputable mobile security solutions that monitor and block NFC abuse.

  • Be vigilant about unfamiliar or excessive permissions requested by apps.
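
One way to apply the "trusted sources" and "verify app permissions" advice when triaging a device, as an added example that is not part of the original advisory: the script parses package details in the layout of `adb shell dumpsys package` and lists apps that request the NFC permission but were not installed by Google Play. The sample dump, the package names and the function names are constructed for illustration, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only
NFC_PERMISSION = "android.permission.NFC"

# Constructed, simplified excerpt in the layout of `adb shell dumpsys package`;
# real output has many more fields and varies between Android versions.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.wallet] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    installerPackageName=com.android.vending
  Package [com.example.reader] (4d5e6f):
    requested permissions:
      android.permission.NFC
    installerPackageName=null
  Package [com.example.notes] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
    installerPackageName=null
"""

def parse_packages(dump):
    """Map package name -> {"permissions": set, "installer": str or None}."""
    packages, current, in_requested = {}, None, False
    for line in map(str.strip, dump.splitlines()):
        perm = re.match(r"([\w.]+)(:.*)?$", line)  # tolerate a trailing ": ..." note
        if in_requested and perm:
            current["permissions"].add(perm.group(1))
            continue
        in_requested = current is not None and line == "requested permissions:"
        header = re.match(r"Package \[([^\]]+)\]", line)
        if header:
            current = packages[header.group(1)] = {"permissions": set(), "installer": None}
        elif current is not None and line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current["installer"] = None if value == "null" else value
    return packages

def nfc_apps_outside_trusted_store(dump):
    """Packages that request NFC and were not installed by a trusted store."""
    return sorted(
        name for name, info in parse_packages(dump).items()
        if NFC_PERMISSION in info["permissions"]
        and info["installer"] not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    print("review:", nfc_apps_outside_trusted_store(SAMPLE_DUMP))
```

Many legitimate apps request the NFC permission, so the result is a list of packages to review, not a verdict on any of them.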

References: