DigiBanker

Bringing you cutting-edge new technologies and disruptive financial innovations.

“SuperCard X” mobile malware campaign uses a multi-stage approach comprising social engineering via smishing and phone calls, PIN elicitation, malicious app installation and real-time NFC data interception to steal payment card data through POS systems

April 29, 2025 //  by Finnovate

A sophisticated mobile malware campaign using a new NFC-relay technique to steal payment card data has been uncovered by security researchers. Named “SuperCard X,” the Android malware operates under a Malware-as-a-Service (MaaS) model and enables fraudsters to carry out unauthorized transactions through Point-of-Sale (POS) systems and ATMs.

According to the Cleafy Threat Intelligence team, which discovered the threat, victims are deceived through smishing campaigns and phone calls into installing a malicious app disguised as a security tool. Once installed, the malware silently captures NFC data when a card is tapped on the compromised device.

What makes this campaign particularly dangerous is its multi-stage approach, comprising:

  • Social engineering via smishing and phone calls
  • PIN elicitation and card limit removal
  • Malicious app installation
  • Real-time NFC data interception
  • Instant fraudulent cash-outs

The SuperCard X malware remains largely undetected by antivirus software, partly due to its minimal permission requests and focused design. Once a victim’s card data is captured, it is transmitted in real time to a second device controlled by the attacker, which then emulates the card for immediate withdrawals or purchases. This bypasses traditional fraud detection systems that rely on transaction delays.

The malware architecture includes two applications: “Reader,” which collects NFC data from victims, and “Tapper,” which fraudsters use to emulate the stolen card. Communication between the two is secured via mutual TLS, ensuring encrypted and authenticated relay of stolen data.

“While this type of attack relies on relatively simple social engineering techniques, it proves to be highly effective – both in terms of success rate and cashout efficiency,” Cleafy warned.

Category: Members, Cybersecurity, Innovation Topics


Copyright © 2025 Finnovate Research · All Rights Reserved · Privacy Policy