Skip to main content
Mallory
Back to malware
Malware

SuperCard X

SuperCard X is an Android NFC relay malware family and malware-as-a-service (MaaS) offering used to facilitate fraudulent contactless transactions. Public reporting cited in the content describes it as a barebones MaaS kit disguised as a legitimate NFC application that captures payment card data and relays it in real time for tap-to-pay fraud. It has been documented as part of the broader wave of Android NFC relay threats alongside families such as NGate, ZNFC, RelayNFC, and PhantomCard.

The malware is associated with NFC-based payment fraud workflows in which victims are socially engineered into installing a malicious Android app, granting NFC access, and tapping their payment card to the device. The captured card data is then relayed to attacker-controlled infrastructure or a second device to emulate the victim’s card at a point-of-sale terminal or ATM. Reporting in the provided content also places SuperCard X in the category of malware used for NFC theft and relay schemes enabling fraudulent contactless transactions.

According to the content, SuperCard X was uncovered in early 2025 in Italy. Additional attempted deployments were reportedly recorded in Russia in May 2025 and Brazil in August 2025. It is referenced in threat reporting covering Android tap-to-pay fraud growth from August 2024 through August 2025 and in ESET and Recorded Future reporting as an example of the rise in NFC relay malware and MaaS platforms supporting contactless payment fraud.

High-confidence details in the provided material do not include specific package names, infrastructure indicators, or code-level IOCs for SuperCard X itself.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
bleeping computerNews
Jun 8, 2026
NFCShare Android malware spreads via fake banking app updates on GitHub

Referenced as Android malware involved in NFC payment relay schemes used to abuse stolen payment card data.

Read more
cleafy labsNews
May 18, 2026
NFC Relay Goes Local: How AI Is Accelerating a New Wave of Independent Malware Developers | Cleafy

Previously documented Android NFC relay malware family referenced for comparison; noted as using an early and more detectable HCE approach with explicit financial AIDs declared in hce.xml.

Read more
the hacker newsNews
Feb 16, 2026
New ZeroDayRAT Mobile Spyware Enables Real-Time Surveillance and Data Theft

Referenced as an NFC relay malware family; NFCShare C2 was previously flagged as associated with SuperCard X activity (Nov 2025).

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Android malware-as-a-service enabling NFC relay attacks for contactless ATM/PoS fraud; campaign noted targeting Italy.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.