With fraud tactics increasingly evolving to mobile-first, app-based threats, Federico Valentini, Head of Threat Intelligence and Incident Response at fraud prevention and management company Cleafy, talks about the recent SuperCard X malware discovery, and the value to financial services organisations of tailored early threat detection.
With our growing reliance on mobile payments, the number of fraud attacks that target mobile devices has increased significantly. In the first half of 2024, the Payments Association reported a 10% increase in mobile banking fraud losses, marking a new record high since data collection began in 2015. So, when the SuperCard X malware campaign was first spotted in April 2025 in Italy, its existence wasn’t a massive surprise.
SuperCard X is a new and sophisticated Android malware that uses a novel technique to intercept near field communications (NFC) on compromised devices. It allows hackers to fraudulently authorise point of sale payments and withdrawals from ATMs. The malware is distributed through social engineering tactics: users are deceived into installing the malicious application, usually disguised as a security tool or verification utility, and then tap their payment card onto their infected phone.
This malware stands out from other attacks for several reasons. The SuperCard X approach affects payment providers and credit card issuers directly, rather than conventional targets like banking institutions. Any debit or credit card, regardless of the issuing bank, is a potential target.
By using NFC technology, fraudsters can capture the card’s chip data and use it almost immediately. The approach has been shown to be highly effective in Italy, particularly for targeting contactless ATM withdrawals. It leaves very little trace and is less detectable through conventional behavioural analysis, which typically expects fraud channels to involve bank transfers.
A symptom of a growing challenge
SuperCard X is a relatively new kid on the block, but with the rise of mobile fraud, it’s an important example. It is easy for attackers to infect devices through simple, tried and trusted social engineering tactics and the malware is hard to detect once installed. Another layer of complexity is added when multiple attack vectors are used.
SuperCard X is one of the first pieces of malware of its type to enable an NFC relay attack. Importantly, it has been shown to be highly effective in terms of payout to the attacker, both in terms of success rates and cashout value. This type of threat is only going to grow in the future.
Solving a problem like SuperCard X
Malware like SuperCard X creates challenges for fraud monitoring and highlights the growing need for alternative real-time detection capabilities.
Cleafy LABS first detected the SuperCard X malware in Italy in April 2025. It’s not the first time its threat intelligence team has detected and disrupted a zero-day malware campaign like this: in October 2024, Cleafy identified a new banking trojan, ToxicPanda.
The intelligence from Cleafy LABS is a crucial part of the next-generation fraud detection and response platform, FxDR. As well as this embedded threat intelligence, FxDR has real-time anomaly detection and full visibility into user behaviour, even before users log in to their online payment account.
There’s limited visibility into how risk is assessed with traditional fraud prevention methods. As a result, even legitimate transactions can be flagged, delayed, or blocked, often without a clear explanation, leaving both banks and customers in the dark.
With technology like Cleafy’s, risk decisions are based on a real-time, contextual view of the entire customer journey, including indicators like device integrity, session behaviour and signs of malware. Even if a one-time passcode sent by text isn’t received or entered correctly, the broader context may still indicate a trusted session. In these cases, the bank can confidently allow the transaction to proceed securely without unnecessary friction.
Better visibility, better security, better customer experience
With increasingly sophisticated fraud attacks targeting the growing use of mobile devices, it’s important that fraud detection starts long before the financial transaction does. Adopting technology that integrates the latest threat intelligence and detects subtle anomalies and advanced threats helps organisations adapt to emerging attack patterns.
Using smart fraud management and prevention technology gives financial services organisations better visibility and security, and also reduces the number of false positives, maximising the number of successful transactions while minimising the risk placed on financial institutions and their customers.
At Cleafy, we’re constantly working to help keep our customers safe from attacks like SuperCard X, without burdening them with complexity behind the scenes. This includes the data provided by the Cleafy Threat Intelligence team, which is internationally recognised for its cutting-edge research and early detection capabilities.
You can read the whole story of how Cleafy exposed the SuperCard X malware campaign.
