Bill Toulas@BleepingComputer
//
A new malware-as-a-service (MaaS) platform, called 'SuperCard X', has surfaced, targeting Android devices. This malware leverages Near-Field Communication (NFC) relay attacks to facilitate unauthorized point-of-sale (POS) and Automated Teller Machine (ATM) transactions. It operates by using compromised payment card data obtained through social engineering tactics. Victims are often lured into downloading a malicious application via SMS or phone calls, which then captures payment card data when the card is in proximity to the infected device.
This sophisticated Android-based malware is part of a fraud campaign that combines social engineering, malware distribution, and NFC data interception. The data captured is relayed in real-time through a Command and Control (C2) infrastructure to an attacker-controlled device, enabling immediate fraudulent cash withdrawals and purchases. The malware’s architecture includes two applications: “Reader” for capturing NFC card data and “Tapper” for receiving this data and performing the fraud. Communication between these apps uses HTTP over a C2 infrastructure, which employs mutual TLS (mTLS) to secure and authenticate connections. SuperCard X exhibits a low detection rate among antivirus solutions due to its narrow focus on NFC data capture and minimal permission requirements. Cleafy Threat Intelligence researchers identified code similarities between SuperCard X and the open-source NFCGate tool, as well as another Android malware called NGate. This type of attack represents a significant escalation in fraud capabilities, extending beyond the usual targets of banking institutions to directly impact payment providers and card issuers. References :
Classification:
Pierluigi Paganini@securityaffairs.com
//
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.
These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears. The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns. References :
Classification:
@The DefendOps Diaries
//
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.
Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources. References :
Classification:
|