CyberSecurity news

FlagThis - #androidmalware

Bill Toulas@BleepingComputer //
A new malware-as-a-service (MaaS) platform, called 'SuperCard X', has surfaced, targeting Android devices. This malware leverages Near-Field Communication (NFC) relay attacks to facilitate unauthorized point-of-sale (POS) and Automated Teller Machine (ATM) transactions. It operates by using compromised payment card data obtained through social engineering tactics. Victims are often lured into downloading a malicious application via SMS or phone calls, which then captures payment card data when the card is in proximity to the infected device.

This sophisticated Android-based malware is part of a fraud campaign that combines social engineering, malware distribution, and NFC data interception. The data captured is relayed in real time through a Command and Control (C2) infrastructure to an attacker-controlled device, enabling immediate fraudulent cash withdrawals and purchases. The malware’s architecture includes two applications: “Reader” for capturing NFC card data and “Tapper” for receiving this data and performing the fraud. Communication between these apps uses HTTP over a C2 infrastructure, which employs mutual TLS (mTLS) to secure and authenticate connections.

SuperCard X exhibits a low detection rate among antivirus solutions due to its narrow focus on NFC data capture and minimal permission requirements. Cleafy Threat Intelligence researchers identified code similarities between SuperCard X and the open-source NFCGate tool, as well as another Android malware called NGate. This type of attack represents a significant escalation in fraud capabilities, extending beyond the usual targets of banking institutions to directly impact payment providers and card issuers.



References :
  • gbhackers.com: New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • BleepingComputer: A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data.
  • The DefendOps Diaries: Explore SuperCard X, a sophisticated mobile malware using NFC relay attacks and minimal permissions to evade detection.
  • Cyber Security News: New Android SuperCard X Malware Employs NFC-Relay Technique for Fraudulent POS & ATM Withdrawals
  • BleepingComputer: New Android malware steals your credit cards for NFC relay attacks
  • www.cleafy.com: Cleafy Labs reports SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
  • Secure Bulletin: SuperCard X: exposing a MaaS for NFC Relay fraud operation
  • bsky.app: Talkback Threat Summary for Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions
  • securityaffairs.com: New sophisticated malware SuperCard X targets Androids via NFC relay attacks
  • The Hacker News: SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks
  • www.scworld.com: Novel SuperCard X MaaS platform leveraged for payment card compromise
  • ciso2ciso.com: New sophisticated malware SuperCard X targets Androids via NFC relay attacks – Source: securityaffairs.com
Classification:
  • HashTags: #AndroidMalware #NFCrelay #FinancialFraud
  • Company: Cleafy
  • Target: Android users
  • Product: Android
  • Feature: NFC relay attacks
  • Malware: SuperCard X
  • Type: Malware
  • Severity: Major
Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.



References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
@The DefendOps Diaries //
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, which indicates a compromised supply chain, and urge users to exercise caution and purchase Android devices from reputable sources.



References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware
  • Sam Bent: Triada Malware Preloaded on Counterfeit Androids Hijacks 2,600+ Devices for Crypto Theft and Espionage
  • www.scworld.com: Updated Triada trojan compromises thousands of Android devices
  • securityaffairs.com: New Triada Trojan comes preinstalled on Android devices
  • The Hacker News: Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
  • Cyber Security News: Triada Malware Infects Android Devices to Manipulate Phone Numbers During Calls
  • Cyber Security News: New Triada Malware Attacking Android Devices to Replace Phone Numbers During Calls
  • www.techradar.com: Dodgy Android smartphones are being preloaded with Triada malware