
New Android malware exploits NFC to steal funds instantly
Security experts have raised concerns following the emergence of a new Malware as a Service (MaaS) platform, dubbed "Supercard X," which is actively targeting Android devices by exploiting Near Field Communication (NFC) technologies.
This platform, researchers say, allows illicit actors to instantly access stolen funds, circumventing more traditional fraud detection mechanisms that typically monitor bank transfers.
Supercard X leverages NFC capabilities in smartphones, which are commonly used to facilitate contactless payments by interacting with nearby objects such as payment cards. Industry observers warn that the mechanism by which Supercard X operates could enable cybercriminals to steal money in ways that are harder to track and block compared to historically recognised fraud routes.
Randolph Barr, Chief Information Security Officer at Cequence, said: "Most of these attacks are currently geo-specific, with early signs pointing to a regional focus. If this threat expands, it will likely be due to users falling victim to social engineering and being convinced to disable built-in security protections—a clear red flag. No legitimate company should ever ask you to lower or remove the security settings on your device."
Cybersecurity analysts identify Asia as a potential hotspot for these threats, given the high proliferation of Android devices in the region.
"There's a particularly high concentration of Android users across Asia, which may increase the risk in that region. This attack highlights the importance of understanding what an app does before installing or sideloading it," according to Barr.
While the threat remains primarily regional at present, experts emphasise the risk of a broader outbreak if users are not vigilant.
The ability of Android devices to 'sideload' apps—that is, to install applications from outside the official Google Play Store—has long been seen as both a benefit and a security liability.
On the one hand, it provides openness and flexibility to users and developers; on the other hand, it exposes unsuspecting users to potentially harmful software.
Google Play implements several protections, such as app scanning and enforcement of developer policies, to help prevent malicious applications from reaching mainstream users.
However, these safeguards can be bypassed when users download apps from unofficial sources—often at the urging of sophisticated social engineering campaigns.
Barr contrasts the Android ecosystem with Apple's iOS, which imposes stricter controls around NFC functionality and software installation.
"In contrast, iOS devices implement tighter restrictions, particularly around NFC access. While some consider that a limitation, from a security standpoint, it's a valuable control that helps prevent attacks like these," he stated. Such an architecture is designed to reduce the risk of arbitrary software gaining access to sensitive device features.
The cybersecurity community advises all smartphone users to remain vigilant for signs of social engineering—attempts by attackers to trick victims into compromising device security.
"Ultimately, there are ways to recognize and prevent TOAD-style attacks. Android users should become more familiar with social engineering red flags—sometimes it's as simple as validating the legitimacy of a request before acting on it," Barr added. TOAD, or Telephone-Oriented Attack Delivery, refers to tactics that seek to socially manipulate targets, commonly via calls or messages, into taking unsafe actions.
In the wake of the Supercard X revelations, cybersecurity professionals urge consumers to never disable device security settings at the prompting of third parties, regularly update their software, and scrutinise all app installation requests. As the line between personal finance and digital access continues to blur, maintaining strict security hygiene remains a crucial defence against emerging threats.