Russia detects first SuperCard malware attacks skimming bank data via NFC
Russian cybersecurity researchers have identified the first domestic data-stealing attacks involving a modified version of legitimate near field communication (NFC) software, in what appears to be a test run for a broader campaign.
The report involves SuperCard, a previously identified malicious variant of the legitimate NFCGate program, originally designed to relay NFC data between two devices in close proximity. Cybercriminals have long abused NFC technology in schemes to siphon funds from victims’ bank accounts.
In previous SuperCard attacks targeting European banks, hackers used compromised Android smartphones to relay data from victims’ physical payment cards to attacker-controlled devices. The stolen data was then used to carry out ATM transactions. If this method failed, the hackers resorted to transferring funds directly from the victims’ bank accounts to other accounts.
Moscow-based cybersecurity firm F6 said in its report on Tuesday that SuperCard was first deployed against Android users in Russia in May, after the malware was initially spotted in Italy in April. Italian security company Cleafy reported that the tool is distributed as malware-as-a-service (MaaS) and is offered by “Chinese-speaking” actors.
Attackers used social engineering techniques to trick victims into downloading SuperCard, disguising it as a legitimate app, F6 said. Once installed, the malware identifies which payment system — Visa, Mastercard, American Express, UnionPay or JCB — is used by the victim, allowing criminals to exploit the data for fraudulent transactions.
What sets SuperCard apart from previous NFCGate-based malware, according to researchers, is its commercial distribution strategy. For the first time, the malware has been openly marketed through Telegram channels — including Chinese-language ones — and sold via subscription plans with customer support. F6 says it was advertised as capable of targeting customers of major banks in the U.S., Australia and Europe.
F6 first observed NFCGate-based attacks — prior to SuperCard’s spread — in Russia in January. Since then, attackers have expanded their toolset with multiple modifications. In the first quarter of 2025, total losses from NFCGate variants in Russia amounted to 432 million rubles (approximately $5.5 million), with over 175,000 Android devices infected, according to F6.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.