Federico Valentini, Head of Threat Intelligence and Incident Response at Cleafy
As our reliance on mobile payments grows, so does the number of mobile fraud attacks. The Payments Association reported a 10% rise in mobile banking fraud losses in the first half of last year – it’s now at the highest number since their records began in 2015.
This has created a significant challenge for financial services institutions. Last year, banks reimbursed £276 million to customers affected by Authorised Push Payment (APP) scams, in which people are tricked into transferring money to fraudsters.
Mobile banking fraud threat is changing
As we get better at detecting fraud and scams, attackers are upgrading the techniques they employ. So it wasn’t a great surprise when a new malware campaign called SuperCard X appeared in Italy, in April 2025.
Traditional fraud attack approaches rely heavily on social engineering, such as phishing, which convinces people to click on links they expect to be safe, or website spoofing, where users disclose their financial details into a fake but convincing replica website.
However, SuperCard X uses a novel technique, intercepting near field communications (NFC) on compromised devices. It uses social engineering to convince users to install a malicious app which then allows hackers to fraudulently authorise point of sale payments and withdrawals from ATMs.
It’s creating a significant financial risk that extends beyond the traditional targets of banking institutions, to also directly affect payment providers and credit card issuers.
Traditional defences are failing
All malware is generally built from existing software that’s passed around for profit, and SuperCard X is no exception. Initial analysis suggests that it leverages an existing Chinese Malware-as-a-Service (MaaS) platform – and that elements of SuperCard X are already being detected in other malwares.
But SuperCard X is different to the current generation of well-known malwares, with its NFC relay technique representing a significant new hacker capability. It’s an approach that has delivered significant financial reward for the hackers employing it, which means that we’re likely to see much more of this type of threat in the future.
Unfortunately, SuperCard X currently has a very low detection rate amongst antivirus solutions – a low fingerprinting profile. This is because it uses a very narrow range of mobile functionality and, as a result, it uses only standard Android app permissions.
SuperCard X’s use of multiple attack vectors – social engineering, app installation and NFC data collection – also reduces the effectiveness of traditional detection methods.
Better visibility can reduce fraud and friction
With increasing sophisticated fraud attacks like SuperCard X, it’s important that fraud detection starts long before the financial transaction does, and continues throughout the whole user journey.
Many traditional fraud prevention methods operate at the perimeter, and offer limited protection once a session has been successfully authenticated.
In addition, techniques such as aggregated risk scores don’t give visibility into how the risk is assessed, meaning even legitimate transactions can be blocked, often without an explanation, leaving customers and banks in the dark.
It’s why many financial businesses are now investigating new approaches to fraud, turning instead to solutions that provide risk decisions based on a real-time, contextual view of the entire customer journey, using indicators like device integrity, session behaviour, and other signs of malware.
As well as improving fraud detection rates, this approach also improves the user experience. For example, even if a passcode is incorrectly entered, the broader context may still show the session can be trusted, allowing it to proceed securely, preventing the customer from experiencing unnecessary restrictions.
New attacks need new defences
With increasingly sophisticated fraud techniques targeting the growing use of mobile devices for financial transactions, it’s important that our fraud detection and prevention approaches adapt too.
With better visibility comes better security. Customers can continue to transact successfully while also being kept safe from fraud attacks, and financial institutions can significantly reduce the loss and risk associated with mobile banking fraud.
