VMX Labs has been systematically monitoring the adversary associated with the NFC fraud operation in Italy. We have identified indicators of a fraudulent card suspension scheme that relies on NFC relay malware and 3 specific NFC relay tools: SuperCard X, TX-NFC (YH-NFC), and TapPay.
The recent threat intelligence report regarding SuperCard X has effectively unveiled 1 of the 3 malware threats within this adversary’s arsenal. In light of this disclosure, we anticipate that the threat actor will begin utilizing the remaining two NFC relay malware families, potentially targeting bank customers in its primary target regions: Italy and Spain.
Initially, we identified the following applications within the adversary’s infrastructure, which included the preliminary Verifica Carta malware samples generated by repackaging the original SuperCard X application.
| App Name | Filename | Package ID |
|---|---|---|
| SuperCard X | cccccc.apk | io.dxpay.remotenfc.supercard |
| CYH发送 | card.apk | com.bobby.nfccardscanner |
| TapScan | CARTA1.apk | com.dream.remotenfc |
| Verifica Carta | app1.apk | io.dxpay.remotenfc.supercard1 |
| Verifica Carta | Carta.apk | io.dxpay.remotenfc.supercard11 |
Table 1: Initial Findings
Our analysis identified subsequent distribution websites associated with two Verifica Carta malware variants, which were modified versions of SuperCard X. Among the 3 malware options, SuperCard X was the preferred choice.
| App Name | Filename | Package ID |
|---|---|---|
| Verifica Carta | VerificaCarta.apk | io.dxpay.remotenfc.supercard11 |
| Verifica Carta | Verifica.apk | io.dxpay.remotenfc.supercard11 |
Table 2: Samples in distribution
TX-NFC & TapPay malware
Chinese Malware-as-a-Service (MaaS) solutions for NFC relay fraud (a.k.a. Ghost Tap)
Our investigation has linked the CYH发送 (CYH-Send) Android application to a highly active Telegram channel with a membership exceeding 20,000 users.
The application was recently rebranded from YH-NFC to TX-NFC. TX-NFC offers 4 subscription tiers, priced at $59 per day, $159 for three days, $239 per week, and $599 monthly, making it readily accessible to cybercriminals. All subscription packages include 24-hour availability and customer support, promising compatibility across most Android devices.
The TX-NFC malware samples are packed with Jiagu 360, an infamous Chinese packer, to evade detection and protect against analysis. However, some antivirus (AV) companies automatically mark Jiagu-packed applications as potentially unwanted programs (PUPs).
The TapPay Android application is also distributed via Telegram within a smaller community of over 200 members.
Its subscription pricing structure—$15 for 3 hours, $35 per day, $150 per week, $260 for 15 days, and $360 per month—further enhances its accessibility for illicit activities. It provides discounted pricing for multiple account subscriptions and offers exclusive server access at a premium rate. The TapPay malware samples are packed with Bangcle (SecShell) packer.
Our research suggests that SuperCard X malware was preferred for its ease of repackaging. Unlike the other two NFC-relay malware variants, SuperCard X lacked protective mechanisms.
The remaining 2 malware samples are protected by basic packers, which are known to be ineffective and can be unpacked. Now that SuperCard X has been exposed, the threat actor will likely pivot to deploying the other 2 malware variants.
Video 1: TX-NFC (YH-NFC) promotion video
Indicator of Compromise (IOC) List
| Indicator | Type | Description |
|---|---|---|
| 3f39044c146a9068d1a125e1fe7ffc3f2e029593b75610ef24611aadc0dec2de | SHA256 | cccccc.apk [original:SuperCard_Card_Reader.apk] |
| api.payforce-x.com | Domain | Cccccc’s C2 |
| c741047bebd677db945ddb204629fe12d8112dac52dfd8010057aab6314d42c1 | SHA256 | card.apk [original:CYH版本2-料方.apk] |
| syhcyh.com | Domain | Card’s C2 |
| a3dc07ba191eb5f98682b01018ac42074868ba6fa6876e09083f1f3b574844d8 | SHA256 | CARTA1.apk [original:TapPay-料方-至尊版.apk] |
| 178.157.63.209:49999 | IP:PORT | CARTA1’s C2 |
| b7bd2167da0059bbb3e96325c7a36393b3cccdcf628c5d8c6639ef0274e341ab | SHA256 | app1.apk |
| api.kingcardnfc.com | Domain | App1’s C2 |
| 28bbdf5d51a8bce4b97ad1824116dff81f7e99aabf1cc63f816aedb57e9205fd | SHA256 | Carta.apk |
| api.kingcardnfc.com | Domain | Carta’s C2 |
| 4173b189e537b66cbb1ba62e67e095fa755db97b00904055153d0bf0ae545224 | SHA256 | VerificaCarta.apk |
| api.kingcardnfc.com | Domain | VerificaCarta’s C2 |
| 2c6b914f9e27482152f704d3baea6c8030da859c9f5807be4e615680f93563a0 | SHA256 | Verifica.apk |
| api.kingcardnfc.com | Domain | Verifica’s C2 |
| 282156d15c07da7aecf15fb7d1744a1283e8a3f5bb055815ba8108ede0ace588 | SHA256 | TX-NFC-C.apk |
| txnfc.com | Domain | TX-NFC-C’s C2 |
| yhnfc.com | Domain | YH-NFC’s C2 |
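A defender-side triage routine built from the IOC table and the packer observations above (Jiagu 360 for TX-NFC, Bangcle SecShell for TapPay). This is an added example, not VMX Labs code: it hashes an APK, matches the digest against the report's SHA256 indicators, and flags packer stubs from the zip listing. The native-library names used as packer hints are an assumption drawn from common APK-analysis practice, not values the report lists; the sample APK is a constructed zip, not a real malware file.

```python
import hashlib
import io
import zipfile

# SHA256 indicators copied from the IOC table above (page values).
IOC_SHA256 = {
    "3f39044c146a9068d1a125e1fe7ffc3f2e029593b75610ef24611aadc0dec2de": "cccccc.apk (SuperCard X)",
    "c741047bebd677db945ddb204629fe12d8112dac52dfd8010057aab6314d42c1": "card.apk (TX-NFC / CYH)",
    "a3dc07ba191eb5f98682b01018ac42074868ba6fa6876e09083f1f3b574844d8": "CARTA1.apk (TapPay)",
}

# Native-library names that Jiagu 360 and Bangcle SecShell stubs typically drop
# under lib/<abi>/. Assumption from public APK-analysis tooling, not from the
# report; extend with names seen in your own sample corpus.
PACKER_LIBS = {
    "Jiagu 360": ("libjiagu.so", "libjiagu_x86.so"),
    "Bangcle (SecShell)": ("libSecShell.so", "libsecexe.so", "libsecmain.so"),
}


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the file's SHA256, any IOC hit, and packer hints from the zip listing."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    # Only look at basenames inside lib/ so a stray asset with a similar name is ignored.
    lib_basenames = {n.rsplit("/", 1)[-1] for n in names if n.startswith("lib/")}
    packers = [p for p, libs in PACKER_LIBS.items() if lib_basenames.intersection(libs)]
    return {"sha256": digest, "ioc": IOC_SHA256.get(digest), "packers": packers}


def build_sample_apk(lib_names) -> bytes:
    """Constructed zip mimicking an APK layout; stands in for a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        for lib in lib_names:
            zf.writestr(f"lib/arm64-v8a/{lib}", b"\x7fELF")  # placeholder, not a real library
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(["libjiagu.so"])))
```

A real deployment would replace `IOC_SHA256` with a feed of the full indicator list and add package-ID checks (for example the `io.dxpay.remotenfc.supercard*` repackaging pattern in Tables 1 and 2) once the manifest has been decoded.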