New Android Warning — This TOAD Malware Attack Steals Cash From ATMs

Forbes

22-04-2025

Android SuperCard X TOAD attack puts ATM and PoS transactions at risk.
Most Android malware is after one thing: your passwords. That's just the way it is these days, with infostealer malware firmly at the top of the cyber attack tree. Some attacks can lead directly to attacks on your bank balance, as recently detailed in a new report warning of smartphone PIN code threats. Now, it would seem, one group of threat actors has moved things up a gear or two with a complex campaign involving Android malware, a telephone-oriented attack delivery methodology, and, ultimately, the theft of your cash from ATMs.Welcome to the weird and worrying world of SuperCard X TOAD attacks.
Threat intelligence experts Federico Valentini‍, Alessandro Strino and Michele Roviello, from fraud detection platform Cleafy, have reported how a 'new and sophisticated Android malware campaign' called SuperCard X is intercepting and relaying near field communication messages from compromised devices to facilitate fraudulent ATM cash withdrawals. Yes, really. This malware can steal cash from ATMs.
'The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards,' the researchers said, adding that it has demonstrated high success rates when targeting contactless ATM withdrawals.
The attack execution begins with, you guessed it, targeting social engineering tactics. The phishing messages, typically delivered by way of SMS or WhatsApp, use brand impersonation to leverage trust and add the necessary urgency to the fraud. By alerting victims to a suspicious outgoing payment, which is purported to be a bank fraud security alert, the user is prompted to call a support telephone number as a matter of some urgency. This is where the TOAD enters the equation. A telephone-oriented attack delivery allows the fraudsters to manipulate victims directly during phone conversations.
In the case of SuperCard X attacks, that manipulation flows as follows:
The clever bit, assuming all of that social engineering has been successful, is that those card details are relayed in real-time to a second, attacker-controlled Android phone, used to make the contactless ATM withdrawals.
If this threat expands, Randolph Barr, chief information security officer at Cequence, told me, it will likely be due to users falling victim to social engineering and being convinced to disable built-in security protections. Obviously, that's a massive red flag, as no legitimate organization would ever ask you to do such a thing. 'This attack highlights the importance of understanding what an app does before installing or sideloading it,' Barr said while advising that Google Play offers protections against such malicious apps and should be used rather than introducing the risk of sideloading applications from other sources. 'There are ways to recognize and prevent TOAD-style attacks,' Barr concluded, suggesting that validating the legitimacy of any such request before acting on it is a great starting point.
A Google spokesperson confirmed this advice in a statement: 'Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services.'