
NFCShare Android malware spreads via fake banking app updates on GitHub

New versions of the NFCShare Android malware are being distributed as fake updates of legitimate banking apps hosted on GitHub.

The malware has evolved and is now targeting customers of many banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.

After a fake verification screen tricks the victim into holding a payment card against the phone's Near-field Communication (NFC) reader, NFCShare reads the card through Android's IsoDep interface using standard EMV commands.


The malware collects the card number, card type, expiration date, and the 4-digit PIN the victim types in under the guise of a security check, and sends the data to the attacker's command-and-control (C2) server over a WebSocket channel.

Data collected this way can be used in NFC relay attacks to make fraudulent contactless payments or cash withdrawals, as documented for the NGate, SuperCard X, and RelayNFC campaigns.
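What the "EMV commands" step yields is BER-TLV encoded data (EMV Book 3): on Android the raw bytes come back from IsoDep.transceive(), and the card number, type and expiry are individual tags inside a record template. The following added example (not D3Lab's code or the malware's) encodes a constructed READ RECORD response with a well-known test PAN and parses those fields back out; the tag numbers are the standard EMV ones, while the record contents and the card_brand prefix table are constructed for illustration.

```python
"""Added example: decode the BER-TLV data an EMV card returns over NFC.

The record below is a constructed test value, not data captured from
NFCShare or from any real card.
"""

# Standard EMV tags (EMV Book 3, Annex A)
TAG_RECORD_TEMPLATE = b"\x70"
TAG_APP_LABEL = b"\x50"
TAG_PAN = b"\x5A"
TAG_EXPIRY = b"\x5F\x24"      # YYMMDD in BCD
TAG_PAN_SEQ = b"\x5F\x34"
SW_SUCCESS = b"\x90\x00"      # ISO 7816 status word appended by the card


def tlv_encode(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element with a definite length (up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                      # short form
    elif n < 0x100:
        length = bytes([0x81, n])                # long form, one length byte
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])  # long form, two length bytes
    return tag + length + value


def _read_tag(data: bytes, i: int):
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:          # multi-byte tag: continue while bit 8 is set
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def _read_length(data: bytes, i: int):
    first = data[i]
    i += 1
    if first < 0x80:                  # short form
        return first, i
    nbytes = first & 0x7F             # long form: count of following length bytes
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(data[i:i + nbytes], "big"), i + nbytes


def tlv_parse(data: bytes) -> dict:
    """Flatten BER-TLV into {TAG_HEX: value}, descending into constructed tags."""
    fields = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):   # inter-element padding permitted by BER
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag.hex().upper()}")
        i += length
        if tag[0] & 0x20:             # constructed tag: recurse into its value
            fields.update(tlv_parse(value))
        else:
            fields[tag.hex().upper()] = value
    return fields


def card_brand(pan: str) -> str:
    """Classify by issuer identification number (common ranges only; illustrative)."""
    if pan.startswith("4"):
        return "Visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan[:2] in ("34", "37"):
        return "American Express"
    return "Unknown"


def extract_card_data(response: bytes) -> dict:
    """Pull card number, type and expiry out of a READ RECORD response."""
    if response.endswith(SW_SUCCESS):
        response = response[:-2]                   # drop the status word
    fields = tlv_parse(response)
    pan = fields["5A"].hex().upper().rstrip("F")   # BCD digits, 'F' padding
    exp = fields["5F24"].hex()                     # YYMMDD
    return {
        "pan": pan,
        "brand": card_brand(pan),
        "expiry": f"20{exp[0:2]}-{exp[2:4]}",
        "label": fields.get("50", b"").decode("ascii", "replace"),
    }


def build_sample_record() -> bytes:
    """Constructed READ RECORD response: a Visa test PAN expiring Dec 2027."""
    inner = (
        tlv_encode(TAG_APP_LABEL, b"VISA CREDIT")
        + tlv_encode(TAG_PAN, bytes.fromhex("4111111111111111"))
        + tlv_encode(TAG_EXPIRY, bytes.fromhex("271231"))
        + tlv_encode(TAG_PAN_SEQ, b"\x00")
    )
    return tlv_encode(TAG_RECORD_TEMPLATE, inner) + SW_SUCCESS


if __name__ == "__main__":
    print(extract_card_data(build_sample_record()))
```

The point for defenders is that nothing here requires a secret: everything NFCShare reads off the card is returned in the clear to any NFC reader that sends the right EMV commands, which is why the PIN prompt is the one piece the malware has to social-engineer out of the victim.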

NFCShare social engineering screens
Source: D3Lab

NFCShare was first documented by D3Lab researchers in January 2026, who have been tracking its activity and evolution.

D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that use NFC chips to steal data, NFCShare uses different code, libraries, architecture, and implementation details.

Draghetti noted, however, that it could still be the evolution of the same ecosystem, driven by the same threat actors.

The latest NFCShare campaign, observed since May 14, begins with the victim landing on a phishing site that impersonates a real bank and asks for their banking details.

Victims are then prompted to update their banking app and redirected to a GitHub directory that hosts the malicious APK file.

A malicious GitHub repository
Source: D3Lab

Researchers note that SMS messages or phone calls from fake bank representatives can also be part of the social engineering, as seen in similar attacks, although D3Lab did not directly observe these methods in this campaign.

Since its creation on April 10, the GitHub repository used to distribute NFCShare has hosted 56 different APKs impersonating banking and payment apps, primarily from Italy and Spain:

  • Intesa Carte.apk
  • Sella Carte.apk
  • Banca Sella Carte.apk
  • Nexi Carte.apk
  • Fideuram Carte.apk
  • Mooney Carte.apk
  • CaixaBank.apk
  • CaixaBankNfc.apk
  • CaixaReactivaTarjeta.apk

In January, D3Lab reported that the malware targeted only Germany's Deutsche Bank, which shows how far the campaign's targeting has expanded since.

One notable feature of the new version is the use of deliberately malformed APK packaging intended to hinder automated analysis and possibly security tools.

The APK is still a ZIP archive, but the new samples contain hostile file paths as entry names, which cause some extraction tools to interpret those internal names as file-system paths and fail with errors.

D3Lab notes, however, that this technique does not prevent manual analysis or recovery of the code; it only interferes with static analysis in certain tools.
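The packaging trick works because a ZIP entry name is just a string, and a tool that turns it into a file-system path without checking will either error out or write somewhere it should not. The following added example (not D3Lab's tooling and not code from the malware) shows the triage step a practitioner would put in front of any extractor: flag entry names shaped like file-system paths, and extract only the clean ones. The hostile names in the constructed sample archive (parent-directory traversal, an absolute path, a Windows drive letter) are assumptions for illustration; the write-up does not publish the entry names NFCShare actually uses.

```python
"""Added example: triage APK/ZIP entry names before extraction.

The sample archive is constructed here for illustration; it is not an
NFCShare APK, and the hostile entry names are assumed, not reported ones.
"""
import io
import os
import re
import tempfile
import zipfile

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def classify_name(name: str) -> list:
    """Return the reasons an entry name could be misread as a file-system path."""
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if DRIVE_LETTER.match(name):
        reasons.append("drive letter")
    if "\\" in name:
        reasons.append("backslash separator")
    if ".." in re.split(r"[\\/]", name):
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 for c in name):
        reasons.append("control character")
    return reasons


def suspicious_entries(apk_bytes: bytes) -> dict:
    """Map each flagged entry name to the list of reasons it was flagged."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    return {n: classify_name(n) for n in names if classify_name(n)}


def safe_extract(apk_bytes: bytes, dest: str) -> list:
    """Extract only clean file entries that resolve inside dest; skip the rest."""
    root = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if classify_name(name) or info.is_dir():
                continue                           # report, do not "fix", hostile names
            parts = [p for p in name.split("/") if p not in ("", ".")]
            if not parts:
                continue
            target = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, target]) != root:   # belt and braces
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(z.read(info))
            extracted.append(os.path.relpath(target, root))
    return sorted(extracted)


def build_hostile_apk() -> bytes:
    """Constructed sample: two normal APK entries plus path-shaped entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("../../../../tmp/evil.txt", b"traversal")      # assumed hostile name
        z.writestr("/etc/passwd", b"absolute")                    # assumed hostile name
        z.writestr("C:\\Windows\\x.dll", b"drive letter")         # assumed hostile name
    return buf.getvalue()


def demo() -> dict:
    """Scan the constructed archive, then extract it into a scratch directory."""
    apk = build_hostile_apk()
    with tempfile.TemporaryDirectory() as d:
        extracted = safe_extract(apk, d)
    return {"flagged": suspicious_entries(apk), "extracted": extracted}


if __name__ == "__main__":
    result = demo()
    for name, reasons in result["flagged"].items():
        print(f"{name!r}: {', '.join(reasons)}")
    print("extracted:", result["extracted"])
```

Python's own ZipFile.extractall() would quietly strip leading separators and drop ".." components from such names; the example deliberately skips and reports them instead, because an entry name that only makes sense as a file-system path is itself an indicator worth recording before the sample goes into a decompiler.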

Android users are advised to install banking apps only from Google Play, keep Play Protect enabled, and treat any "verification request" that asks them to tap a payment card against the phone as a red flag.
