
    NFCShare Android Malware Spreads via Fake Banking App Updates on GitHub

    By Gary Behan, 10/06/2026

    NFCShare Android malware is now being distributed through fake banking app updates hosted on GitHub, with new variants targeting customers of multiple banks and financial institutions across Europe in a campaign designed to steal payment card data via NFC.

    The malware tricks victims into holding their payment card near their phone’s near-field communication (NFC) chip by presenting a fake verification screen. Once the card is in range, NFCShare reads the data using Android’s IsoDep interface and EMV commands, harvesting the card number, card type, expiry date, and a four-digit PIN that the victim enters under the pretence of a routine security step. All of it is then exfiltrated to an attacker-controlled command-and-control (C2) server over a WebSocket channel.

    That stolen data can subsequently be used in NFC payment relay schemes, a technique already documented in connection with the NGate, SuperCard X, and RelayNFC malware families.

    How the NFCShare Android Malware Attack Chain Works

    Attacks observed starting 14 May follow a consistent pattern. A victim lands on a phishing site impersonating a legitimate bank and is prompted for their banking credentials. They are then told their banking app needs updating and redirected to a GitHub repository hosting a malicious APK file. D3Lab researchers note that SMS messages or phone calls from fake bank representatives may also be woven into the social-engineering process, as seen in comparable campaigns, though D3Lab did not observe those methods directly in this particular wave.

    The GitHub repository used to distribute the malware was created on 10 April and has hosted 56 unique APKs since then, each impersonating mobile apps for banks primarily in Italy and Spain. The list includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta.

    That targeting scope looks to have widened over time. When D3Lab first documented NFCShare in January 2026, the malware was aimed solely at Deutsche Bank customers in Germany, which may suggest a deliberate expansion of geographic and institutional targets.

    Obfuscation Tricks and the Question of Shared Origins

    One of the more technically interesting developments in recent NFCShare samples is the introduction of malformed APK packaging. The APK file is, at its core, still a ZIP archive, but newer samples include deliberately corrupted or malformed file paths within that archive. The effect is that some automated extraction tools misinterpret internal relative paths as filesystem paths and throw errors, disrupting static analysis. D3Lab is clear, however, that this trick does not block manual analysis or code recovery: it is an inconvenience for tooling, not an insurmountable barrier for a determined researcher.
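
For analysts whose tooling trips on such archives, the following added example (not from D3Lab or the original article) lists entry names that are unsafe to treat as filesystem paths, reading only the ZIP directory and never extracting. The specific checks and the sample archive are assumptions constructed for illustration; the article does not say which malformations NFCShare uses.

```python
import io
import zipfile
from pathlib import PurePosixPath


def audit_entry_name(name: str) -> list[str]:
    """Return the reasons an archive entry name is unsafe to use as a filesystem path."""
    reasons = []
    if not name:
        reasons.append("empty name")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    if ".." in PurePosixPath(name.replace("\\", "/")).parts:
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character")
    if "//" in name:
        reasons.append("empty path segment")
    return reasons


def audit_apk(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its findings without extracting anything."""
    findings: dict[str, list[str]] = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # orig_filename is the name as stored, before zipfile normalises it
                reasons = audit_entry_name(info.orig_filename)
                if reasons:
                    findings[info.orig_filename] = reasons
    except zipfile.BadZipFile as exc:
        # A directory too damaged to parse is itself a finding worth recording
        findings["<archive>"] = [f"unparseable: {exc}"]
    return findings


def build_constructed_sample() -> bytes:
    """Build an in-memory ZIP with hostile names (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
        for bad in ("/res/raw/a.bin", "../../lib/x.so", "assets//cfg.json"):
            zf.writestr(zipfile.ZipInfo(bad), b"x")
    return buf.getvalue()
```

Flagged names can then be remapped to safe relative paths inside a scratch directory before extraction, so the rest of the static-analysis pipeline runs unchanged.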

    The question of where NFCShare sits in the broader Android NFC-theft ecosystem is one D3Lab researcher Andrea Draghetti addressed directly in comments to BleepingComputer. Despite surface similarities to other Android malware that abuses NFC chips, Draghetti said NFCShare uses distinct code, libraries, architecture, and implementation details. At the same time, Draghetti acknowledged it could still represent an evolution of the same broader ecosystem, potentially driven by the same threat actors operating under a different codebase.

    That ambiguity matters for defenders. Whether NFCShare is a wholly independent family or a fork of established tooling, its operators have demonstrated they can iterate quickly: new APK variants, a widened target list, and anti-analysis packaging, all introduced within months of the malware’s first appearance.

    For Android users, the practical advice from D3Lab is straightforward. Source banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking you to hold a payment card near your phone with immediate suspicion. A bank will never ask you to scan your card through an NFC verification screen inside a freshly downloaded update.
