    NFCShare Android Malware Attacks Spread via Fake Banking App Updates on GitHub

    By Gary Behan | 11/06/2026

    NFCShare Android malware attacks are expanding across Europe, with new variants distributed as counterfeit updates to legitimate banking apps hosted on GitHub, a campaign designed to silently steal payment card data via the NFC chips built into victims’ own phones.

    How the NFCShare Android Malware Attacks Work

    The attack chain begins when a victim lands on a phishing site impersonating a real bank and hands over their banking credentials. They are then urged to install an update to their banking app, and redirected to a GitHub repository serving a malicious APK file. D3Lab researchers observed this sequence starting from 14 May. SMS messages or phone calls from fake bank representatives may also form part of the social-engineering process, as seen in similar campaigns, though D3Lab researchers did not observe those methods directly in this wave.

    Once installed, the malware presents what looks like a card-verification screen. According to CyberPress, this screen is built from a local HTML and JavaScript interface loaded inside a WebView, a technique that lends it a convincing, browser-like appearance inside the app. The victim is prompted to hold their payment card near the device’s NFC chip.

    From there, NFCShare reads card data using Android’s IsoDep interface and EMV commands, harvesting the card number, card type, expiry date, and a four-digit PIN the victim enters under the pretence of a security step. All of it is exfiltrated to an attacker-controlled command-and-control (C2) server over a WebSocket channel. That combination of card data and PIN is precisely what’s needed to conduct NFC payment relay attacks, the same approach documented in the NGate, SuperCard X, and RelayNFC malware families.

    56 Fake APKs, Mostly Targeting Italian and Spanish Banks

    The GitHub repository used to distribute NFCShare was created on 10 April and has, since then, hosted 56 unique APKs impersonating mobile apps for banks primarily in Italy and Spain. The list includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta.

    The malware’s targeting scope appears to have widened considerably. When D3Lab first documented NFCShare in January 2026, it was targeting only Deutsche Bank customers in Germany. The shift to multiple Italian and Spanish institutions suggests a deliberate expansion, though D3Lab researcher Andrea Draghetti noted that the full picture of who is operating it is not yet clear.

    Despite surface similarities to other Android NFC-exploiting malware, Draghetti told BleepingComputer that NFCShare uses distinct code, libraries, architecture, and implementation details. He acknowledged, however, that it could still be an evolution of the same ecosystem, driven by the same threat actors as those behind related families.

    One technical wrinkle in the newer samples is worth noting. The APK files, which are standard ZIP archives under the hood, now include malformed or poisoned file paths within the archive. Some extraction tools misinterpret those internal relative paths as filesystem paths and throw errors, disrupting automated static analysis. D3Lab is clear that this trick does not prevent manual analysis or code recovery: it is an inconvenience for tooling, not an impenetrable wall. It does, however, raise the barrier for quick automated triage.
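For analysts whose tooling trips on such archives, the following added example (not code from D3Lab or from the original article) shows a triage approach that never treats entry names as filesystem paths: it reads each entry into memory and flags names that would break or mislead a naive extractor. The specific checks and the sample archive are assumptions made for illustration; the article does not say which malformations the NFCShare samples use.

```python
import io
import zipfile

MAX_COMPONENT_BYTES = 255  # assumed per-component filename limit on common filesystems


def classify_entry(name):
    """Return the reasons an archive entry name is unsafe to use as a filesystem path."""
    issues = []
    parts = name.split("/")
    if name.startswith("/"):
        issues.append("absolute")
    if ".." in parts:
        issues.append("traversal")
    if "\\" in name:
        issues.append("backslash")
    if any(ord(ch) < 0x20 for ch in name):
        issues.append("control-char")
    if any(len(p.encode("utf-8")) > MAX_COMPONENT_BYTES for p in parts):
        issues.append("component-too-long")
    return issues


def triage_apk(data):
    """Read every entry into memory, keyed by archive name; nothing is written to disk."""
    contents, flagged = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            issues = classify_entry(info.filename)
            if issues:
                flagged[info.filename] = issues
            if not info.is_dir():
                contents[info.filename] = zf.read(info)
    return contents, flagged


def build_sample():
    """Constructed stand-in for an APK; names and bytes are invented for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("../../res/evil.bin", b"x")
        zf.writestr("/assets/index.html", b"<html></html>")
        zf.writestr("assets/" + "A" * 300 + ".js", b"//")
    return buf.getvalue()


if __name__ == "__main__":
    contents, flagged = triage_apk(build_sample())
    for name, issues in flagged.items():
        print(f"{name[:40]!r}: {', '.join(issues)} ({len(contents[name])} bytes recovered)")
```

Because the contents are keyed by the raw archive name, downstream analysis can hash or parse flagged entries without ever resolving their paths, and the flag list itself is a useful triage signal.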

    What Android Users Should Do

    The advice from researchers is straightforward. Only install banking apps from Google Play, keep Play Protect enabled, and treat any in-app prompt asking you to hold a payment card near your phone’s NFC chip with immediate suspicion. Legitimate banks do not verify your identity by reading your contactless card through a freshly downloaded APK from a GitHub link.

    D3Lab says it will continue tracking NFCShare’s activity and evolution as the campaign develops.

    Gary Behan

    Software engineer and video game uber-nerd.