NFCShare Android malware is being distributed as fake updates for legitimate banking apps, with the malicious APKs hosted on GitHub. New variants now target customers across Europe in a campaign designed to steal payment card data and PINs by reading the victim's card through the phone's own NFC reader.
The mechanics are straightforward and unpleasant. Victims land on a phishing site impersonating a real bank, hand over their banking credentials, and are then nudged to install what looks like a mandatory app update. That update is a malicious APK pulled from a GitHub repository. Once installed, the malware shows a fake verification screen that instructs the victim to hold their payment card against the back of the phone. Using Android's IsoDep interface to exchange EMV commands with the card, the app reads the card's data in the background while the victim believes they are completing a security check.
What it collects: card number, card type, expiry date, and a four-digit PIN that the victim types into the fake verification screen, believing it to be a security step. All of it is exfiltrated to the attacker's command-and-control (C2) server over a WebSocket channel. That data can then be used in NFC payment relay schemes, the same technique documented in the NGate, SuperCard X, and RelayNFC malware campaigns.
How NFCShare Android Malware Has Evolved Since January
D3Lab researchers first documented NFCShare in January 2026, initially observing it targeting only Deutsche Bank customers in Germany. The more recent campaign, with attacks observed starting 14 May, has expanded its scope considerably. Since 10 April, the GitHub repository used for distribution has hosted 56 unique APKs impersonating banking apps, with targets primarily in Italy and Spain. The list of impersonated apps includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploits NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors. The distinction matters for defenders trying to attribute and block campaigns: a shared ecosystem does not necessarily mean shared infrastructure or tooling.
The social engineering component is layered. Phishing sites form the primary entry point, but D3Lab notes that SMS messages or calls from fake bank representatives may also be used to push victims toward installing the malicious APK. The researchers did not directly observe these methods in the current campaign, but they have featured in similar attacks and are consistent with the broader playbook.
Malformed APK Packaging Complicates Automated Detection
One technical wrinkle in the newer samples is worth flagging. The APKs, which are structurally ZIP archives, now include malformed or poisoned entry paths inside that ZIP. Certain extraction tools treat those entry names as filesystem paths rather than as opaque archive names, and either throw errors or refuse to unpack, which disrupts static analysis. D3Lab is clear that this does not prevent manual analysis or code recovery; it is an anti-automation trick, not an impenetrable shield. But it does raise the bar for any security tooling that relies on automated unpacking as a first pass, and it is a reminder that an analysis pipeline should inspect entry names and read members directly from the archive rather than extracting blindly to disk.
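The triage step a pipeline needs here is to enumerate the archive's entry names, flag any that would be dangerous or nonsensical as filesystem paths (absolute paths, `..` components, backslash separators, drive letters), and read the members it wants by name straight from the central directory instead of extracting to disk. The following is an added Python example written for this article; it is not D3Lab's tooling or code from the malware. The sample archive it builds is constructed inline with made-up entry names to stand in for the poisoned paths the text describes; the exact names NFCShare uses are not given on this page.

```python
"""Triage an APK (structurally a ZIP) for poisoned entry paths before handing it
to automated unpackers.  Added example; the sample APK below is constructed."""
import io
import zipfile

# Entry names that a filesystem-mapping extractor would mishandle.
def classify_entry_name(name: str) -> list[str]:
    """Return the reasons an archive entry name is unsafe to use as a path.
    An empty list means the name looks like an ordinary relative archive path."""
    reasons = []
    if not name:
        return ["empty name"]
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    if len(name) > 1 and name[1] == ":":
        reasons.append("drive letter")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("parent-directory component")
    if any(ord(c) < 0x20 for c in name):
        reasons.append("control character")
    return reasons


def suspicious_entries(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged entry name to the reasons it was flagged.
    Only the central directory is parsed; nothing is written to disk."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_entry_name(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def read_member(apk_bytes: bytes, name: str) -> bytes:
    """Read one entry by its stored name.  Because the name is never mapped
    onto the filesystem, a poisoned path cannot break the read."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped ZIP with two ordinary entries plus
    three poisoned names of the kind that trip path-mapping extractors."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("../../../../tmp/escape.txt", b"traversal")   # constructed
        zf.writestr("/abs/path/payload.bin", b"absolute")          # constructed
        zf.writestr("res\\..\\..\\win.txt", b"backslash")          # constructed
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, why in suspicious_entries(apk).items():
        print(f"FLAGGED {name!r}: {', '.join(why)}")
    # The interesting members are still fully recoverable by name.
    print("classes.dex header:", read_member(apk, "classes.dex")[:8])
```

Run against a real sample, `suspicious_entries` tells the analyst up front which names caused the unpacker to choke, and `read_member` pulls `classes.dex` and the manifest out regardless, so the poisoned paths cost a few seconds rather than a failed job. Python's own `extractall` happens to sanitize such names, but the safer habit for a pipeline is to never let archive names touch the filesystem at all.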
For Android users, the guidance is direct: install banking apps only from Google Play, keep Play Protect enabled, and treat any in-app request to scan a payment card via NFC as a red flag. Legitimate banks do not verify identity by asking customers to tap their card to a phone mid-session. That particular prompt, however convincingly dressed up, is the attack.

