NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with new variants now targeting bank customers across Europe in a campaign designed to steal payment card data through the phone's NFC reader.
The malware tricks victims into holding their payment card against the phone by presenting a fake verification screen. It then talks to the card through Android's IsoDep interface using standard EMV commands and harvests the card number, card type and expiry date. A contactless read cannot return the PIN, so the malware collects a four-digit PIN separately by prompting the victim for it under the guise of a routine security step. Everything is exfiltrated to the attacker's command-and-control server over a WebSocket channel.
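To make concrete what an IsoDep read actually returns, here is an added example (not NFCShare's code and not from D3Lab's analysis): a small BER-TLV parser run over constructed SELECT and READ RECORD responses of the kind `IsoDep.transceive()` hands back on Android, extracting the PAN, expiry and brand. The tag numbers (6F, 84, A5, 50, 70, 57, 5A, 5F24) and the 90 00 status word are standard EMV; the response bytes themselves are constructed, 4111111111111111 is the well-known Visa test PAN, and the RID-to-brand table and the `mask_pan` helper are this example's own choices.

```python
# Added illustration, not NFCShare's code: parse the EMV responses an NFC card
# read returns and extract what the malware harvests. All APDU bytes below are
# constructed; on Android they would come back from IsoDep.transceive().

# SELECT-by-AID response: 6F (FCI) > 84 (AID), A5 (proprietary template) > 50 (label); 90 00 = success
SAMPLE_SELECT_RESPONSE = bytes.fromhex("6F11" "8407A0000000031010" "A506" "500456495341" "9000")

# READ RECORD response: 70 (record) > 57 (Track 2 equivalent), 5A (PAN), 5F24 (expiry YYMMDD).
# 4111111111111111 is the well-known Visa test PAN; expiry 27/12, service code 201.
SAMPLE_READ_RECORD_RESPONSE = bytes.fromhex(
    "7025"
    "5713" "4111111111111111" "D2712201" "0000000000000F"
    "5A08" "4111111111111111"
    "5F2403" "271231"
    "9000"
)

# Registered application provider IDs (first 5 AID bytes); this example's own lookup table
KNOWN_RIDS = {"A000000003": "Visa", "A000000004": "Mastercard", "A000000025": "American Express"}


def strip_status_word(response: bytes) -> bytes:
    """Drop the trailing ISO 7816 status word, insisting on 90 00."""
    body, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status {sw.hex().upper()}")
    return body


def parse_tlv(data: bytes, into=None) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed templates
    (6F, A5, 70, 77 ...). Tags: low 5 bits all set means more tag bytes follow;
    bit 0x20 marks constructed. Lengths: short form < 0x80, else 0x8n + n bytes."""
    into = {} if into is None else into
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):  # inter-object padding is permitted
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length >= 0x80:
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError(f"unsupported length encoding for tag {tag}")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:
            parse_tlv(value, into)
        else:
            into[tag] = value
    return into


def decode_track2(value: bytes) -> dict:
    """Track 2 equivalent: PAN, 'D' separator, YYMM expiry, 3-digit service code,
    discretionary data, 'F' padding to a whole byte. No PIN lives here."""
    digits = value.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def brand_from_aid(aid: bytes) -> str:
    return KNOWN_RIDS.get(aid.hex().upper()[:10], "unknown")


def extract_card_data(select_response: bytes, read_record_response: bytes) -> dict:
    """Everything a card read yields; the PIN is absent and must be phished separately."""
    fci = parse_tlv(strip_status_word(select_response))
    record = parse_tlv(strip_status_word(read_record_response))
    track2 = decode_track2(record["57"]) if "57" in record else {}
    pan = track2.get("pan") or (record["5A"].hex().upper().rstrip("F") if "5A" in record else None)
    expiry = record["5F24"].hex()[:4] if "5F24" in record else track2.get("expiry_yymm")
    aid = fci.get("84", b"")
    return {
        "aid": aid.hex().upper(),
        "label": fci.get("50", b"").decode("ascii", "replace"),
        "brand": brand_from_aid(aid),
        "pan": pan,
        "expiry_yymm": expiry,
        "service_code": track2.get("service_code"),
    }


def mask_pan(pan: str) -> str:
    """First six and last four only, for anything that ends up in a log."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    card = extract_card_data(SAMPLE_SELECT_RESPONSE, SAMPLE_READ_RECORD_RESPONSE)
    print({**card, "pan": mask_pan(card["pan"])})
```

Nothing in a SELECT or READ RECORD exchange carries the PIN, which is why the malware has to prompt for it and why a defender reviewing exfiltrated WebSocket traffic should expect exactly these fields plus a separately entered PIN. Anything that logs these responses during analysis should go through `mask_pan` or an equivalent.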
How the NFCShare Attack Chain Works
Recent NFCShare attacks, observed from 14 May onward, begin with a phishing site that impersonates a legitimate bank and solicits the victim's banking credentials. The victim is then urged to install an update to their banking app and redirected to a GitHub repository hosting a malicious APK. D3Lab notes that SMS messages or phone calls from fake bank representatives may also form part of the social engineering, as seen in similar campaigns, though the researchers did not directly observe those methods in these attacks.
The GitHub repository used to distribute the malware was created on 10 April and has since hosted 56 unique APKs impersonating mobile banking apps, predominantly for banks in Italy and Spain. The list includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, and several CaixaBank variants. When D3Lab first documented NFCShare in January 2026, the malware was targeting only Deutsche Bank customers in Germany, suggesting the campaign’s targeting scope has widened considerably since then.
NFCShare Android Malware’s Evasion Tricks
One of the more interesting additions in the newer version is deliberately malformed APK packaging intended to disrupt automated analysis. An APK is, at its core, a ZIP archive, and the newer samples carry poisoned or malformed entry paths in that archive's directory. Some extraction tools treat those entries as filesystem paths and fail, which can stall static analysis pipelines and, potentially, some security tooling. D3Lab is clear, though, that the trick does not prevent manual analysis or code recovery: it is an obstacle, not a wall.
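As an added example of how an analysis pipeline can triage this trick without extracting anything (this is not D3Lab's tooling, and the archive it inspects is constructed in memory rather than a real NFCShare sample), the following script reads an APK's ZIP central directory and flags entry names that a naive extractor would turn into dangerous filesystem paths. The specific poisoned names and the MAX_NAME_LEN threshold are this example's assumptions.

```python
# Added illustration, not D3Lab's tooling: triage the entry names inside an APK
# (a ZIP archive) without extracting anything. The sample archive is constructed
# in memory to mimic an APK whose directory carries poisoned paths.
import io
import re
import zipfile

MAX_NAME_LEN = 512  # assumed cut-off for this script; legitimate APK paths are far shorter


def suspicious_path_reasons(name: str) -> list:
    """Reasons an archive entry name should never be handed to a filesystem as-is."""
    reasons = []
    if "\x00" in name:
        reasons.append("null byte")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name if c != "\x00"):
        reasons.append("control characters")
    if len(name) > MAX_NAME_LEN:
        reasons.append("over-long name")
    return reasons


def inspect_apk_entry_names(apk_bytes: bytes) -> list:
    """Walk the central directory and report (raw_name, reasons) for poisoned entries.
    ZipInfo.orig_filename is used because ZipFile truncates .filename at the first
    null byte, which would hide exactly the trick being looked for."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            for info in zf.infolist():
                raw = getattr(info, "orig_filename", info.filename)
                reasons = suspicious_path_reasons(raw)
                if reasons:
                    findings.append((raw, reasons))
    except zipfile.BadZipFile as exc:
        # The failure mode the article describes: the directory itself trips the parser.
        # Report it as a finding so the sample is queued for manual work, not dropped.
        findings.append(("<central directory>", [f"unreadable: {exc}"]))
    return findings


def build_sample_apk() -> bytes:
    """Constructed in-memory ZIP: two ordinary APK members plus four poisoned names."""
    poisoned = [
        "../../../../etc/passwd",            # traverses out of the extraction directory
        "/sdcard/Download/update.apk",       # absolute path
        "lib\\armeabi-v7a\\libnative.so",    # backslash separators
        "res/raw/payload.bin\x00.png",       # null byte: different tools see different names
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        for name in poisoned:
            info = zipfile.ZipInfo("placeholder")
            info.filename = name  # assigned after construction so ZipInfo does not normalise it
            zf.writestr(info, b"junk")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_apk_entry_names(build_sample_apk()):
        print(repr(name), "->", ", ".join(reasons))
```

The scan never calls `extractall`, so the poisoned paths are inspected rather than acted on, and an archive whose directory cannot be parsed at all becomes a finding instead of an exception, which keeps such samples flowing to manual analysis.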
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite surface similarities to other Android malware exploiting NFC chips, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti did leave the door open on provenance, noting it could still be an evolution of the same broader ecosystem, possibly driven by the same threat actors behind related campaigns.
The stolen card data is suited to NFC payment relay attacks, a technique documented in the NGate, SuperCard X, and RelayNFC malware families. In a relay scheme, the attacker uses the intercepted card credentials to authorise contactless payments or cash withdrawals without ever physically possessing the card. One caveat for practitioners: a terminal still demands a transaction cryptogram that only the card can compute, so a genuine relay forwards the card's live responses rather than replaying a stored PAN and expiry; the harvested static fields and PIN complement that live session rather than replacing it.
What Android Users Should Do
The advice from D3Lab is straightforward. Android users should install banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking them to hold a payment card near their phone with immediate suspicion. Legitimate banks do not verify customers by scanning a card over NFC as part of an app update. Sideloading an APK downloaded from GitHub also requires granting the browser the "Install unknown apps" permission, which is worth leaving disabled.
The campaign underlines a broader pattern: hosting malicious payloads on reputable platforms like GitHub lends an air of legitimacy that phishing domains alone cannot. When the download appears to come from a trusted code-hosting service, victims and even some security tools are less likely to raise an eyebrow. NFCShare’s authors appear to be banking on exactly that assumption.