New variants of NFCShare Android malware are being distributed through a GitHub repository hosting fake updates for legitimate banking applications, with attackers targeting customers across Europe in a campaign designed to steal payment card data and PINs. The operation is polished enough that victims may not suspect anything until their card details are already being relayed to a remote server.
How the NFCShare Android Malware Attack Works
The attack chain begins when a victim lands on a phishing site impersonating a real bank and hands over their banking credentials. They are then told to update their banking app and redirected to a GitHub repository hosting a malicious APK file. BleepingComputer reports that SMS messages or calls from fake bank representatives may also feature in the social-engineering process, though D3Lab researchers did not observe those methods directly in the current wave.
Once installed, the malware presents victims with a fake verification screen, prompting them to hold their payment card near the device’s NFC chip. NFCShare reads the card data using Android’s IsoDep interface and EMV commands, capturing the card number, card type, and expiry date. The victim is also asked to enter a 4-digit PIN under the pretence of a security step. All of it is exfiltrated to the attacker’s command-and-control (C2) server over a WebSocket channel.
The harvested data feeds into NFC payment relay schemes, where attackers use the stolen card credentials to make contactless payments or withdrawals elsewhere. D3Lab note this technique is consistent with methods documented in the NGate, SuperCard X, and RelayNFC malware attacks.
Targeting, Evolution and Anti-Analysis Tricks
NFCShare was first documented by D3Lab researchers in January 2026, when it was observed targeting Deutsche Bank customers in Germany. The scope has since widened considerably. The GitHub repository used for distribution was created on 10 April and has hosted 56 unique APKs impersonating mobile apps for banks primarily in Italy and Spain, including Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, and several CaixaBank variants.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware exploiting NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti noted it could still be an evolution of the same ecosystem, potentially driven by the same threat actors, though that remains unconfirmed.
The campaign observed from 14 May onward introduced a new wrinkle: malformed APK packaging intended to disrupt automated analysis. The APK files remain standard ZIP archives underneath, but newer samples include deliberately poisoned or malformed file paths within the archive. Some extraction tools misinterpret these internal relative paths as filesystem paths and throw errors, which can trip up static analysis workflows and potentially confuse security tooling. D3Lab are clear that the trick does not prevent manual analysis or code recovery; it is an inconvenience for automated scanners rather than a hard barrier for determined analysts.
The anti-analysis feature is worth watching. As defenders lean more heavily on automated scanning pipelines, adversaries are increasingly building friction into their payloads at the packaging layer, before any code even executes.
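One way a triage pipeline can surface the packaging trick described above before any extractor chokes on it: inspect the archive's entry names directly, without extracting. This is an added example written for this article, not code from D3Lab or from any NFCShare sample; the archive it scans is a small constructed stand-in with the kinds of poisoned entry names the text describes.

```python
import io
import zipfile


def suspicious_entry_names(archive: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) pairs for ZIP entries whose stored names
    could be misread as filesystem paths by a naive extractor.

    Only the central directory is read; nothing is extracted, so a poisoned
    archive cannot cause writes outside the working directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")):
                findings.append((name, "absolute path"))
            elif len(name) > 1 and name[1] == ":":
                findings.append((name, "drive letter"))
            elif "\\" in name:
                findings.append((name, "backslash separator"))
            elif ".." in name.split("/"):
                findings.append((name, "parent-directory traversal"))
            elif any(ord(ch) < 0x20 for ch in name):
                findings.append((name, "control character"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input (not a real NFCShare APK): a minimal ZIP with one
    ordinary APK-style entry and two poisoned entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # ordinary entry
        zf.writestr("../../tmp/poisoned.txt", b"x")         # relative traversal
        zf.writestr("/etc/poisoned.txt", b"x")              # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    # Flag the archive for manual review rather than letting an extractor fail on it.
    for name, reason in suspicious_entry_names(build_sample_archive()):
        print(f"{reason}: {name!r}")
```

Pointing `suspicious_entry_names` at real APK bytes lets a scanner quarantine the file for manual review instead of erroring out, which is the outcome the malformed packaging is designed to avoid.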
What Android Users Should Do
The advice from researchers is straightforward. Source banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app or website prompt asking you to scan your payment card via NFC as a red flag. Legitimate banks do not verify your identity by having you wave your card at your phone.
NFCShare Android malware is still an active and developing threat: 56 APKs across a repository less than two months old is a meaningful tempo, and the targeting scope has already expanded once from a single country to two. D3Lab have said they will continue tracking its activity and evolution.