NFCShare Android malware is being distributed through fake updates for legitimate banking apps, with malicious APK files hosted on GitHub in a campaign targeting bank customers across Europe. The twist, as ever, is how convincingly ordinary the attack chain looks to anyone who isn’t already suspicious.

According to BleepingComputer, the campaign begins when a victim visits a phishing site impersonating a genuine bank and enters their banking credentials. They are then told to update their banking app and redirected to a GitHub repository serving a malicious APK file. SMS messages or phone calls from fake bank representatives may also be used in the social-engineering process, though D3Lab researchers note they did not directly observe those methods in this campaign.

How NFCShare Steals Card Data

Once installed, the malware presents victims with a fake verification screen instructing them to hold their payment card against their phone. Behind that screen, NFCShare reads card data using Android’s IsoDep interface and EMV commands. It captures the card number, card type, expiry date, and a four-digit PIN entered by the victim under the pretence of a security step.

All of that information is then exfiltrated to the attacker’s command-and-control (C2) server over a WebSocket channel. The stolen data can be used in NFC payment relay schemes, the same technique documented in the NGate, SuperCard X, and RelayNFC malware attacks.

D3Lab researcher Andrea Draghetti told BleepingComputer that, despite surface-level similarities to other Android malware exploiting NFC chips, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti noted, however, that it could still be an evolution of the same ecosystem, driven by the same threat actors.

Targeting Banks in Italy and Spain

NFCShare was first documented by D3Lab researchers in January 2026. Recent variants, observed starting 14 May, reflect a broadened targeting scope. The GitHub repository used to distribute the malware was created on 10 April and has since hosted 56 unique APKs impersonating mobile banking apps, primarily for Italian and Spanish institutions.

The APK filenames in the repository include Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta. In January, D3Lab had reported that the malware targeted only Deutsche Bank in Germany, which suggests the campaign has expanded its reach considerably since its early days.

Obfuscation to Slow Down Analysts

One development in the newer NFCShare samples is the introduction of malformed APK packaging. An APK is, at its core, a ZIP archive, and the newer variants include poisoned or malformed file paths inside that archive. Certain extraction tools misinterpret these internal relative paths as filesystem paths and throw errors, disrupting automated and static analysis.

D3Lab is clear that the trick does not prevent manual analysis or code recovery. It is an inconvenience aimed at automated pipelines, not a hard stop for a determined analyst. Even so, it adds friction to the detection process, which is presumably the point.
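As an added, constructed example (not code from D3Lab, BleepingComputer, or the malware itself), the Python check below lists an APK's ZIP entries without extracting anything and flags entry names a naive extractor would treat as filesystem paths, which is the failure mode the malformed packaging above relies on. The archive it inspects is built inline for the demonstration.

```python
"""Triage check for malformed entry paths inside an APK (a ZIP archive).

Lists every entry without extracting anything and flags names a naive
extractor might treat as filesystem paths. The sample archive below is
constructed for this example; it is not a real NFCShare sample.
"""
import io
import re
import zipfile

SUSPICIOUS_RULES = [
    ("absolute path", lambda n: n.startswith("/")),
    ("parent traversal", lambda n: ".." in n.split("/")),
    ("backslash separator", lambda n: "\\" in n),
    ("drive letter", lambda n: re.match(r"^[A-Za-z]:", n) is not None),
    ("NUL byte", lambda n: "\x00" in n),
]


def find_malformed_entries(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for every suspicious path in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            for reason, check in SUSPICIOUS_RULES:
                if check(info.filename):
                    findings.append((info.filename, reason))
                    break  # one reason per entry is enough for triage
    return findings


def build_sample_apk() -> bytes:
    """Construct a tiny ZIP mixing benign and malformed entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        # zipfile writes these names verbatim; it does not sanitize on write
        zf.writestr("../../../tmp/classes2.dex", b"x")
        zf.writestr("/data/local/tmp/payload.bin", b"y")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_malformed_entries(build_sample_apk()):
        print(f"{reason:20} {name!r}")
```

Running the listing step before any extraction lets an automated pipeline quarantine or route such samples to manual review instead of crashing on them.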

What Android Users Should Do

The advice here is not new, but it bears repeating: source banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking you to scan a payment card with your phone’s NFC chip as an immediate red flag. No legitimate bank verification flow requires you to hover your Visa over the back of your handset.

D3Lab has been tracking NFCShare’s activity and evolution since its initial documentation, and the shift from a single German bank target to a slate of Italian and Spanish institutions in just a few months suggests this campaign is still very much in active development.

Software engineer and video game uber-nerd.