NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with researchers at D3Lab tracking a campaign that has expanded its targeting to banks across Italy and Spain, and potentially beyond.
The malware works by tricking victims into placing their payment card near their phone’s near-field communication (NFC) chip. A fake verification screen prompts the action, at which point NFCShare reads card data using Android’s IsoDep interface and EMV commands. It captures the card number, card type, expiry date, and a 4-digit PIN entered by the victim under the guise of a routine security step. All of that data is then sent to the attacker’s command-and-control (C2) server over a WebSocket channel.
Once collected, the information can be used in NFC payment relay schemes, the same technique documented in the NGate, SuperCard X, and RelayNFC malware attacks.
How the NFCShare Android Malware Campaign Operates
Attacks observed from 14 May onwards begin with a phishing site impersonating a legitimate bank, asking victims for their banking credentials. Victims are then told they need to update their banking app and are redirected to a GitHub repository hosting a malicious APK file. D3Lab researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, though they did not directly observe those methods in this campaign.
The GitHub repository used for distribution was created on 10 April and has since hosted 56 unique APKs, each impersonating a mobile app for a bank or financial service. The list of impersonated apps includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, and Mooney Carte for Italian targets, alongside CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta for Spanish ones.
D3Lab first documented NFCShare in January 2026, when the malware was targeting only Deutsche Bank in Germany. The expansion to Italian and Spanish financial institutions suggests a broadening of the threat actors’ scope.
A Distinct Threat, With Familiar Echoes
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite surface similarities to other Android malware that exploits NFC chips, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti noted it could still be an evolution of the same ecosystem, driven by the same threat actors, though that remains an open question rather than a confirmed finding.
One change in the newer variants is the introduction of malformed APK packaging. The APK remains a ZIP archive at its core, but newer samples include poisoned or malformed file paths within that archive. Certain extraction tools misinterpret internal relative paths as filesystem paths and throw errors as a result. D3Lab is clear that this technique does not prevent manual analysis or code recovery; it is aimed at disrupting static analysis in automated tooling, which could help the malware slip past some detection systems during initial screening.
The move is worth noting not because it is some insurmountable barrier, but because it reflects ongoing effort on the part of whoever is maintaining NFCShare to keep it functional against automated defences. Malware that actively evolves its packaging alongside its targeting is more persistent than a one-and-done tool.
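For teams running automated APK screening, the malformed-path point above can be handled by treating entry names as opaque archive keys rather than filesystem paths. The following is an added example, not D3Lab's tooling or code from the original report; the function names are hypothetical, and the specific anomaly checks are assumptions, since the article does not say which malformed paths the samples use.

```python
import io
import zipfile

def entry_anomalies(name):
    """Reasons an entry name is unsafe to treat as a filesystem path."""
    parts = name.split("/")
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory component")
    if "\\" in name:
        reasons.append("backslash separator")
    if "" in parts[1:-1]:
        reasons.append("empty path component")
    return reasons

def triage_apk(data):
    """Map suspicious entry names to reasons, reading only the ZIP directory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    for name in names:
        reasons = entry_anomalies(name)
        # A name used both as a file and as a directory prefix breaks extraction.
        if not name.endswith("/") and any(o.startswith(name + "/") for o in names):
            reasons.append("file collides with directory")
        if reasons:
            findings[name] = reasons
    return findings

def read_entry(data, name):
    """Return one entry's bytes from memory; the name is never used as a path."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def build_sample():
    """Constructed archive standing in for a sample; not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("res/../../outside.bin", b"x")
        zf.writestr("/res/raw/a.bin", b"y")
        zf.writestr("assets/cfg", b"z")
        zf.writestr("assets/cfg/inner.json", b"{}")
    return buf.getvalue()
```

A pipeline can record the findings as a signal in their own right and still pass each entry's bytes to later analysis stages without ever extracting to disk.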
For Android users, the advice from researchers is straightforward: source banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking you to hold a payment card near your phone with deep suspicion. No legitimate bank app will ask you to scan your card via NFC as a verification step. That specific request is the tell.

