NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with researchers at D3Lab tracking a campaign that has expanded well beyond its original single-bank target to sweep up customers across Italy and Spain, and potentially further into Europe.

The mechanics are straightforward, which is part of what makes them effective. A victim lands on a phishing site impersonating a legitimate bank, hands over their banking credentials, and is then told their banking app needs updating. That update redirects them to a GitHub repository hosting a malicious APK. From there, the malware gets to work.

How NFCShare Android Malware Steals Your Card Data

Once installed, NFCShare presents a fake verification screen and instructs the victim to hold their payment card near their phone’s NFC chip. The malware reads the card using Android’s IsoDep interface and EMV commands, capturing the card number, card type, and expiry date. Victims are also asked to enter their PIN under the guise of a security step, and that four-digit code goes straight to the attacker’s command-and-control server over a WebSocket channel.

That combination of card data and PIN opens the door to NFC payment relay schemes, a well-documented class of attack. D3Lab researcher Andrea Draghetti noted parallels to the NGate, SuperCard X, and RelayNFC malware families, all of which have used similar relay techniques. Draghetti told BleepingComputer that NFCShare uses distinct code, libraries, architecture, and implementation details from those families, though he acknowledged it could still be an evolution of the same ecosystem, driven by the same threat actors.

From Deutsche Bank to a Dozen Italian and Spanish Lenders

D3Lab first documented NFCShare in January 2026, when it was targeting customers of Deutsche Bank in Germany. The current campaign, which researchers observed starting 14 May, tells a different story about the malware’s ambitions. The GitHub repository used to distribute the malicious APKs was created on 10 April and has since hosted 56 unique APKs, impersonating apps for a range of banks primarily operating in Italy and Spain.

The list includes Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta. The jump from a single German institution to a broad sweep of southern European lenders in the space of a few months suggests the operators are iterating quickly on their target list.

The social engineering layer can reportedly extend beyond phishing sites. D3Lab notes that SMS messages or phone calls from fake bank representatives may also feature in the attack chain, as seen in similar campaigns, though researchers did not observe these methods directly in the NFCShare operation they analysed.

Malformed APK Packaging Adds an Analytical Wrinkle

One detail worth flagging for security teams is a new anti-analysis technique introduced in recent NFCShare samples. The APK files, which are essentially ZIP archives, now include deliberately malformed or poisoned file paths within that ZIP structure. Certain extraction tools misinterpret these internal relative paths as filesystem paths and throw errors, disrupting automated static analysis.

D3Lab is clear that this does not stop manual analysis or code recovery; a determined analyst can still pull the malware apart. The trick is aimed squarely at automated tooling, potentially including some security products that rely on static inspection of APK contents. It is an incremental hardening of the delivery mechanism, not a fundamental shift in how the malware operates.
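As an added illustration (not D3Lab's tooling and not code from the campaign), the short Python triage script below reads an APK's ZIP central directory without extracting anything and flags the kinds of poisoned entry names the article describes. It runs against a constructed fixture, not a real NFCShare sample.

```python
import io
import re
import zipfile


def classify_entry_name(name: str) -> list[str]:
    """Return the reasons a ZIP entry name looks poisoned (empty list if clean).

    Extraction tools that treat the entry name as a filesystem path choke on
    exactly these patterns; inspecting the name as a string does not.
    """
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if re.match(r"^[A-Za-z]:", name):
        reasons.append("drive letter")
    if "\\" in name:
        reasons.append("backslash separator")
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        reasons.append("control character")
    return reasons


def scan_apk(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in an APK (a ZIP archive) to its reasons.

    Only the central directory is parsed; no entry is written to disk, so a
    poisoned path cannot derail the scan the way it derails an extractor.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_entry_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_apk() -> bytes:
    """Constructed test fixture: two ordinary APK entries plus two entries
    with poisoned names. This is not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("res/../../../tmp/poison.txt", b"x")
        zf.writestr("C:\\Windows\\evil.txt", b"y")
    return buf.getvalue()
```

Pointing `scan_apk` at a real file (`scan_apk(open(path, "rb").read())`) gives a quick yes/no on whether an archive is worth handing to an extractor that is known to trip on such names.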

What Android Users Should Do

The advice here is fairly standard, but worth repeating given how convincing a well-crafted phishing page can look. Google Play should be the only source for banking apps. Play Protect should be active. And any prompt asking you to scan your payment card as part of a verification step (regardless of how official the surrounding interface looks) should be treated as a red flag. Your bank will not ask you to do that.

Software engineer and video game uber-nerd.
