A new wave of the NFCShare Android malware campaign is distributing fake banking app updates through GitHub, with attackers now setting their sights on customers of banks across Italy, Spain, and broader Europe. The operation steals payment card data by exploiting the NFC chip built into Android handsets, then uses that data in relay attacks to make fraudulent payments.
How the NFCShare Android Malware Campaign Works
Victims typically land on a phishing site impersonating a real bank, are prompted to hand over their banking credentials, and are then told they must update their banking app. That supposed update redirects them to a GitHub repository hosting a malicious APK file. D3Lab researchers, who first documented NFCShare in January 2026, note that SMS messages or calls from fake bank representatives may also be used to nudge victims along, though they did not observe those methods directly in the current campaign.
Once installed, the malware presents a fake verification screen instructing the user to hold their payment card near the device. What follows is technically precise: according to GBHackers, NFCShare uses native NFC reader code via android.nfc.tech.IsoDep to issue EMV APDUs, including a PPSE select command, the same low-level protocol a card terminal would use to initiate a transaction. The card number, type, and expiry date are read directly from the chip. The victim is also prompted to enter a four-digit PIN under the guise of a security step, handing over the final piece of data an attacker needs.
All of it (card details and PIN) is exfiltrated to a command-and-control (C2) server over a WebSocket channel. From there, the stolen data can feed NFC payment relay schemes of the kind seen in the NGate, SuperCard X, and RelayNFC attacks.
Rapid Rebuilds and a Widening Target List
The GitHub repository used to distribute the malware was created on 10 April and has, since then, hosted 56 unique APKs impersonating apps for banks including Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta. GBHackers reports that the campaign has pivoted to Italian and broader European banking brands, with an increased frequency of rebuilds observed since 14 May 2026.
That acceleration matters. Each new APK is a fresh opportunity to slip past signature-based detection, and the volume of rebuilds suggests an operation that is actively maintained rather than simply launched and left running. Back in January 2026, D3Lab reported that NFCShare targeted only Deutsche Bank in Germany; the shift to multiple Italian and Spanish institutions represents a considerable widening of scope.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite surface similarities to other Android malware that exploits NFC chips, NFCShare uses distinct code, libraries, architecture, and implementation details. Draghetti noted it could still be an evolution of the same ecosystem, driven by the same threat actors, a hedge worth keeping in mind when drawing lines between these related but separately tracked malware families.
Anti-Analysis Tricks and What They Actually Achieve
Newer NFCShare samples introduce malformed APK packaging designed to disrupt automated analysis. APK files are, at heart, ZIP archives, and the latest variants include poisoned file paths within that ZIP. Certain extraction tools misread internal relative paths as filesystem paths and throw errors, which can interfere with static analysis pipelines and potentially some security tooling.
D3Lab is careful to note the limits of this trick: it does not prevent manual analysis or code recovery. It is an obstacle for automated tooling, not an impenetrable shield, but in an environment where security teams rely heavily on automated scanning, even a partial blind spot is useful to an attacker.
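One check a triage pipeline can run on an APK before handing it to an unpacker, so that poisoned entry names are flagged instead of crashing the tooling. This is an added example, not code from the NFCShare samples or from D3Lab; the archive and its entry names are constructed here to stand in for a malformed APK.

```python
"""Scan an APK (a ZIP archive) for entry names that a naive extractor would
treat as filesystem paths. Added example; the sample archive is constructed."""
import io
import zipfile


def classify_entry(name: str) -> list[str]:
    """Return the reasons an archive entry name is unsafe for a naive extractor."""
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if len(name) > 1 and name[1] == ":" and name[0].isalpha():
        reasons.append("drive letter")
    if "\\" in name:
        reasons.append("backslash separator")
    # Treat both separators as directory boundaries, as some unpackers do.
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        reasons.append("control character")
    return reasons


def find_poisoned_paths(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; an empty dict means clean.
    Only the central directory is read, so no entry is ever written to disk."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a malformed APK: normal entries plus poisoned ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035")
        zf.writestr("res/../../../../tmp/nfc_update.bin", b"x")  # traversal
        zf.writestr("/data/local/tmp/payload", b"x")              # absolute path
        zf.writestr("assets\\..\\hidden.so", b"x")                 # backslashes
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in find_poisoned_paths(build_sample_apk()).items():
        print(f"{name!r}: {', '.join(why)}")
```

Python's own `zipfile` sanitises names on extraction, so the point of the scan is to surface the entries for a reviewer rather than to protect this script.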
Android users are advised to install banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking them to scan a payment card with NFC as an immediate red flag. Legitimate banks do not verify identity by reading your card’s chip through your phone.