
    NFCShare Android Malware Spreads via Fake Banking App Updates on GitHub

    By Gary Behan, 12/06/2026

    NFCShare Android malware is circulating in a new wave of attacks, distributed as fake updates for legitimate banking apps hosted on GitHub and targeting bank customers across Europe in a campaign designed to steal payment card data via NFC relay.

    The malware tricks victims into visiting a phishing site that impersonates a real bank and requests banking credentials. From there, victims are told their banking app needs updating and redirected to a GitHub repository hosting a malicious APK file. Once installed, the app presents a fake verification screen and instructs the victim to hold their payment card near their device’s NFC chip.

    Behind that screen, NFCShare reads card data using Android's IsoDep interface and EMV commands. It captures the card number, card type, expiry date, and a 4-digit PIN entered by the victim under the guise of a security step, then exfiltrates everything to the attacker’s command-and-control server over a WebSocket channel. That package of data is exactly what’s needed to conduct NFC payment relay attacks, the same scheme documented in the NGate, SuperCard X, and RelayNFC malware cases.

    From Germany to Italy and Spain: NFCShare’s Expanding Target List

    NFCShare was first documented by D3Lab researchers in January 2026, when it was targeting Deutsche Bank customers in Germany. The current campaign suggests a considerably expanded targeting scope. Since the GitHub repository used for distribution was created on 10 April, it has hosted 56 unique APKs impersonating banking apps, the majority aimed at Italian and Spanish institutions.

    The APK names in the repository include Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, Mooney Carte, and three CaixaBank variants, CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta. The most recent attacks observed by D3Lab began on 14 May.

    SMS messages or phone calls from fake bank representatives may also feature in the social-engineering process, consistent with similar campaigns, though D3Lab’s researchers did not directly observe those methods in this particular wave.

    NFCShare Android Malware Adds Anti-Analysis Tricks

    One of the more technically interesting developments in the newer samples is the introduction of deliberately malformed APK packaging. An APK is, at its core, a ZIP archive, and the updated NFCShare variants include poisoned or malformed file paths inside that archive. Certain extraction tools misread these internal relative paths as filesystem paths and throw errors, disrupting automated static analysis.

    D3Lab is clear-eyed about the limits of this trick: it does not prevent manual analysis or code recovery. It is an obstacle for automated tooling, not a hard barrier for a determined analyst. But it does suggest the developers are actively working to slow down detection pipelines, which is a reasonable concern for any security team relying heavily on automated scanning.
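
An added example (not D3Lab's tooling and not code from the article): a triage sketch in Python that reads an APK's entries in memory by ZIP record instead of extracting them to disk, so odd entry names get reported rather than breaking the pipeline. The name checks and the sample archive are assumptions constructed for illustration; the article does not describe the exact malformations NFCShare uses.

```python
import hashlib
import io
import zipfile

def path_issues(name: str) -> list[str]:
    """Flag entry names an extractor could mistake for filesystem paths.
    These heuristics are assumptions; the article lists no exact patterns."""
    norm = name.replace("\\", "/")
    issues = []
    if norm.startswith("/") or name[1:2] == ":":
        issues.append("absolute-path")
    if ".." in norm.split("/"):
        issues.append("parent-traversal")
    if "\\" in name:
        issues.append("backslash-separator")
    if "//" in norm:
        issues.append("empty-component")
    if any(ord(c) < 0x20 for c in name):
        issues.append("control-character")
    return issues

def triage_apk(data: bytes) -> dict:
    """Hash every member in memory; nothing is written to disk, so a
    hostile name is only ever a report key, never a path."""
    report = {"flagged": {}, "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.orig_filename  # raw name from the central directory
            issues = path_issues(name)
            if issues:
                report["flagged"][name] = issues
            if not info.is_dir():
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                report["members"].append((name, digest))
    return report

def build_sample() -> bytes:
    """Constructed sample, not a real APK: four entries, two oddly named."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("../../res/raw/a.bin", b"A")
        zf.writestr("/assets/b.bin", b"B")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in triage_apk(build_sample())["flagged"].items():
        print(name, why)
```

A non-empty `flagged` map is itself a useful triage signal: legitimate build tools do not normally emit such entry names.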

    D3Lab researcher Andrea Draghetti told BleepingComputer that, despite surface similarities to other Android malware exploiting NFC chips for data theft, NFCShare uses ‘distinct code, libraries, architecture, and implementation details.’ Draghetti did note, though, that it could still represent an evolution of the same broader ecosystem, driven by the same threat actors behind related NFC-relay malware families.

    For Android users, the practical guidance is straightforward: source banking apps exclusively from Google Play, keep Play Protect enabled, and treat any in-app prompt asking you to scan a payment card near your phone with immediate suspicion. A bank’s legitimate app will never ask you to do that as a verification step. Whether that message arrives via a slick phishing page, a convincing SMS, or a voice call, the card-to-phone NFC prompt is the tell.

    Gary Behan

    Software engineer and video game uber-nerd.
