Author: Gary Behan

Software engineer and video game uber-nerd.

New variants of NFCShare Android malware are being distributed through fake updates for legitimate banking apps, with the malicious APK files hosted on GitHub. The campaign has expanded its targeting considerably since the malware was first documented, and now aims at bank customers across multiple European countries.

How the NFCShare Android Malware Attack Unfolds

Recent attacks observed from 14 May begin with victims landing on a phishing site that impersonates their bank. The site solicits banking credentials, then urges the visitor to install what appears to be an app update, redirecting them to a GitHub repository hosting a malicious APK…

NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with researchers at D3Lab tracking a campaign that has expanded its targeting to banks across Italy and Spain, and potentially beyond. The malware works by tricking victims into placing their payment card near their phone’s near-field communication (NFC) chip. A fake verification screen prompts the action, at which point NFCShare reads card data using Android’s IsoDep interface and EMV commands. It captures the card number, card type, expiry date, and a 4-digit PIN entered by the victim under the guise of a routine security step. All…

NFCShare Android malware is being distributed through fake updates for legitimate banking apps, with malicious APK files hosted on GitHub in a campaign targeting bank customers across Europe. The twist, as ever, is how convincingly ordinary the attack chain looks to anyone who isn’t already suspicious.

According to BleepingComputer, the campaign begins when a victim visits a phishing site impersonating a genuine bank and enters their banking credentials. They are then told to update their banking app and redirected to a GitHub repository serving a malicious APK file. SMS messages or phone calls from fake bank representatives may also be used…

New variants of NFCShare Android malware are being distributed through a GitHub repository hosting fake updates for legitimate banking applications, with attackers targeting customers across Europe in a campaign designed to steal payment card data and PINs. The operation is polished enough that victims may not suspect anything until their card details are already being relayed to a remote server.

How the NFCShare Android Malware Attack Works

The attack chain begins when a victim lands on a phishing site impersonating a real bank and hands over their banking credentials. They are then told to update their banking app and redirected…

NFCShare Android malware is circulating in a new wave of attacks, distributed as fake updates for legitimate banking apps hosted on GitHub and targeting bank customers across Europe in a campaign designed to steal payment card data via NFC relay. The malware tricks victims into visiting a phishing site that impersonates a real bank and requests banking credentials. From there, victims are told their banking app needs updating and redirected to a GitHub repository hosting a malicious APK file. Once installed, the app presents a fake verification screen and instructs the victim to hold their payment card near their device’s…

A new wave of the NFCShare Android malware campaign is distributing fake banking app updates through GitHub, with attackers now setting their sights on customers of banks across Italy, Spain, and broader Europe. The operation steals payment card data by exploiting the NFC chip built into Android handsets, then uses that data in relay attacks to make fraudulent payments.

How the NFCShare Android Malware Campaign Works

Victims typically land on a phishing site impersonating a real bank, are prompted to hand over their banking credentials, and are then told they must update their banking app. That supposed update redirects them to a…

NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with new variants now targeting bank customers across Europe in a campaign designed to steal payment card data via NFC chips. The malware tricks victims into placing their payment cards near their device’s NFC chip by presenting a fake verification screen. It then reads card data using Android’s IsoDep interface and EMV commands, harvesting the card number, card type, expiry date, and a four-digit PIN entered by the victim under the guise of a routine security step. All of that information is exfiltrated to the attacker’s…

NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub, with researchers at D3Lab tracking a campaign that has expanded well beyond its original single-bank target to sweep up customers across Italy and Spain, and potentially further into Europe.

The mechanics are straightforward, which is part of what makes them effective. A victim lands on a phishing site impersonating a legitimate bank, hands over their banking credentials, and is then told their banking app needs updating. That update redirects them to a GitHub repository hosting a malicious APK. From there, the malware gets to work.

How NFCShare Android…

NFCShare Android malware attacks are expanding across Europe, with new variants distributed as counterfeit updates to legitimate banking apps hosted on GitHub, a campaign designed to silently steal payment card data via the NFC chips built into victims’ own phones.

How the NFCShare Android Malware Attacks Work

The attack chain begins when a victim lands on a phishing site impersonating a real bank and hands over their banking credentials. They are then urged to install an update to their banking app, and redirected to a GitHub repository serving a malicious APK file. D3Lab researchers observed this sequence starting from 14…

NFCShare Android malware is being distributed through fake updates for legitimate banking apps hosted on GitHub, with new variants now targeting customers across Europe in a campaign designed to steal payment card data and PINs via NFC chip interception. The mechanics are straightforward and unpleasant. Victims land on a phishing site impersonating a real bank, hand over their banking credentials, and are then nudged to install what looks like a mandatory app update. That update is a malicious APK file pulled from a GitHub repository. From there, the malware deploys a fake verification screen that instructs the victim to hold…
