New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After tricking victims with a fake verification screen to place the cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands.
The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates it to the attacker’s command-and-control (C2) host over a WebSocket channel.
The information collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.
Source: D3Lab
NFCShare was first documented by D3Lab researchers in January 2026, who have been tracking its activity and evolution.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploit NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.
Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.
Recent NFCShare attacks observed starting May 14 begin with the victim visiting a phishing site that impersonates a real bank and asks for banking credentials.
Victims are then urged to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.
Source: D3Lab
The researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, as seen in similar attacks, although D3Lab researchers did not observe these methods directly.
Since its creation on April 10, the GitHub repository used for distributing NFCShare has hosted 56 unique APKs that impersonated mobile apps for banks primarily from Italy and Spain:
- Intesa Carte.apk
- Sella Carte.apk
- Banca Sella Carte.apk
- Nexi Carte.apk
- Fideuram Carte.apk
- Mooney Carte.apk
- CaixaBank.apk
- CaixaBankNfc.apk
- CaixaReactivaTarjeta.apk
In January, D3Lab reported that the malware targeted only Deutsche Bank in Germany, which may suggest an extended targeting scope.
One interesting aspect of the new version of the malware is the introduction of malformed APK packaging to hinder automated analysis, and potentially also security tools.
The APK is still a ZIP archive, but the newer samples include poisoned/malformed file paths within that ZIP, causing some extraction tools to wrongly interpret internal relative paths as filesystem paths and trigger errors.
However, D3Lab notes that this trick does not prevent manual analysis or code recovery; rather, it disrupts static analysis in certain tools.
Android users are advised to source banking apps only from Google Play, enable Play Protect, and be cautious of “verification requests” that prompt NFC card scans.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
