NFCShare Android malware spreads via fake banking app updates on GitHub

New variants of the NFCShare Android malware have emerged, disguised as fake updates for legitimate banking applications hosted on GitHub. The malware now targets customers of banks and financial institutions across Europe in a phishing campaign designed to steal sensitive payment card data.

Mechanics of the Attack

Once victims are ensnared by a fraudulent verification screen, they are prompted to hold their cards near the near-field communication (NFC) chip of their mobile devices. Using Android’s IsoDep interface and EMV commands, NFCShare reads the card information: the card number, type and expiry date, plus a 4-digit PIN the victim enters under the guise of a security measure. The stolen data is then exfiltrated to the attacker’s command-and-control (C2) host over a WebSocket channel.

The information harvested in this manner can be exploited in NFC payment relay schemes, similar to those documented in previous malware attacks such as NGate, SuperCard X, and RelayNFC.

NFCShare’s social engineering screens
Source: D3Lab

Initially documented by D3Lab researchers in January 2026, NFCShare has been under continuous observation for its activity and evolution. D3Lab researcher Andrea Draghetti shared insights with BleepingComputer, noting that while NFCShare bears resemblance to other Android malware that exploits NFC chips for data theft, it possesses unique code, libraries, architecture, and implementation details. Draghetti speculated that it might still represent an evolution within the same ecosystem, driven by the same threat actors.

Recent Developments

Recent attacks attributed to NFCShare, which began on May 14, typically commence with victims visiting a phishing site masquerading as a legitimate bank, where they are prompted to enter their banking credentials. Following this, victims are urged to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.

Malicious GitHub repository
Source: D3Lab

Researchers have observed that SMS messages or phone calls from counterfeit bank representatives may also play a role in the social-engineering tactics employed, although D3Lab has not directly witnessed these methods in action. Since its inception on April 10, the GitHub repository used for distributing NFCShare has hosted 56 unique APKs, impersonating mobile applications for banks primarily located in Italy and Spain, including:

  • Intesa Carte.apk
  • Sella Carte.apk
  • Banca Sella Carte.apk
  • Nexi Carte.apk
  • Fideuram Carte.apk
  • Mooney Carte.apk
  • CaixaBank.apk
  • CaixaBankNfc.apk
  • CaixaReactivaTarjeta.apk

In January, D3Lab reported that the malware targeted only Deutsche Bank in Germany; the Italian and Spanish banks now impersonated indicate an expansion of its targeting scope.

Technical Innovations

An intriguing aspect of the latest version of the malware is the implementation of malformed APK packaging, designed to complicate automated analysis and potentially thwart security tools. While the APK remains a ZIP archive, the newer samples feature poisoned or malformed file paths within that ZIP. This causes certain extraction tools to misinterpret internal relative paths as filesystem paths, resulting in errors. However, D3Lab clarifies that this tactic does not obstruct manual analysis or code recovery; rather, it disrupts static analysis in specific tools.
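As an added, defender-side example (not code from the article or from D3Lab), the following Python script reads only the central directory of an APK and flags entry names that abuse path semantics in the way described above (absolute paths, `..` traversal, backslashes, control characters), without extracting anything to disk. The sample archive is constructed inline and is not a real NFCShare sample.

```python
"""Flag ZIP/APK entry names that abuse filesystem path semantics."""
import io
import re
import zipfile

# Patterns a well-formed APK entry name should never contain.
SUSPICIOUS = {
    "absolute": re.compile(r"^/|^[A-Za-z]:"),       # /etc/x or C:\x
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),     # ../ segments
    "backslash": re.compile(r"\\"),                 # Windows separators
    "control": re.compile(r"[\x00-\x1f\x7f]"),      # embedded control chars
}


def classify_entry(name: str) -> list[str]:
    """Return the labels of every problem found in one archive entry name."""
    return [label for label, rx in SUSPICIOUS.items() if rx.search(name)]


def audit_apk(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in the archive to its problem labels.

    Only the central directory is parsed; no member is written to disk,
    so a poisoned name cannot be turned into a real filesystem path here.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = classify_entry(info.filename)
            if problems:
                findings[info.filename] = problems
    return findings


def build_sample() -> bytes:
    """Constructed sample: one clean entry plus three poisoned names of the
    kind the article describes (hypothetical, not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("../../res/evil.xml", b"x")
        zf.writestr("/tmp/classes.dex", b"x")
        zf.writestr("res\\values\\strings.xml", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in audit_apk(build_sample()).items():
        print(f"{name!r}: {', '.join(problems)}")
```

Running the script against a real APK means replacing `build_sample()` with the file's bytes; any finding is reason to analyse the archive manually rather than feeding it to an automated extractor.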

In light of these developments, Android users are strongly advised to obtain banking applications exclusively from Google Play, enable Play Protect, and remain vigilant against “verification requests” that solicit NFC card scans.
