
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and now targets customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After tricking victims with a fake verification screen into placing their cards near the mobile device's near-field communication (NFC) chip, NFCShare reads the data using Android's IsoDep interface and EMV commands.
The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates them to the attacker's command-and-control (C2) host over a WebSocket channel.
The information collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.

Source: D3Lab
NFCShare was first documented in January 2026 by D3Lab researchers, who have been tracking its activity and evolution.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploits NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.
Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.
Recent NFCShare attacks observed starting May 14 begin with the victim visiting a phishing site that impersonates a real bank and asks for banking credentials.
Victims are then prompted to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.

Source: D3Lab
The researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, as seen in similar attacks, although D3Lab researchers did not observe these methods directly.
Since its creation on April 10, the GitHub repository used for distributing NFCShare has hosted 56 unique APKs that impersonated mobile apps for banks primarily from Italy and Spain:
- Intesa Carte.apk
- Sella Carte.apk
- Banca Sella Carte.apk
- Nexi Carte.apk
- Fideuram Carte.apk
- Mooney Carte.apk
- CaixaBank.apk
- CaixaBankNfc.apk
- CaixaReactivaTarjeta.apk
In January, D3Lab reported that the malware targeted only Deutsche Bank in Germany, which may suggest an expanded targeting scope.
One interesting aspect of the new version of the malware is the introduction of malformed APK packaging to hinder automated analysis, and possibly also security tools.
The APK is still a ZIP archive, but the newer samples include poisoned/malformed file paths inside that ZIP, causing some extraction tools to wrongly interpret internal relative paths as filesystem paths and trigger errors.
However, D3Lab notes that this trick does not prevent manual analysis or code recovery; rather, it disrupts static analysis in certain tools.
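For analysts triaging such samples, one way to check an APK's entry names as stored in the ZIP central directory and to recover entry contents in memory, so that no archive name is ever turned into a filesystem path. This is an added example, not code from D3Lab or the original article; the anomaly checks are generic assumptions (the article does not say how the NFCShare paths are malformed), and the archive, its entry names and the size cap are constructed for illustration.

```python
import io
import zipfile

MAX_COMPONENT = 255        # common per-component filename limit on Linux filesystems
MAX_ENTRY_SIZE = 64 << 20  # skip entries declaring more than 64 MiB (assumed cap)

def path_anomalies(name: str) -> list[str]:
    """Reasons an entry name is unsafe to map directly onto a filesystem path."""
    if not name:
        return ["empty name"]
    reasons = []
    if "\x00" in name:
        reasons.append("NUL byte")
    if name.startswith(("/", "\\")) or name[1:2] == ":":
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("parent traversal")
    if any(len(p.encode("utf-8", "replace")) > MAX_COMPONENT for p in parts):
        reasons.append("component too long")
    return reasons

def triage_apk(data: bytes) -> dict[str, list[str]]:
    """Check raw central-directory names; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # orig_filename is the name as stored, before zipfile's own clean-up
        checked = ((i.orig_filename, path_anomalies(i.orig_filename)) for i in zf.infolist())
        return {name: why for name, why in checked if why}

def read_in_memory(data: bytes) -> dict[str, bytes]:
    """Recover entry contents by ZipInfo, never by building an output path."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.orig_filename: zf.read(i) for i in zf.infolist()
                if not i.is_dir() and i.file_size <= MAX_ENTRY_SIZE}

def build_sample() -> bytes:
    """Constructed archive standing in for an APK with hostile entry names."""
    names = ["AndroidManifest.xml", "classes.dex", "../../res/raw/a.bin",
             "/assets/cfg.json", "res/" + "A" * 300 + ".png"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(zipfile.ZipInfo(name), b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in triage_apk(build_sample()).items():
        print(f"{name[:60]!r}: {', '.join(why)}")
```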
Android users are advised to source banking apps only from Google Play, enable Play Protect, and be wary of “verification requests” that prompt NFC card scans.



