The Rise of NFCShare Android Malware: A Phishing Campaign Targeting Banking Apps
A new iteration of the NFCShare Android malware has emerged, distributed through GitHub as counterfeit updates for legitimate banking apps.
The latest variant has refined its tactics and now targets customers of numerous banks and financial institutions across Europe. Its primary objective is a phishing campaign that steals payment card data.
Using a fake verification screen, NFCShare lures victims into holding their card against the phone's near-field communication (NFC) chip, then reads the card through Android's IsoDep interface with standard EMV commands.
Under the guise of a security check it collects the card number, card type, expiry date and the 4-digit PIN. Note that a contactless EMV read does not expose the PIN; that value can only come from the victim typing it into the fake screen. The collected data is then sent to the attacker's command-and-control (C2) host over a WebSocket channel.
The stolen details are then used in NFC payment relay schemes of the kind seen with earlier malware families such as NGate, SuperCard X and RelayNFC.
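As an added illustration, not code from the D3Lab report or from the malware itself, the Python below parses the BER-TLV record an EMV card hands back to READ RECORD once the phone has selected the payment application over IsoDep, and shows exactly what a skimmer can take from it. The sample record is constructed here around a fictional test PAN; the tag numbers are the standard EMV ones (5A PAN, 5F24 expiry, 57 Track 2 equivalent data, 5F20 cardholder name). Nothing in the record carries the PIN, which is why the malware has to ask for it.

```python
"""Parse what an EMV contactless card returns to READ RECORD and pull
out the fields a skimmer collects (PAN, expiry, service code, name)."""

# Constructed sample: a READ RECORD response (tag 70 template) for a
# fictional card using a well-known test PAN. Not captured from a real card.
SAMPLE_RECORD = bytes.fromhex(
    "70 2F"
    "5A 08 41 11 11 11 11 11 11 11"                              # Application PAN
    "5F 24 03 27 12 31"                                          # Expiry, YYMMDD
    "57 11 41 11 11 11 11 11 11 11 D2 71 22 01 00 00 00 00 0F"   # Track 2 equivalent
    "5F 20 09 43 41 52 44 2F 54 45 53 54"                        # Cardholder name
)


def parse_tlv(data: bytes) -> dict:
    """Flatten a BER-TLV buffer into {tag_hex: value}, descending into
    constructed tags (bit 6 of the first tag byte set, e.g. 70, 77, A5)."""
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag: continue while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> dict:
    """Track 2 equivalent data: PAN, 'D' separator, YYMM, service code,
    discretionary data, F-padded to a whole byte."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def extract_card_data(record: bytes) -> dict:
    """Return the card details readable over NFC. No EMV data object
    carries the PIN, so a skimmer has to obtain it from the victim."""
    tlv = parse_tlv(record)
    info = {}
    if "57" in tlv:
        info.update(decode_track2(tlv["57"]))
    if "5A" in tlv:                          # PAN is BCD, F-padded to a whole byte
        info["pan"] = tlv["5A"].hex().upper().rstrip("F")
    if "5F24" in tlv:                        # explicit expiry wins over Track 2
        info["expiry"] = tlv["5F24"].hex()[:4]
    if "5F20" in tlv:
        info["cardholder"] = tlv["5F20"].decode("ascii").strip()
    return info


if __name__ == "__main__":
    print(extract_card_data(SAMPLE_RECORD))
```

On a device the same parsing would sit behind an IsoDep transceive loop (SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS, READ RECORD); the parser does not care which side of that exchange produced the bytes, which is also why a relay of these APDUs to a remote terminal works.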
[Figure: NFCShare's social-engineering screens. Source: D3Lab]
First identified by D3Lab researchers in January 2026, NFCShare has evolved significantly since and is still being tracked closely.
According to D3Lab researcher Andrea Draghetti, while NFCShare resembles other Android malware that abuses the NFC chip, it stands apart through its own code, libraries, architecture and implementation; it may nonetheless belong to the same threat-actor ecosystem.
In the latest campaign, active since May 14, victims land on phishing sites impersonating their bank and are told to update the banking app; the "update" link leads to a malicious APK hosted in a GitHub repository.
Phishing SMS messages or calls from fake bank representatives may be part of the lure, but D3Lab researchers have not directly observed them in NFCShare attacks.
Since it was created on April 10, that GitHub repository has hosted 56 distinct APKs posing as mobile apps for banks, mostly Italian and Spanish, including:
Intesa Carte.apk
Sella Carte.apk
Banca Sella Carte.apk
Nexi Carte.apk
Fideuram Carte.apk
Mooney Carte.apk
CaixaBank.apk
CaixaBankNfc.apk
CaixaReactivaTarjeta.apk
NFCShare originally targeted Deutsche Bank customers in Germany; the broader target list now points to financial institutions across several regions.
A notable addition in the latest version is malformed APK packaging that breaks automated analysis tooling and may help samples slip past security products.
The trick mainly defeats static analysis tools; manual analysis and code recovery remain feasible.
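The page does not say which malformation NFCShare uses, so the Python below is an added example (not the researchers' tooling) of checking for one common variant: an APK whose local file headers disagree with its central directory, so that tools trusting one structure parse the archive differently from tools trusting the other. The sample archive is constructed in memory and then tampered with to plant the disagreement; run the same check over the bytes of a real APK.

```python
"""Flag an APK (a zip) whose local file headers disagree with its central
directory, a disagreement that makes different parsers see different content."""
import io
import struct
import zipfile

LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")   # PKZIP local file header, 30 bytes
LOCAL_SIG = 0x04034B50
DATA_DESCRIPTOR = 0x0008                      # general-purpose flag bit 3


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


def tamper_local_method(apk: bytes, name: str, method: int) -> bytes:
    """Rewrite the compression-method field in one entry's local header
    while leaving the central directory untouched (the planted mismatch)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        off = zf.getinfo(name).header_offset + 8   # sig(4) + version(2) + flags(2)
    return apk[:off] + struct.pack("<H", method) + apk[off + 2:]


def find_header_mismatches(apk: bytes) -> list:
    """Compare every central-directory entry against the local header it
    points to and return a human-readable finding per disagreement."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:      # zipfile trusts the central directory
        for info in zf.infolist():
            hdr = apk[info.header_offset:info.header_offset + LOCAL_HEADER.size]
            if len(hdr) < LOCAL_HEADER.size:
                findings.append(f"{info.filename}: local header offset out of range")
                continue
            (sig, _ver, flags, method, _time, _date, crc, csize, usize,
             name_len, _extra_len) = LOCAL_HEADER.unpack(hdr)
            if sig != LOCAL_SIG:
                findings.append(f"{info.filename}: bad local header signature")
                continue
            name_start = info.header_offset + LOCAL_HEADER.size
            local_name = apk[name_start:name_start + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append(f"{info.filename}: local name is {local_name!r}")
            if method != info.compress_type:
                findings.append(
                    f"{info.filename}: method {method} vs central {info.compress_type}")
            # Sizes and CRC live in the local header unless a data descriptor follows the data.
            if not flags & DATA_DESCRIPTOR and (
                    crc != info.CRC or csize != info.compress_size or usize != info.file_size):
                findings.append(f"{info.filename}: size/CRC disagree with central directory")
    return findings


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", find_header_mismatches(clean))
    bad = tamper_local_method(clean, "classes.dex", 99)
    print("tampered:", find_header_mismatches(bad))
```

Any finding is a reason to treat the sample with suspicion and to repack it cleanly (or extract entries by hand from the offsets you trust) before handing it to decompilers that assume a well-formed archive.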
Android users should install banking apps only from Google Play, keep Play Protect enabled, and treat any request to hold a payment card against the phone as a "verification step" as a red flag.