NFCShare Android Malware Steals Card Data via Fake Bank App Updates on GitHub
New variants of the NFCShare Android malware are spreading through a phishing campaign that impersonates legitimate banking apps, with malicious APKs hosted on public GitHub repositories. Discovered and tracked by Italian cybersecurity firm D3Lab, the campaign has primarily targeted customers of financial institutions in Italy and Spain, including Intesa Sanpaolo, Banca Sella, Nexi, and CaixaBank. Victims are first lured to phishing sites that mimic real bank portals, where they are prompted to enter their banking credentials and then download a fake app update—redirecting them to a GitHub repository containing the trojanized APK. Since the repository was created on April 10, 2026, it has hosted 56 unique malicious APKs designed to impersonate mobile banking applications.
Once installed, NFCShare displays a convincing overlay that instructs the victim to hold their payment card against the back of the phone, framed as a security verification step. With the card in range, the malware opens an Android IsoDep session to the card's chip and issues standard EMV APDU commands to read its application records, capturing the card number, card type and expiry date. The contactless chip never discloses the PIN, so the 4-digit PIN is phished separately: the victim types it into a prompt in the fake app. Captured data is exfiltrated to the attacker's command-and-control server over a WebSocket channel, which lets the operator relay it in real time. According to D3Lab researcher Andrea Draghetti, NFCShare uses distinct code, libraries and architectural choices that set it apart from similar tools such as NGate, SuperCard X and RelayNFC, although it may still originate from the same threat actor ecosystem.
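To make the EMV read step concrete, here is an added example (not NFCShare code, and not from D3Lab) that shows the APDU sequence a skimmer sends over IsoDep and parses the BER-TLV record that comes back. The record is constructed for this example around the well-known Visa test PAN 4111 1111 1111 1111; the brand lookup is a simplified IIN table, and the masking and Luhn helpers are what an analyst would apply to data recovered from a C2 or a decompiled sample.

```python
"""Parse an EMV READ RECORD response the way an NFC skimmer (or an analyst
reconstructing its loot) would. Added example; sample record is constructed."""

# APDUs of the standard EMV contactless read sequence. A skimmer sends these
# through IsoDep.transceive(); they double as byte patterns to grep for when
# reviewing a decompiled APK.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")  # "2PAY.SYS.DDF01"
SELECT_VISA_AID = bytes.fromhex("00A4040007A000000003101000")            # A0000000031010
GET_PROCESSING_OPTIONS = bytes.fromhex("80A8000002830000")                # empty PDOL
READ_RECORD_SFI1_REC1 = bytes.fromhex("00B2010C00")                       # P2 = (SFI<<3)|4

# Constructed READ RECORD response: tag 70 wrapping PAN (5A), expiry (5F24,
# YYMMDD), cardholder name (5F20) and Track 2 equivalent data (57).
SAMPLE_RECORD = bytes.fromhex(
    "702D"
    "5A084111111111111111"
    "5F2403281231"
    "5F2008444F452F4A4F484E"            # "DOE/JOHN"
    "57104111111111111111D281220100000000"
)


def _read_tag(data: bytes, i: int) -> tuple[bytes, int]:
    """BER tag: if the low 5 bits of the first byte are all set, more bytes follow
    while their high bit is set."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def _read_len(data: bytes, i: int) -> tuple[int, int]:
    """BER length: short form (< 0x80) or 0x8N followed by N length bytes."""
    b = data[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Flatten BER-TLV into {tag_hex: value}; constructed tags (bit 6 set)
    are descended into, padding bytes 00/FF between objects are skipped."""
    out: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_len(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV object")
        i += length
        if tag[0] & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def brand_from_pan(pan: str) -> str:
    """Simplified IIN lookup (assumption: enough for the example, not a BIN table)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if len(pan) >= 4 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    return "unknown"


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to validate a PAN recovered from a TLV or a C2 dump."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_card_data(record: bytes) -> dict[str, str]:
    """Pull the fields a skimmer wants out of one READ RECORD response."""
    tlv = parse_tlv(record)
    out: dict[str, str] = {}
    if "5A" in tlv:
        out["pan"] = tlv["5A"].hex().upper().rstrip("F")   # BCD, F-padded if odd
    if "5F24" in tlv:
        out["expiry"] = tlv["5F24"].hex()[:4]              # YYMMDD -> YYMM
    if "5F20" in tlv:
        out["holder"] = tlv["5F20"].decode("ascii", "replace").strip()
    if "57" in tlv:                                          # PAN 'D' YYMM SVC ...
        pan, _, rest = tlv["57"].hex().upper().rstrip("F").partition("D")
        out.setdefault("pan", pan)
        out["track2_expiry"] = rest[:4]
        out["service_code"] = rest[4:7]
    if "pan" in out:
        out["brand"] = brand_from_pan(out["pan"])
    return out


if __name__ == "__main__":
    card = extract_card_data(SAMPLE_RECORD)
    print({k: (mask_pan(v) if k == "pan" else v) for k, v in card.items()},
          "luhn_ok" if luhn_ok(card["pan"]) else "luhn_fail")
```

Tag 57 is the interesting one for fraud: it carries PAN, expiry and service code in one field, which is why an attacker who can issue READ RECORD does not need anything else from the chip, and why the PIN has to be phished through the overlay rather than read.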
The latest version ships in a malformed APK: the ZIP container carries poisoned file paths that confuse automated analysis sandboxes and some security tools. The trick does not stop manual analysis, but it raises the cost of high-volume automated detection. D3Lab's findings, shared with BleepingComputer, also note that SMS messages and phone calls from fake bank representatives may supplement the phishing flow, although that vector was not directly observed in the current campaign. As NFC-based payment fraud continues to evolve, users should verify any app update prompt directly through their bank's official website or app and avoid installing APKs from third-party repositories, GitHub included; a bank's mobile app is updated through the official app store, never through a link to a code-hosting site. Security teams vetting a suspicious banking domain can inspect its TLS certificate and WHOIS record for signs of recent, anonymous registration before deciding whether a distribution URL is legitimate.
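The page does not spell out which ZIP-level tricks NFCShare uses, so the following added example (not NFCShare or D3Lab code) assumes the usual set and shows how to triage an APK for them: directory traversal in entry names, absolute paths, control characters, duplicate entries, and an entry whose name in the local file header disagrees with the central directory. It builds a constructed APK-shaped ZIP in memory, poisons it, and then scans it using the central directory plus a manual read of each local header; the entry names and contents are made up for the example.

```python
"""Triage ZIP/APK entry names for anti-analysis tricks. Added example with a
constructed sample archive; the checks are assumptions about what "poisoned
file paths" covers, not a description of NFCShare's exact layout."""
import io
import re
import struct
import warnings
import zipfile
from collections import Counter

LOCAL_HEADER_SIG = 0x04034B50
UTF8_FLAG = 0x800  # general-purpose bit 11: name is UTF-8 rather than CP437


def build_apk(poisoned: bool) -> bytes:
    """Build a minimal APK-like ZIP (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.bank'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if poisoned:
            # Names that extract-then-analyze tooling has to cope with.
            zf.writestr("../../../tmp/payload.so", b"\x7fELF")   # directory traversal
            zf.writestr("/sdcard/Download/x", b"x")               # absolute path
            zf.writestr("res/raw/c\x01fg", b"")                   # control character
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")                   # zipfile warns on dup names
                zf.writestr("AndroidManifest.xml", b"<manifest android:debuggable='true'/>")
    data = bytearray(buf.getvalue())
    if poisoned:
        # Rewrite the *local* header name of classes.dex so it disagrees with the
        # central directory. Same length, so no other offset moves. Tools that
        # stream local headers and tools that trust the central directory now
        # see two different files.
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("classes.dex").header_offset
        assert data[off + 30:off + 41] == b"classes.dex"
        data[off + 30:off + 41] = b"classes.bak"
    return bytes(data)


def local_header_name(data: bytes, offset: int) -> bytes:
    """Raw entry name from the local file header at `offset` (30-byte fixed part,
    name length at +26, name starts at +30)."""
    (sig,) = struct.unpack_from("<I", data, offset)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    return bytes(data[offset + 30:offset + 30 + name_len])


def scan_apk(data: bytes) -> list[str]:
    """Return findings for poisoned entry names; an empty list means none found."""
    findings: list[str] = []
    seen: Counter = Counter()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            seen[name] += 1
            parts = re.split(r"[\\/]", name)
            if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
                findings.append(f"absolute path: {name!r}")
            if ".." in parts:
                findings.append(f"path traversal: {name!r}")
            if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
                findings.append(f"control character in name: {name!r}")
            encoding = "utf-8" if info.flag_bits & UTF8_FLAG else "cp437"
            local = local_header_name(data, info.header_offset)
            if local != name.encode(encoding):
                findings.append(f"central/local name mismatch: {name!r} vs {local!r}")
        for name, count in seen.items():
            if count > 1:
                findings.append(f"duplicate entry: {name!r} x{count}")
    return findings


if __name__ == "__main__":
    for finding in scan_apk(build_apk(poisoned=True)):
        print(finding)
    print("clean sample:", scan_apk(build_apk(poisoned=False)))
```

Run the scanner before anything else touches a submitted APK: a traversal or absolute name means a naive extractor would write outside its working directory, a duplicate or mismatched entry means two tools can legitimately disagree about what the archive contains, and either condition is reason enough to route the sample to manual analysis rather than trust an automated verdict on it.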