
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After tricking victims with a fake verification screen into placing their cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the data using Android’s IsoDep interface and EMV commands.
The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates it to the attacker’s command-and-control (C2) host over a WebSocket channel.
The data collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.

NFCShare was first documented in January 2026 by D3Lab researchers, who have been tracking its activity and evolution.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploit NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.
Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.
Recent NFCShare attacks observed starting May 14 begin with the victim visiting a phishing site that impersonates a real bank and asks for banking credentials.
Victims are then urged to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.

The researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, as seen in similar attacks, although D3Lab researchers did not observe these methods directly.
Since its creation on April 10, the GitHub repository used for distributing NFCShare has hosted 56 unique APKs that impersonated mobile apps for banks mainly from Italy and Spain:
- Intesa Carte.apk
- Sella Carte.apk
- Banca Sella Carte.apk
- Nexi Carte.apk
- Fideuram Carte.apk
- Mooney Carte.apk
- CaixaBank.apk
- CaixaBankNfc.apk
- CaixaReactivaTarjeta.apk
In January, D3Lab reported that the malware targeted only Deutsche Bank in Germany, which may suggest an extended targeting scope.
One interesting aspect of the new version of the malware is the introduction of malformed APK packaging to hinder automated analysis, and potentially also security tools.
The APK is still a ZIP archive, but the newer samples include poisoned/malformed file paths inside that ZIP, causing some extraction tools to wrongly interpret internal relative paths as filesystem paths and trigger errors.
However, D3Lab notes that this trick does not prevent manual analysis or code recovery; rather, it disrupts static analysis in certain tools.
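A defensive triage sketch for the malformed-path packaging described above, added here as an example (it is not D3Lab's or the article's code): it lists APK members by their stored names and hashes them in memory, so no member name is ever used as a filesystem path. The article does not specify the exact malformation, so the checks in `name_issues`, the size cap, and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap; larger members are not hashed


def name_issues(name: str) -> list:
    """Reasons a ZIP member name must not be used as a filesystem path."""
    issues = []
    if not name or "\x00" in name:
        issues.append("empty-or-nul")
    if "\\" in name:
        issues.append("backslash")
    if name.startswith(("/", "\\")) or name[1:2] == ":":
        issues.append("absolute")
    if ".." in name.replace("\\", "/").split("/"):
        issues.append("traversal")
    return issues


def triage_apk(data: bytes) -> dict:
    """Walk the central directory and hash members in memory only."""
    report = {"suspicious": {}, "sha256": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            raw = info.orig_filename  # name as stored, before any cleanup
            issues = name_issues(raw)
            if issues:
                report["suspicious"][raw] = issues
            if not info.is_dir() and info.file_size <= MAX_MEMBER_BYTES:
                report["sha256"][raw] = hashlib.sha256(zf.read(info)).hexdigest()
    return report


def build_sample() -> bytes:
    """Constructed archive (not a real sample) with two hostile member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("../../tmp/poison.bin", b"x")
        zf.writestr("/res/raw/abs.bin", b"y")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in triage_apk(build_sample())["suspicious"].items():
        print(f"{name!r}: {', '.join(why)}")
```

Flagged names are useful as a detection signal in their own right, since a legitimate APK build has no reason to store absolute or parent-relative member paths.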
Android users are advised to source banking apps only from Google Play, enable Play Protect, and be wary of “verification requests” that prompt NFC card scans.


