NFCShare Malware Evolves: Fake Banking App Updates Delivered Via GitHub
A strain of Android malware called NFCShare is spreading through GitHub-hosted fake updates for legitimate banking apps, targeting customers across Europe with a straightforward goal: steal your payment card data before you realise anything is wrong.
The campaign has been tracked by Italian security firm D3Lab since January, when NFCShare was first documented hitting Deutsche Bank customers in Germany. The targeting has since expanded considerably. Since mid-May, Italian and Spanish banks have been in the crosshairs, with malicious APKs impersonating apps for Intesa Sanpaolo, Banca Sella, Nexi, Fideuram, Mooney, and CaixaBank, among others. A single GitHub repository, created on 10 April, has hosted 56 unique malicious APK variants.
The attack flow is reasonably polished. Victims land on a phishing site mimicking their bank, hand over credentials, and are then told their app needs updating. They're redirected to the GitHub repo and prompted to sideload the APK. From there, the malware presents a convincing fake verification screen instructing the user to tap their payment card against the phone's NFC sensor. What it's actually doing is talking to the card through Android's IsoDep interface, issuing the same kind of EMV commands a payment terminal would and pulling the card number, card type, and expiry date out of the responses. The PIN is not on the chip and cannot be read over NFC: the fake screen simply asks the victim to type a four-digit PIN under the guise of authentication, and the app records it alongside the card data. Everything gets shipped off to attacker infrastructure over a WebSocket connection.
The harvested data feeds into NFC relay attacks, a technique also seen in NGate, SuperCard X, and RelayNFC. In a relay, the infected phone forwards the card's responses in real time to an attacker-controlled device held against a payment terminal or ATM elsewhere, so the terminal sees what looks like a genuine card present; the card number, expiry, and PIN captured alongside make the resulting fraudulent contactless transactions and withdrawals that much easier.
D3Lab researcher Andrea Draghetti confirmed to BleepingComputer that while NFCShare shares conceptual ground with other NFC-abusing malware families, its code, libraries, and architecture are distinct. Whether it shares threat actors with those campaigns remains an open question.
The newer samples include a mildly clever anti-analysis trick: the APKs, which are ZIP archives under the hood, contain deliberately malformed internal entry names. Some automated unpackers treat those names as literal filesystem paths rather than archive-relative ones and error out when they meet entries that don't resolve cleanly. It won't stop a determined analyst doing manual review, but it's enough to disrupt automated static analysis pipelines, which is presumably the point.
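An analyst triaging one of these APKs wants to see the malformed entry names before any unpacker trips over them. The following is an added example (not D3Lab's tooling and not derived from the samples, whose exact entry names the article does not publish) that audits a ZIP's central directory for entry names that would misbehave as filesystem paths, then extracts only entries that resolve inside the destination directory. The sample APK it builds is constructed for the demonstration; the specific malformed names in it are illustrative assumptions, and it also flags duplicate entry names, another ZIP trick worth catching in the same pass.

```python
"""Audit APK (ZIP) entry names before unpacking: added example, not D3Lab's tooling."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Entry-name properties that make naive extractors error out or write outside the work dir.
SUSPICIOUS = [
    ("absolute path", lambda n: n.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", n) is not None),
    ("parent traversal", lambda n: ".." in n.split("/")),
    ("backslash separator", lambda n: "\\" in n),
    ("control character", lambda n: any(ord(c) < 0x20 for c in n)),
]

def audit_apk_entries(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every central-directory entry worth a second look."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name in seen:                      # duplicate names: tools disagree on which wins
                findings.append((name, "duplicate entry name"))
            seen.add(name)
            for label, check in SUSPICIOUS:
                if check(name):
                    findings.append((name, label))
    return findings

def extract_clean(apk_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only entries whose resolved path stays inside dest; report the rest."""
    root = Path(dest).resolve()
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # Path joining discards root when the entry name is absolute, and
            # resolve() collapses "..", so the containment check catches both.
            target = (root / info.filename).resolve()
            try:
                target.relative_to(root)
            except ValueError:
                skipped.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, skipped

def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped ZIP with two honest entries and two malformed ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("../../../../tmp/payload.dex", b"traversal")     # hypothetical name
        zf.writestr("/sdcard/Download/loader.so", b"absolute")        # hypothetical name
    return buf.getvalue()

def demo() -> Tuple[List[str], List[str]]:
    """Extract the sample into a scratch directory and return (extracted, skipped)."""
    with tempfile.TemporaryDirectory() as scratch:
        return extract_clean(build_sample_apk(), scratch)

if __name__ == "__main__":
    for name, reason in audit_apk_entries(build_sample_apk()):
        print(f"{reason:22s} {name}")
    print(demo())
```

Run the audit on the raw APK bytes before handing the file to a decompiler; Python's own `zipfile.extractall` happens to sanitise these names, but the tools in a typical pipeline do not all agree, which is exactly the gap the malware authors are exploiting.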
The basics still apply. Get banking apps from Google Play only, keep Play Protect active, and treat any unsolicited prompt to tap your physical card to your phone with serious suspicion. No legitimate bank verification flow works like that.