ProBackend
cyber threat intelligence
1 hour ago · 6 min read

Contactless Card Harvesters: Inside the Latest NFCShare Android Campaigns Targeting European Banks

Security researchers have tracked the evolution of the NFCShare Android trojan, which has transitioned from localized campaigns to distributing malicious APK updates through GitHub repositories while employing anti-analysis tricks.

Flynn Guard

Nobody expects their bank to ask them to update an app via GitHub. But people keep doing it. That’s because the criminals are getting better at the one thing that matters: human psychology.

NFCShare isn't new, but the way attackers are running it this year? That's a different story. In January 2026, researchers first flagged these samples targeting German customers. It was fairly specific. Now, by May 2026, we’re looking at a broad, aggressive campaign across Italy and Spain. We’re talking major institutions: Intesa Sanpaolo, Nexi, Banca Sella, Mooney, Fideuram, CaixaBank. It’s a sweep.

The attackers realized that localized phishing works, but casting a wider net across Europe pays better. They have moved from simple, low-effort malware to a pipeline that uses real GitHub infrastructure to lend legitimacy to their malicious APKs: a pivot from targeted campaigns in Germany to an automated, pan-European one. This is not brute force; it is a scalable mechanism that defuses skepticism by hiding in plain sight on a platform every developer uses. The malware matters less than the delivery, which weaponizes the user's trust in app updates. As we've noted before in our analysis of cybersecurity evolution, the threat is moving faster than the defenses.

The Hidden Threat: Android Malware Evolved

The Infrastructure of Deception

The workflow is, frankly, brilliant in its simplicity. It starts with a standard phishing attempt, likely delivered via SMS or a phone call from someone posing as a bank representative. The victim is directed to a domain like areaclienti-intesa[.]com—a perfectly cloned, convincing portal. This classic social engineering tactic highlights the dangers of weaponized urgency, which is repeatedly used by threat actors to bypass standard skepticism.

Once the victim hands over their credentials, the trap snaps shut. The user is prompted to install a "security update" for their banking app. They are sent a link, often shortened through TinyURL, to download the APK. The destination? GitHub. Not a hidden, sketchy site, but GitHub.

Since April 10, 2026, the attackers have used a GitHub repository, antoniocastaldo1998/app-scuola, to host at least 56 unique APK payloads. The commits arrive in bulk, each carrying the same automated message, "Aggiornato tutto" (Italian for "Updated everything"). This isn't one person tinkering; this is a pipeline. By hosting the payloads on a platform with near-universal trust, and one that most corporate proxies allow through, they sidestep the alarms that a direct download from a sketchy domain would trigger in a savvy user. A developer's workspace has been turned into a distribution node for mobile fraud. This incident is part of a broader trend of leveraging developer platforms for malicious ends, similar to how researchers identified a vulnerability in the VS Code Web Sandbox to target developer environments.


Technical Anatomy: How It Reads Your Card

The core of NFCShare is, not surprisingly, its use of NFC (Near Field Communication) to harvest card data. Once the victim installs the malicious APK and launches it, they are greeted by a fake verification screen that looks exactly like what they'd expect from a real banking app.

The malware uses Android's IsoDep interface (android.nfc.tech.IsoDep), which gives an app a raw ISO 14443-4 APDU channel to the contactless payment card held against the back of the phone. Once the card is in the field, the malware sends the EMV PPSE SELECT APDU: 00A404000E325041592E5359532E444446303100. Decoded, that is CLA 00, INS A4 (SELECT), P1 04 (select by DF name), P2 00, Lc 0E, the 14-byte name 2PAY.SYS.DDF01 (the Proximity Payment System Environment) and Le 00: the first command a contactless terminal sends to a card.

This is the key. The PPSE is the card's directory of payment applications: its response lists the application identifiers (AIDs) and labels the card supports, and from there the malware selects the payment application and reads the records that carry the card number, card brand and expiration date. The trojan isn't asking; it is commanding the card for raw data, exactly as a terminal would. Once it has the basics, it prompts the user to enter their PIN, claiming it's for "final verification." With the raw NFC data and the PIN, the attackers hold most of what they need for unauthorized transactions, online or in person. One caveat worth stating plainly: the chip never discloses its cryptographic keys or the CVV2, so the harvest does not yield a functional clone of the EMV chip. It yields static card data plus the PIN, which is enough for card-not-present fraud wherever no CVV2 is checked and for any cash-out path that accepts the stolen PIN. It's efficient, fast, and remarkably successful.
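To make the APDU above concrete, here is an added example (analysis-side Python, not code from the write-up or from the malware) that decodes the PPSE SELECT command and parses two constructed EMV responses with a minimal BER-TLV reader. The sample responses, the AID, the label and the test PAN are all constructed here; they were not captured from a real card or from the trojan. The point it shows is that the PPSE response only names the payment application, and the PAN and expiry come from a later read of that application's records.

```python
# Added example: decode the PPSE SELECT APDU and parse constructed EMV responses.
# Not code from the write-up or the trojan; sample responses are constructed.

PPSE_SELECT_HEX = "00A404000E325041592E5359532E444446303100"  # APDU quoted in the write-up

# Constructed PPSE FCI: 6F { 84 "2PAY.SYS.DDF01", A5 { BF0C { 61 { 4F AID, 50 label, 87 priority } } } } + SW 9000
SAMPLE_PPSE_RESPONSE = (
    "6F2F" "840E" "325041592E5359532E4444463031"
    "A51D" "BF0C1A" "6118" "4F07" "A0000000041010" "500A" "4D617374657243617264" "8701" "01"
    "9000"
)
# Constructed READ RECORD reply from the selected application: 70 { 5A PAN, 5F24 expiry YYMMDD } + SW 9000
SAMPLE_RECORD_RESPONSE = "7010" "5A08" "5555555555554444" "5F2403" "290331" "9000"


def parse_apdu(hex_apdu):
    """Split a case-4 command APDU into header, data and Le."""
    b = bytes.fromhex(hex_apdu)
    cla, ins, p1, p2, lc = b[:5]
    data = b[5:5 + lc]
    le = b[5 + lc] if len(b) > 5 + lc else None
    return {"CLA": cla, "INS": ins, "P1": p1, "P2": p2, "data": data, "Le": le}


def parse_tlv(buf):
    """Minimal BER-TLV parser as used by EMV: multi-byte tags, short and long
    lengths, recursion into constructed objects (bit 6 of the first tag byte).
    Returns a list of (tag_hex, value_bytes, children_or_None)."""
    items, i = [], 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        first = buf[i]
        tag, i = first, i + 1
        if first & 0x1F == 0x1F:            # subsequent tag bytes follow
            while True:
                tag, i = (tag << 8) | buf[i], i + 1
                if not buf[i - 1] & 0x80:
                    break
        length, i = buf[i], i + 1
        if length & 0x80:                   # long form: N length bytes follow
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        value, i = buf[i:i + length], i + length
        children = parse_tlv(value) if first & 0x20 else None
        items.append((f"{tag:X}", value, children))
    return items


def find_all(items, wanted):
    """Depth-first search for every value carrying the given tag."""
    out = []
    for tag, value, children in items:
        if tag == wanted:
            out.append(value)
        if children:
            out.extend(find_all(children, wanted))
    return out


def strip_status_word(hex_response):
    """Separate the response body from SW1 SW2; only 9000 means success."""
    raw = bytes.fromhex(hex_response)
    body, sw = raw[:-2], raw[-2:].hex().upper()
    if sw != "9000":
        raise ValueError(f"card returned SW={sw}")
    return body


def parse_ppse_response(hex_response):
    """What the PPSE SELECT really returns: the payment applications on the card
    (one 61 template each, with AID 4F, label 50 and priority 87), not the PAN."""
    apps = []
    for entry in find_all(parse_tlv(strip_status_word(hex_response)), "61"):
        fields = parse_tlv(entry)
        prio = find_all(fields, "87")
        apps.append({
            "aid": find_all(fields, "4F")[0].hex().upper(),
            "label": find_all(fields, "50")[0].decode("ascii", "replace"),
            "priority": prio[0][0] if prio else None,
        })
    return apps


def parse_record_response(hex_response):
    """PAN (5A, BCD, F-padded when odd length) and expiry (5F24, YYMMDD) live in
    the application's records, read only after the AID from the PPSE is selected."""
    rec = parse_tlv(strip_status_word(hex_response))
    pan = find_all(rec, "5A")[0].hex().upper().rstrip("F")
    yymmdd = find_all(rec, "5F24")[0].hex()
    return {"pan": pan, "expiry": f"{yymmdd[2:4]}/{yymmdd[0:2]}"}  # MM/yy, the trojan's exfil format


if __name__ == "__main__":
    apdu = parse_apdu(PPSE_SELECT_HEX)
    print(f"INS={apdu['INS']:02X} P1={apdu['P1']:02X} name={apdu['data'].decode()}")
    print(parse_ppse_response(SAMPLE_PPSE_RESPONSE))
    print(parse_record_response(SAMPLE_RECORD_RESPONSE))
```

The same parser works on APDU traces pulled from a rooted test device or an NFC sniffer, which is the quickest way to confirm which records a sample actually reads.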

Obfuscation and Exfiltration

After successfully capturing the card data and the PIN, the malware packs it up for exfiltration. The data, concatenated as card_number & card_type_or_PIN & card_label & MM/yy, is sent directly over WebSockets to C2 servers such as nfck[.]loseyourip[.]com on port 8001 or 38.47.213.197 on port 7068. Both endpoints are worth blocking and hunting for in proxy and DNS logs.
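As an added example (not from the write-up), the following Python hunts for the two halves of this campaign described above, the APK delivered from GitHub and the WebSocket check-in to the C2 endpoints, over constructed proxy log lines. The C2 hosts, ports and the TinyURL hop come from the write-up; the log format, the client addresses, the example repository path and the non-standard-port heuristic are assumptions for illustration.

```python
# Added example: hunt the NFCShare delivery and C2 pattern over constructed proxy logs.
# Indicators come from the write-up (defanging removed); the log format and hosts
# in the sample are assumptions.
import ipaddress
from collections import defaultdict

C2_ENDPOINTS = {("nfck.loseyourip.com", 8001), ("38.47.213.197", 7068)}   # from the write-up
URL_SHORTENERS = {"tinyurl.com"}                                           # from the write-up
# Assumption: the GitHub hosts a proxy sees for file downloads.
GITHUB_DOWNLOAD_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}

# Constructed sample log lines: ts client host:port path status upgrade-header
SAMPLE_LOG = """\
2026-05-04T10:12:01Z 10.0.0.12 tinyurl.com:443 /abc123 302 -
2026-05-04T10:12:02Z 10.0.0.12 github.com:443 /example-user/example-repo/raw/main/update.apk 200 -
2026-05-04T10:14:30Z 10.0.0.12 nfck.loseyourip.com:8001 / 101 websocket
2026-05-04T10:15:00Z 10.0.0.13 38.47.213.197:7068 / 101 websocket
2026-05-04T10:16:00Z 10.0.0.14 github.com:443 /example-user/example-repo 200 -
2026-05-04T10:17:00Z 10.0.0.15 chat.example.net:443 /socket 101 websocket
"""


def parse_line(line):
    ts, client, hostport, path, status, upgrade = line.split()
    host, _, port = hostport.rpartition(":")
    return {"ts": ts, "client": client, "host": host.lower(), "port": int(port),
            "path": path, "status": int(status), "upgrade": upgrade.lower()}


def classify(ev):
    """Return the rule names that fire on one event, in a fixed order."""
    hits = []
    if (ev["host"], ev["port"]) in C2_ENDPOINTS:
        hits.append("c2_ioc")
    if ev["host"] in GITHUB_DOWNLOAD_HOSTS and ev["path"].lower().endswith(".apk"):
        hits.append("github_apk")            # sideloaded package from a code host
    if ev["host"] in URL_SHORTENERS and ev["status"] in (301, 302, 307, 308):
        hits.append("shortener_hop")
    if ev["upgrade"] == "websocket":
        # Hunting heuristic, not an IOC: WebSocket handshake to a non-standard port
        # or straight to a bare IP. Tune against your own baseline.
        try:
            ipaddress.ip_address(ev["host"])
            bare_ip = True
        except ValueError:
            bare_ip = False
        if ev["port"] not in (80, 443) or bare_ip:
            hits.append("ws_unusual")
    return hits


def hunt(log_text):
    """Rule hits per client, in the order they fired."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for rule in classify(ev):
            per_client[ev["client"]].append(rule)
    return dict(per_client)


def verdicts(per_client):
    """Escalate: a known C2 hit is confirmed, an APK from GitHub is suspicious,
    anything else that fired only the heuristic is queued for review."""
    out = {}
    for client, rules in per_client.items():
        if "c2_ioc" in rules:
            out[client] = "confirmed"
        elif "github_apk" in rules:
            out[client] = "suspicious"
        elif rules:
            out[client] = "review"
    return out
```

Run against real logs, the shortener hop followed within minutes by an .apk from GitHub is the sequence to alert on even before the C2 indicators are known; the indicators themselves rotate, the delivery shape does not.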

To keep researchers from looking too closely at their code, the attackers obfuscate strings with NPStringFog using the key itnewpag. The code is littered with Chinese strings such as 发送端 (sender), which points either to the developers' origin or to a toolkit traded across borders; the samples alone cannot settle which. This mix of obfuscation and rudimentary but functional exfiltration suggests an operation that is constantly tuning its defenses while keeping its primary focus on harvesting card data as quickly and reliably as possible. They aren't trying to build the most advanced piece of software in existence; they just need it to stay under the radar long enough to make their money.

Poisoning the Well: Evasion Techniques

The most sophisticated move in this latest variant is how they handle anti-analysis. Security researchers often use automated static analysis tools—the "assembly line" for checking APKs—to quickly see what a new variant is doing. The NFCShare attackers knew this and built a countermeasure.

They started injecting malformed or "poisoned" ZIP path entries into their APK packages, with names aimed at the files every analysis tool needs, such as /AndroidManifest.xml/ or /classes.dex. When an automated tool unzips the APK to look at the internals, those names are a trap: a path that begins with a slash tells an extractor that honours it as written to create files at the root of the filesystem, which fails with a read-only filesystem or permission error, and a directory entry that shares a name with a real file collides with that file on disk. The tool throws an error and the analysis fails.

The tool stops, the analysis fails, and the researcher is left with silence. Meanwhile, the Android operating system itself doesn't care: its package parser never extracts the archive to disk but looks up the entries it needs by name in the ZIP central directory, so when a user installs the app Android loads the legitimate AndroidManifest.xml and classes.dex and never touches the poisoned entries. It's a cheap "fire and forget" tactic that buys the malware a window of operational life before anyone can comfortably reverse-engineer its new behavior. The countermeasure for analysts is equally cheap: list the archive without extracting it, and treat absolute or colliding paths as a signal in themselves. They also increased the DEX count from 8 to 10, a small but indicative sign of constant patching and refinement of the core payload.
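As an added example (not from the write-up), this Python triages an APK the way the Android package parser reads it, by walking the ZIP central directory and reading entries by exact name, and flags the poisoned path entries described above without ever extracting to disk. The sample archive is constructed here with placeholder contents; the poisoned names are modelled on the two quoted in the write-up, and the traversal entry is an assumed variant of the same trick.

```python
# Added example: triage APK entry names from the central directory without
# extracting anything. Sample archive and its contents are constructed here.
import io
import re
import zipfile

REQUIRED_FILES = {"AndroidManifest.xml", "classes.dex"}
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def build_sample_apk(poisoned):
    """Minimal stand-in for an APK with placeholder contents (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        zf.writestr("classes2.dex", b"dex\n035\0placeholder")
        zf.writestr("res/values.xml", b"<resources/>")
        if poisoned:
            zf.writestr("/AndroidManifest.xml/", b"")   # name quoted in the write-up
            zf.writestr("/classes.dex", b"junk")        # name quoted in the write-up
            zf.writestr("../classes.dex", b"junk")      # assumed traversal variant
    return buf.getvalue()


def triage_zip_entries(zip_bytes):
    """Flag entry names that disk-based extractors choke on. Reads only the
    central directory; nothing is written to the filesystem."""
    findings, seen = {}, set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            if name.startswith(("/", "\\")):
                reasons.append("absolute path")            # extraction lands on the root
            parts = name.replace("\\", "/").split("/")
            if ".." in parts:
                reasons.append("parent traversal")
            normalised = "/".join(p for p in parts if p)
            if name.endswith("/") and normalised in REQUIRED_FILES:
                reasons.append("directory entry named like a required file")
            if normalised in seen:
                reasons.append("collides with an earlier entry after normalisation")
            seen.add(normalised)
            if reasons:
                findings[name] = reasons
    return findings


def read_required_entries(zip_bytes):
    """Mirror the installer's behaviour: fetch the entries it needs by exact
    name from the central directory and ignore everything else."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: len(zf.read(name)) for name in REQUIRED_FILES}


def count_dex_files(zip_bytes):
    """Top-level classes*.dex count, the figure the write-up tracks across variants."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sum(1 for n in zf.namelist() if DEX_NAME.match(n))


if __name__ == "__main__":
    apk = build_sample_apk(poisoned=True)
    for name, reasons in triage_zip_entries(apk).items():
        print(f"{name!r}: {', '.join(reasons)}")
    print("installer view:", read_required_entries(apk), "dex files:", count_dex_files(apk))
```

Run this before any tool that extracts to disk; a non-empty findings dict is itself a detection, since legitimate build pipelines do not emit absolute or colliding entry names.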

The Hard Truth of Mobile Fraud

NFCShare isn't a headline-grabbing, massive infrastructure-toppling attack. It doesn't use zero-days to break into global banks. It does something much more dangerous: it uses the user.

By combining the low-level capability of Android’s NFC stack with the high-trust environment of GitHub and the classic, reliable mechanics of social engineering, the actors behind NFCShare have created a fraud machine that works. They are forcing the security community to play a game of whack-a-mole where they can generate, host, and distribute new variants faster than anyone can take them down.

The takeaway is uncomfortable. Sophistication doesn't necessarily mean high-tech complexity; it often means a more intelligent use of existing, trusted mechanisms. As long as users can be convinced that a GitHub URL is just as good as a Play Store link, and as long as they trust a fake app update on their phone, NFCShare and its descendants will continue to thrive. We cannot patch our way out of this one; the vulnerable component is the user's trust. Education is the only defense that addresses it, and it is also the slowest to implement and the hardest to scale. If you see a banking update that takes you to GitHub? Run. Don't click. Don't trust. Just stop.
