A coordinated campaign is circulating fraudulent updates for legitimate banking applications on GitHub, carrying the NFCShare Android malware. Security researchers have observed this campaign shifting focus to target financial institution customers throughout Europe with the objective of harvesting payment card information.
How the Malware Functions
Once installed, NFCShare presents victims with a deceptive verification interface that prompts them to position their payment cards against the phone's NFC sensor. The malware then leverages Android's IsoDep communication protocol and EMV command sets to extract card data. Information including the card number, card type, expiration date, and a four-digit PIN (entered under false pretenses) gets transmitted to attacker-controlled servers via WebSocket connections.
See Android Banking Malware Families: NGate, Rokarolla, BirdCall and More for related malware analysis.
Connection to Existing NFC-Based Attacks
The stolen card data supports NFC payment relay attacks—techniques previously observed in malware families like NGate, SuperCard X, and RelayNFC. These operations bypass traditional security boundaries by exploiting the physical proximity requirement of contactless payments to enable remote transaction manipulation.
For technical details on how NFC relay attacks work, see our coverage of NFC Payment Relay Attacks: Technical Analysis.
D3Lab's Investigation
Italian security firm D3Lab first identified and began tracking NFCShare in January 2026. Researcher Andrea Draghetti explained to BleepingComputer that while the malware shares conceptual similarities with other Android NFC-extracting tools, it features unique code structure, library dependencies, architectural patterns, and implementation approaches. Draghetti did not rule out a lineage from the same threat group responsible for earlier campaigns.
Attack Infrastructure and Tactics
Beginning around May 14, attackers began sending potential victims to websites mimicking legitimate bank portals. After collecting banking credentials, victims receive instructions to "update" their mobile application, which redirects them to a GitHub repository hosting the malicious APK package.
Learn about Social Engineering Tactics in Cyber Attacks to understand how attackers manipulate victims.
Social Engineering Channels
Besides fake websites, threat actors may employ SMS texts or robocalls appearing to originate from the victim's bank. D3Lab documented this approach in related campaigns, though direct evidence of such methods being used specifically with NFCShare remains limited.
GitHub Distribution Network
The campaign's distribution infrastructure consists of a single GitHub repository created on April 10. Over the course of tracking, D3Lab recorded 56 distinct APK versions hosted there, each impersonating a different mobile banking app—primarily those serving Italian and Spanish financial institutions.
Earlier in January, D3Lab tracked a version of NFCShare focused exclusively on Deutsche Bank customers in Germany. The current breadth of impersonated institutions suggests the threat actors have broadened their operational scope.
For additional context on GitHub-based malware distribution, see GitHub as a Malware Distribution Platform: Trends and Analysis.
Malware Delivery Obfuscation
The latest APK iterations use malformed file paths within the ZIP archive structure to confuse automated analysis platforms. These malformed paths cause certain extraction utilities to misinterpret relative file references as absolute filesystem paths, producing errors during static analysis.
D3Lab cautions that this technique only impedes tool-based inspection—not manual code review or deeper reverse engineering—and should not be mistaken for comprehensive anti-analysis protection.
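As an added defender-side illustration (not code from D3Lab or from this article), the following Python triage check lists APK/ZIP entries whose stored paths are absolute, use a drive letter or backslash, or would resolve outside the extraction root. The in-memory sample archive and its entry names are constructed here; they are not the actual paths used by NFCShare.

```python
import io
import posixpath
import zipfile


def suspicious_entry_reasons(name):
    """Return the reasons a stored ZIP entry name is malformed for an APK.
    A well-formed APK only contains forward-slash relative paths."""
    reasons = []
    if "\\" in name:
        reasons.append("backslash separator")
    if name.startswith("/"):
        reasons.append("absolute path")
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        reasons.append("drive letter")
    # Collapse "a/../../b" style names; anything that still starts with ".."
    # would land outside the directory a naive extractor writes into.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        reasons.append("escapes extraction root via ..")
    return reasons


def triage_apk(data):
    """Map every malformed entry name in the archive to its reasons.
    Reads the central directory only; nothing is extracted to disk."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = suspicious_entry_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_apk():
    """Constructed archive: two normal entries plus two malformed ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("/res/raw/config.bin", b"x")      # absolute path (constructed)
        zf.writestr("lib/../../../etc/hosts", b"x")   # traversal (constructed)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in triage_apk(build_sample_apk()).items():
        print(f"{entry!r}: {', '.join(why)}")
```

Python's own `ZipFile.extract` already strips these prefixes on extraction; the value of the check is flagging the archive before it reaches a tool that does not.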
See Malware Obfuscation Techniques: A Comprehensive Guide for more on evasion tactics used by modern malware.
Defending Against NFCShare
Mobile users can reduce their exposure by installing banking applications exclusively through the official Google Play Store, keeping Play Protect features active, and questioning unexpected prompts asking them to scan payment cards.
Related Android Banking Malware Families
NFCShare joins several other malicious suites targeting mobile banking:
- NGate — Incorporates the HandyPay NFC utility to exfiltrate card details
- Rokarolla — Compromises over two hundred banking and cryptocurrency applications
- BirdCall — Distributed through gaming platforms by the ScarCruft group
- Stripe-based campaigns that host stolen card data on payment infrastructure
- BTMOB — A service-oriented malware delivering customized phishing payloads
For detailed analysis of these and other Android banking threats, refer to our Android Banking Malware Families: NGate, Rokarolla, BirdCall and More resource.