NFCShare Android Malware
Cybersecurity researchers have identified new variants of the Android malware NFCShare being distributed through fake updates for legitimate banking applications hosted on GitHub. The threat has significantly evolved from its earlier versions and is now targeting customers of multiple banks and financial institutions across Europe through sophisticated phishing operations designed to steal payment card information.
How NFCShare Steals Sensitive Card Data
The attack relies on social engineering techniques that convince victims to interact with a fraudulent verification process. Users are instructed to place their payment cards near their mobile device's near-field communication (NFC) chip, allowing the malware to access card data through Android's IsoDep interface and EMV commands.
Once activated, NFCShare harvests critical information, including:
- Payment card number
- Card type
- Expiration date
- Four-digit PIN code entered by the victim as part of a fake security verification process
The stolen information is then transmitted to the attackers' command-and-control (C2) infrastructure through a WebSocket communication channel. This data can subsequently be leveraged in NFC payment relay attacks similar to those previously associated with NGate, SuperCard X, and RelayNFC malware campaigns.
An Evolving Threat With Distinct Characteristics
NFCShare was first documented by security researchers in January 2026, and ongoing monitoring has revealed continuous development and refinement of the malware. Although the threat shares behavioral similarities with other Android malware families that exploit NFC technology, researchers have identified notable differences in its codebase, libraries, architecture, and implementation methods.
Despite these distinctions, experts believe NFCShare could still represent an evolution of the same broader cybercriminal ecosystem and may be operated by the same threat actors responsible for related campaigns.
Attack Chain Begins With Banking Phishing Pages
Recent attacks observed since May 14 follow a carefully crafted infection chain. Victims are first directed to phishing websites that imitate legitimate banking portals and request online banking credentials. After providing this information, users are encouraged to install what appears to be a mandatory banking application update.
The victims are then redirected to a GitHub repository hosting malicious Android APK files. Researchers also note that SMS messages and phone calls from individuals posing as bank representatives could potentially be incorporated into the social-engineering process, although these techniques have not yet been directly observed in NFCShare campaigns.
GitHub Repository Hosts Dozens of Fake Banking Applications
The GitHub repository used to distribute the malware was created on April 10 and has already hosted 56 unique malicious APK files impersonating banking applications, primarily targeting customers in Italy and Spain. Examples include:
- Intesa Carte, Sella Carte, Banca Sella Carte, Nexi Carte, Fideuram Carte, and Mooney Carte
- CaixaBank, CaixaBankNfc, and CaixaReactivaTarjeta
Researchers previously reported that NFCShare targeted only Deutsche Bank customers in Germany during January 2026. The latest findings suggest that the malware operators have significantly expanded their targeting scope across Europe.
Obfuscation Techniques Designed to Complicate Analysis
One of the most notable enhancements in the latest NFCShare variants is the use of malformed APK packaging techniques intended to disrupt automated malware analysis and potentially interfere with certain security tools.
Although the APK files remain standard ZIP archives, the newer samples contain intentionally malformed file paths. These manipulated paths can cause some extraction tools to misinterpret internal relative paths as actual filesystem locations, resulting in processing errors and failed analysis attempts.
However, this technique does not prevent manual investigation or code recovery. Instead, it primarily serves to complicate static analysis workflows and hinder automated detection mechanisms.
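For analysis pipelines, one way to handle such samples is to inspect entry names before anything is extracted and to read members in memory instead of unpacking to disk. The following Python sketch is an added example, not code from the researchers or from NFCShare; the anomaly classes it checks (leading slash, backslashes, drive prefixes, ".." and empty segments) are assumptions, since the report does not specify how the paths are malformed, and the archive it builds is a constructed stand-in.

```python
import io
import zipfile

def path_anomalies(name: str) -> list[str]:
    """Reasons an entry name must not be used as an on-disk relative path."""
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    if len(name) > 1 and name[0].isalpha() and name[1] == ":":
        reasons.append("drive prefix")
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("parent-directory segment")
    if "" in parts[1:-1]:
        reasons.append("empty path segment")
    return reasons

def triage_apk(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to its anomalies, using the central directory only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {i.filename: path_anomalies(i.filename) for i in zf.infolist()}
    return {name: why for name, why in hits.items() if why}

def read_members(data: bytes) -> dict[str, bytes]:
    """Load every member into memory; names stay dictionary keys, never filesystem paths."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

def build_sample() -> bytes:
    """Constructed stand-in for a malformed APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("classes.dex", "/AndroidManifest.xml", "res/../../tmp/x.bin"):
            zf.writestr(zipfile.ZipInfo(name), b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in triage_apk(build_sample()).items():
        print(f"{name!r}: {', '.join(why)}")
```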
Protecting Against NFCShare Infections
Security experts advise Android users to download banking applications exclusively from trusted and reputable sources, such as official app stores or verified banking websites. Users should also exercise caution when confronted with unexpected verification procedures, particularly those requesting NFC card scans or other unusual security checks, as these may indicate an attempt to harvest sensitive financial information.