NFCShare Android Malware Evolves, Targets European Banks via Fake GitHub Updates
A new, sophisticated variant of the **NFCShare** Android malware is actively targeting banking customers across Europe. Distributed through deceptive **GitHub** repositories disguised as legitimate banking app updates, the malware employs phishing tactics to steal sensitive payment card data directly from victims' devices using NFC technology.

New variants of the **NFCShare** Android malware are spreading through fake updates for legitimate banking applications, primarily hosted on **GitHub**. This evolving threat now targets customers of numerous banks and financial institutions across Europe, leveraging a sophisticated phishing campaign designed to pilfer payment card data.
### How the Attack Unfolds
The attack typically begins with victims encountering a phishing site impersonating a real bank, which prompts them to enter their banking credentials. Following this, users are urged to update their banking app and are then redirected to a **GitHub** repository containing a malicious APK file.
While **D3Lab** researchers, who have been tracking **NFCShare**'s activity since January 2026, did not directly observe these methods in the latest attacks, similar campaigns have often incorporated SMS messages or phone calls from fake bank representatives as part of the social engineering process.
### Technical Details of Data Theft
Once installed, the malware tricks victims with a fake verification screen, instructing them to place their payment cards near the mobile device's Near-Field Communication (NFC) chip. **NFCShare** then leverages Android's **IsoDep** interface and **EMV** commands to read the card information.

The malware systematically steals the card number, type, expiry date, and a 4-digit PIN, which the victim is prompted to enter under the guise of a security step. This sensitive data is then exfiltrated to the attacker's command-and-control (C2) host via a WebSocket channel. The stolen information can subsequently be exploited in NFC payment relay schemes, a technique also seen in malware such as **NGate**, **SuperCard X**, and **RelayNFC**.
### Expanding Reach and Evasion Tactics
Recent **NFCShare** attacks, observed starting May 14, highlight the malware's expanded targeting scope. The **GitHub** repository, created on April 10, has hosted 56 unique APKs impersonating mobile apps for various banks, predominantly from Italy and Spain. These include **Intesa Carte**, **Sella Carte**, **Banca Sella Carte**, **Nexi Carte**, **Fideuram Carte**, **Mooney Carte**, **CaixaBank**, **CaixaBankNfc**, and **CaixaReactivaTarjeta**.

Previously, in January, **D3Lab** reported that the malware exclusively targeted **Deutsche Bank** in Germany, indicating a significant broadening of its geographical and institutional focus.
An interesting development in the new **NFCShare** variants is the introduction of malformed APK packaging. This technique, which involves poisoned or malformed file paths within the ZIP archive of the APK, is designed to hinder automated analysis and potentially bypass certain security tools. While it may disrupt static analysis in some tools, **D3Lab** notes that it does not prevent manual analysis or code recovery.
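As an added illustration for analysts triaging such samples (this is not code from the D3Lab report), the following stdlib-only Python script opens an APK as the ZIP archive it is and lists entries whose paths look malformed. The article does not detail what the "poisoned" paths look like, so the specific checks (parent-directory traversal, absolute paths, backslash separators, empty components, control characters, duplicate names) and the in-memory sample archive are assumptions.

```python
# Triage check for malformed entry paths inside an APK. An APK is a ZIP file,
# so the central directory is read with the stdlib zipfile module and every
# entry name is tested against a few malformation patterns (assumed here; the
# report does not list them). The sample APK is constructed in memory and
# contains no real code.
import io
import zipfile


def entry_name_problems(name: str) -> list[str]:
    """Return the reasons an entry name looks malformed (empty list if clean)."""
    problems = []
    if name.startswith("/"):
        problems.append("absolute path")
    if "\\" in name:
        problems.append("backslash separator")
    if ".." in name.split("/"):
        problems.append("parent-directory traversal")
    if "//" in name:
        problems.append("empty path component")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        problems.append("control character")
    return problems


def scan_apk(apk_bytes: bytes) -> list[tuple[str, list[str]]]:
    """List (entry_name, problems) for every suspicious entry in the archive."""
    findings = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # infolist keeps duplicate names, namelist does not
            problems = entry_name_problems(info.filename)
            if info.filename in seen:
                problems.append("duplicate entry name")
            seen.add(info.filename)
            if problems:
                findings.append((info.filename, problems))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: two ordinary entries plus several poisoned paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
        zf.writestr("res/../../../tmp/escaped.txt", b"x")
        zf.writestr("/absolute/entry.bin", b"x")
        zf.writestr("assets//double.txt", b"x")
        zf.writestr("assets/ctl\x01name", b"x")
        zf.writestr("classes.dex", b"second copy")  # duplicate name, warns only
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in scan_apk(build_sample_apk()):
        print(f"{name!r}: {', '.join(problems)}")
```

Run it against a real sample by passing the APK bytes to `scan_apk`; a clean archive yields an empty list.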
### Protecting Yourself from NFCShare
For IT security professionals and privacy-conscious users, vigilance is paramount. To mitigate the risk of falling victim to **NFCShare** and similar Android malware, consider the following best practices:
* **Source Apps Officially**: Always download banking applications exclusively from official app stores like Google Play. Avoid third-party links or repositories, especially those received via email, SMS, or suspicious websites.
* **Enable Play Protect**: Ensure Google Play Protect is enabled on Android devices, as it provides a layer of defense against malicious apps.
* **Exercise Caution with NFC Scans**: Be highly suspicious of any "verification requests" that prompt you to scan your payment card using your device's NFC chip, particularly outside of a trusted, physical payment terminal environment.
* **Verify URLs**: Always double-check the URL of banking websites for authenticity before entering credentials. Phishing sites often use subtle misspellings or different domains.