NFCShare Android malware spreads via fake banking app updates on GitHub
Publish Date: 2026-06-08 18:11:00
Source Domain: www.bleepingcomputer.com
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After a fake verification screen tricks victims into placing their cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the card information using Android’s IsoDep interface and EMV commands.

The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates this data to the attacker’s command-and-control (C2) host over a WebSocket channel.
The information collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.
[Image: NFCShare’s social engineering screens. Source: D3Lab]
NFCShare was first documented in January 2026 by D3Lab researchers, who have been tracking its activity and evolution.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploits NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.
Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.
Recent NFCShare attacks observed starting May 14 begin with the victim visiting a phishing site that impersonates a real bank and asks for banking credentials.
Victims are then urged to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.
[Image: Malicious GitHub repository. Source: D3Lab]
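The delivery chain described above (a lure page followed by an APK download from GitHub on an Android device) can be hunted for in web proxy logs. The following Python is an added example, not part of the original article or D3Lab's research; the log format, the placeholder hosts and paths, the GitHub host list, and the 10-minute window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts GitHub serves repository files and release assets from.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed proxy log (time, client, user agent, URL); hosts and paths are placeholders.
SAMPLE_LOG = """\
2026-05-14T09:00:05,10.0.0.7,Mozilla/5.0 (Linux; Android 14),https://bank-login.example/verify
2026-05-14T09:01:40,10.0.0.7,Mozilla/5.0 (Linux; Android 14),https://github.com/EXAMPLE-OWNER/EXAMPLE-REPO/raw/main/update.apk
2026-05-14T09:02:00,10.0.0.9,Mozilla/5.0 (Windows NT 10.0),https://github.com/EXAMPLE-DEV/tool/releases/download/v1/tool.apk
2026-05-14T11:30:00,10.0.0.8,Mozilla/5.0 (Linux; Android 13),https://raw.githubusercontent.com/EXAMPLE-DEV/app/main/app.apk
"""


def is_github_apk(url):
    """True when the URL points at an .apk file on a GitHub host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host in GITHUB_HOSTS and parts.path.lower().endswith(".apk")


def find_sideload_chains(log_text):
    """Flag Android clients that fetch an APK from GitHub shortly after
    browsing a non-GitHub site (the lure page in the chain described above)."""
    last_site = {}  # client -> (time, host) of the latest non-GitHub request
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines
        ts, client, agent, url = row
        when = datetime.fromisoformat(ts)
        host = (urlsplit(url).hostname or "").lower()
        if is_github_apk(url) and "Android" in agent:
            seen = last_site.get(client)
            if seen and when - seen[0] <= WINDOW:
                alerts.append({"client": client, "time": ts,
                               "lure_host": seen[1], "apk_url": url})
        elif host not in GITHUB_HOSTS:
            last_site[client] = (when, host)
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_chains(SAMPLE_LOG):
        print(alert)
```

The `lure_host` field gives responders the site to investigate and block, while the desktop download and the Android download with no preceding lure page are left unflagged.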
The researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, as seen in similar attacks, although D3Lab researchers did not…