{"id":267856,"date":"2026-06-08T18:11:00","date_gmt":"2026-06-08T22:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github\/"},"modified":"2026-06-08T19:45:09","modified_gmt":"2026-06-08T23:45:09","slug":"nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github\/","title":{"rendered":"NFCShare Android malware spreads via fake banking app updates on GitHub"},"content":{"rendered":"

NFCShare Android malware spreads via fake banking app updates on GitHub<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github\/<\/a><\/p>\n

Publish Date: 2026-06-08 18:11:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.<\/p>\n

The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.<\/p>\n

After tricking victims with a fake verification screen to place the cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the information using Android\u2019s IsoDep interface and EMV commands.<\/p>\n

\"image\"<\/p>\n

The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates it to the attacker\u2019s command-and-control (C2) host over a WebSocket channel.<\/p>\n

The information collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.<\/p>\n

\"MaliciousNFCShare’s social engineering screens<\/strong>
Source: D3Lab<\/p>\n

NFCShare was first documented by D3Lab researchers in January 2026, who have been tracking its activity and evolution.<\/p>\n

D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploit NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.<\/p>\n

Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.<\/p>\n

Recent NFCShare attacks observed starting May 14 begin with the victim visiting a phishing site that impersonates a real bank and asks for banking credentials.<\/p>\n

Victims are then urged to update their banking app and are redirected to a GitHub repository hosting a malicious APK file.<\/p>\n

\"MaliciousMalicious GitHub repository<\/strong>
Source: D3Lab<\/p>\n

The researchers note that SMS messages or phone calls from fake bank representatives may also be used as part of the social-engineering process, as seen in similar attacks, although D3Lab researchers did not…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

NFCShare Android malware spreads via fake banking app updates on GitHub https:\/\/www.bleepingcomputer.com\/news\/security\/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github\/ Publish Date: 2026-06-08…<\/p>\n","protected":false},"author":1,"featured_media":267857,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/21\/card.jpg","fifu_image_alt":"","footnotes":""},"categories":[46],"tags":[31,32,25,57],"class_list":["post-267856","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","tag-exploit","tag-malware","tag-phishing","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267856"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=267856"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267856\/revisions"}],"predecessor-version":[{"id":267858,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267856\/revisions\/267858"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/267857"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=267856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=267856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=267856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}