NFCShare Android Malware Targets Banking Apps to Steal Card Data

Severity: High (Score: 67.5)

Sources: Bleepingcomputer, Gbhackers, www.d3lab.net, Cybersecuritynews

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: banking, nfcshare, android, malware, spreads, apps, fake

Severity indicators: weaponized, malware, banking

Summary

NFCShare, an Android malware, is spreading through fake updates for legitimate banking apps on GitHub. This malware targets users across Europe, particularly in Italy and Spain, by tricking them into sideloading malicious APKs. Victims are coerced into providing their payment card details via a phishing campaign that mimics real banking processes. Since May 14, 2026, the malware has evolved to include more sophisticated social engineering tactics, including fake verification screens. The malware exploits the NFC chip in mobile devices to extract sensitive information such as card numbers, expiry dates, and PINs. D3Lab researchers first documented NFCShare in January 2026 and have noted its rapid evolution and expanded targeting scope. Security teams have reported that 54% of attacks are successful, with only 14% triggering alerts. Users are advised to download banking apps exclusively from Google Play and remain vigilant against unsolicited verification requests.

Key Points:

  • NFCShare malware spreads via fake banking app updates on GitHub.
  • Targets users in Europe, particularly Italy and Spain, through phishing tactics.
  • Exploits NFC technology to steal sensitive payment card information.

Detailed Analysis

**Impact** Customers of multiple banks and financial institutions primarily across Italy, Spain, and previously Germany are affected. The malware targets mobile banking users by stealing payment card data, including card numbers, types, expiry dates, and 4-digit PINs, potentially enabling NFC payment relay fraud. Since mid-May 2026, at least 56 unique malicious APKs impersonating banking apps have been distributed, impacting European banking sectors and exposing sensitive financial data.

**Technical Details** The attack vector involves phishing campaigns that redirect victims to GitHub-hosted fake banking app updates containing the NFCShare malware. The malware uses Android’s IsoDep interface and EMV commands to read NFC card data after victims are tricked into placing cards near their device. Data exfiltration occurs over a WebSocket channel to attacker-controlled C2 servers. The malware employs malformed APK packaging to evade automated static analysis. No CVEs exploited were reported. Indicators include GitHub repositories hosting malicious APKs and WebSocket C2 communication.

**Recommended Response** Users should only install banking apps from official sources like Google Play and enable Play Protect. Security teams must monitor for phishing attempts involving fake banking app updates and block suspicious GitHub-hosted APK downloads. Detection rules should focus on anomalous WebSocket traffic and IsoDep interface usage. Breach and attack simulation tests are advised to validate SIEM and EDR detection capabilities against this threat.
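The network side of the detection guidance above, as an added example (not code from the source articles or from D3Lab): a Python correlation over web-proxy log lines that flags APK downloads from GitHub hosts and raises the severity when the same client then opens a WebSocket to a host outside an allowlist. The log format, the 30-minute window, the `ws_allowlist` parameter and every sample line are constructed assumptions; it also assumes a TLS-inspecting proxy that records full URLs in time order.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# GitHub hostnames that serve repository and release files.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample: timestamp client method url status upgrade-header
SAMPLE_LOG = """\
2026-06-09T10:00:02Z 10.0.5.21 GET https://github.com/example-user/example-repo/releases/download/v1/bank-update.apk 200 -
2026-06-09T10:04:40Z 10.0.5.21 GET https://c2.example.net/ws 101 websocket
2026-06-09T10:05:00Z 10.0.5.33 GET https://github.com/example-org/tool/archive/main.zip 200 -
2026-06-09T10:06:10Z 10.0.5.33 GET https://chat.example.org/socket 101 websocket
2026-06-09T11:30:00Z 10.0.5.44 GET https://raw.githubusercontent.com/example-user/r/main/App.APK?raw=1 200 -
"""

def parse(line):
    ts, client, _method, url, status, upgrade = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, urlsplit(url), int(status), upgrade.lower()

def is_github_apk(url):
    # Match on the path only, so query strings and case do not hide the extension.
    host = (url.hostname or "").lower()
    return host in GITHUB_HOSTS and url.path.lower().endswith(".apk")

def correlate(log_text, ws_allowlist=frozenset()):
    """Return one alert per GitHub-hosted APK download; 'high' if a WebSocket follows."""
    alerts, last_apk = [], {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        when, client, url, status, upgrade = parse(line)
        if status == 200 and is_github_apk(url):
            last_apk[client] = len(alerts)
            alerts.append({"client": client, "apk": url.geturl(), "time": when,
                           "severity": "medium", "websocket_host": None})
        elif status == 101 and upgrade == "websocket" and client in last_apk:
            alert = alerts[last_apk[client]]
            host = (url.hostname or "").lower()
            if host not in ws_allowlist and when - alert["time"] <= WINDOW:
                alert.update(severity="high", websocket_host=host)
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"], a["client"], a["apk"], a["websocket_host"])
```

A WebSocket upgrade on its own is common in legitimate apps, which is why the rule only escalates when it follows a sideload-style APK download from the same client.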

Source articles (4)

  • NFCShare Android malware spreads via fake banking app updates on GitHub — Bleepingcomputer · 2026-06-08
    New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub. The malware has evolved and is now targeting customers of multiple bank…
  • NFCShare Android Malware Spreads via Weaponized Banking Apps — Gbhackers · 2026-06-09
    A renewed and operationally refined wave of the NFCShare Android banking trojan that delivers NFC card-data theft by masquerading as legitimate banking applications. First documented in January 2026,…
  • New NFCShare Android Malware Delivered via Weaponized Versions of Legitimate Banking Apps — Cybersecuritynews · 2026-06-09
    A newly evolved strain of Android malware known as NFCShare is being spread through fake versions of legitimate banking apps, putting mobile users across Europe at serious risk. The malware is designe…
  • Nfcshare Android Trojan Nfc Card Data Theft Via Malicious Apk — www.d3lab.net · 2026-06-08

Timeline

  • 2026-01-01 — NFCShare malware first documented: D3Lab researchers identified NFCShare as a new Android malware targeting Deutsche Bank customers.
  • 2026-04-10 — GitHub repository created for NFCShare: The repository began hosting malicious APKs impersonating banking apps, with 56 unique APKs identified.
  • 2026-05-14 — New wave of NFCShare attacks observed: The malware campaign expanded its targeting to include multiple banks in Italy and Spain, using refined social engineering tactics.
  • 2026-06-08 — BleepingComputer reports on NFCShare evolution: The malware's new variants include malformed APK packaging to hinder automated analysis, complicating detection efforts.
  • 2026-06-09 — Gbhackers and Cybersecuritynews report on NFCShare: Both outlets highlight the ongoing threat posed by NFCShare, emphasizing its sophisticated phishing methods and widespread impact.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Deutsche Bank (Company)
  • Germany (Country)
  • Italy (Country)
  • Spain (Country)
  • Financial (Industry)
  • NFCShare (Malware)
  • Ngate (Malware)
  • RelayNFC (Malware)
  • SuperCard X (Malware)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Android (Platform)
  • GitHub (Platform)