NFCShare Android Malware Targets Banking Apps via GitHub Updates
Severity: High (Score: 69.5)
Sources: Gbhackers, www.d3lab.net, Bleepingcomputer
Keywords: banking, nfcshare, android, malware, spreads, apps, fake
Severity indicators: weaponized, malware, banking
Summary
The NFCShare Android malware is spreading through fake updates for legitimate banking apps on GitHub, primarily affecting customers of banks in Italy and Spain. Since May 14, 2026, the malware has employed a phishing campaign to trick victims into downloading malicious APKs. Victims are led to a phishing site that impersonates a real bank, where they are prompted to update their banking app. The malware utilizes NFC technology to steal card data, including card numbers, expiry dates, and PINs, which are then exfiltrated to the attacker's command-and-control server. D3Lab researchers have tracked the malware's evolution since its initial documentation in January 2026. The GitHub repository has hosted 56 unique APKs targeting multiple banks. The malware's packaging has been designed to hinder automated analysis, complicating detection efforts. Security experts recommend that Android users only download banking apps from Google Play and remain vigilant against unsolicited verification requests.
Key Points:
- NFCShare malware spreads via fake banking app updates on GitHub.
- Targets banking customers in Italy and Spain through phishing tactics.
- Steals sensitive card data using NFC technology and exfiltrates it to attackers.
Detailed Analysis
**Impact** Customers of multiple banks and financial institutions across Europe, primarily in Italy, Spain, and previously Germany, are targeted. The malware steals payment card data including card number, type, expiry date, and 4-digit PINs, enabling NFC payment relay fraud. Since April 10, 56 unique malicious APKs impersonating banking apps have been distributed via GitHub. The campaign affects the banking sector and risks financial theft and fraud, with only 14% of successful attacks detected by security teams.

**Technical Details** The attack uses phishing sites impersonating banks to coerce victims into sideloading malicious APKs hosted on GitHub repositories. NFCShare exploits Android’s IsoDep interface and EMV commands to read NFC card data after victims place cards near their device. The malware exfiltrates stolen data over WebSocket channels to attacker-controlled C2 servers. New variants include malformed APK packaging to disrupt automated static analysis. No CVEs or specific vulnerabilities were mentioned. The kill chain includes initial phishing, social engineering, malware sideloading, data theft, and exfiltration.

**Recommended Response** Users should only install banking apps from official sources such as Google Play and enable Play Protect. Security teams must monitor for suspicious APK sideloading, phishing domains, and WebSocket traffic to known C2 hosts. Deploy detection rules targeting malformed APK structures and IsoDep interface usage patterns. Conduct breach and attack simulations to validate SIEM and EDR effectiveness against this threat.
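The static-triage idea in the Recommended Response above, as an added example (not code from D3Lab or the source articles): it flags an APK that combines the NFC permission, an IsoDep reference and a WebSocket URL, and treats unreadable packaging as its own signal instead of a clean result. The indicator strings are real Android identifiers; the scoring, the function names and the sample builder are assumptions made for illustration.

```python
import io
import zipfile

# Real Android platform identifiers; the scoring heuristic is an assumption.
NFC_PERMISSION = "android.permission.NFC"
ISODEP_TYPE = b"Landroid/nfc/tech/IsoDep;"  # DEX type descriptor for IsoDep
WS_SCHEMES = (b"ws://", b"wss://")          # WebSocket URL schemes

def has_string(data, text):
    # Binary AXML stores strings as UTF-8 or UTF-16LE, so check both.
    return text.encode("utf-8") in data or text.encode("utf-16-le") in data

def triage_apk(blob):
    f = {"parse_error": False, "nfc_permission": False,
         "isodep": False, "websocket": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        f["parse_error"] = True  # container itself is unreadable
        return f
    with zf:
        for name in zf.namelist():
            is_dex = name.startswith("classes") and name.endswith(".dex")
            if name != "AndroidManifest.xml" and not is_dex:
                continue
            try:
                data = zf.read(name)
            except Exception:  # bad CRC, odd compression, truncated entry
                f["parse_error"] = True
                continue
            f["isodep"] |= is_dex and ISODEP_TYPE in data
            f["websocket"] |= is_dex and any(s in data for s in WS_SCHEMES)
            f["nfc_permission"] |= not is_dex and has_string(data, NFC_PERMISSION)
    return f

def verdict(f):
    if f["parse_error"]:
        return "manual-review"  # malformed packaging must not pass as clean
    hit = f["nfc_permission"] and f["isodep"] and f["websocket"]
    return "suspicious" if hit else "no-match"

def build_sample(manifest, dex):
    """Constructed stand-in for an APK: a ZIP with two raw entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

Legitimate payment and wallet apps can match all three indicators, so the result is a way to prioritise sideloaded samples for review, not a malware verdict.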
Source articles (3)
- NFCShare Android malware spreads via fake banking app updates on GitHub — Bleepingcomputer · 2026-06-08
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub. The malware has evolved and is now targeting customers of multiple bank…
- NFCShare Android Malware Spreads via Weaponized Banking Apps — Gbhackers · 2026-06-09
A renewed and operationally refined wave of the NFCShare Android banking trojan that delivers NFC card-data theft by masquerading as legitimate banking applications. First documented in January 2026,…
- Nfcshare Android Trojan Nfc Card Data Theft Via Malicious Apk — www.d3lab.net · 2026-06-08
Timeline
- 2026-01-10 — NFCShare malware first documented: D3Lab researchers identified the NFCShare malware, initially targeting Deutsche Bank in Germany.
- 2026-04-10 — GitHub repository created for NFCShare: The repository began hosting malicious APKs impersonating banking apps, facilitating malware distribution.
- 2026-05-14 — New phishing campaign launched: A renewed campaign began, targeting customers of banks in Italy and Spain with fake app updates.
- 2026-06-08 — BleepingComputer reports on NFCShare: The article details the malware's evolution and its methods of operation, including the use of malformed APKs.
- 2026-06-09 — Gbhackers article published: Gbhackers highlights the operational refinement of the NFCShare malware and its continued threat to banking customers.
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- Deutsche Bank (Company)
- Germany (Country)
- Italy (Country)
- Spain (Country)
- Financial (Industry)
- NFCShare (Malware)
- Ngate (Malware)
- RelayNFC (Malware)
- SuperCard X (Malware)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Android (Platform)
- GitHub (Platform)