Android Malware NFCShare Targets Europe Banks via GitHub Updates

Fifty-six unique APKs have been hosted in a GitHub repository created on April 10, distributing new variants of an Android loader named NFCShare that pose as banking-app updates.

NFCShare infection chain: phishing site to GitHub APK

D3Lab researchers first documented NFCShare in January 2026 and have tracked its evolution since. The attacks observed since May 14 begin when a victim visits a phishing site impersonating a real bank and is asked for banking credentials. The victim is then urged to install an "update" to the banking app and is redirected to a GitHub repository that hosts a malicious APK.

D3Lab notes that SMS messages or phone calls from fake bank representatives may also be used in the social-engineering process in similar campaigns, although the researchers did not observe those methods directly in the NFCShare cases they reported to BleepingComputer.

GitHub repository and the fake banking APKs

The GitHub repository used by the attackers has hosted 56 distinct APKs designed to impersonate legitimate mobile apps for banks primarily in Italy and Spain. Sample filenames recorded by D3Lab include:

  • Intesa Carte.apk
  • Sella Carte.apk
  • Banca Sella Carte.apk
  • Nexi Carte.apk
  • Fideuram Carte.apk
  • Mooney Carte.apk
  • CaixaBank.apk
  • CaixaBankNfc.apk
  • CaixaReactivaTarjeta.apk

In January, D3Lab reported that the earlier NFCShare activity targeted only Deutsche Bank in Germany. The shift to Italian and Spanish banks suggests the campaign's targeting has broadened both geographically and across financial institutions.

How NFCShare reads cards, captures PINs, and exfiltrates data

The malware leverages Android’s IsoDep interface and EMV commands to read contactless payment card data after tricking victims with a fake verification screen that instructs them to place cards near the device’s NFC chip. NFCShare captures the card number, card type, expiry date, and the four-digit PIN that the victim is prompted to enter as a supposed security step.
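
As an added illustration of the card-reading step (example code written for this article, not D3Lab's or NFCShare's), the Python below builds the EMV READ RECORD command an Android app would hand to IsoDep.transceive() and decodes a constructed response into the fields the loader harvests. The response bytes, the record layout and the scheme lookup are assumptions made for the example; the PAN is the standard Visa test number, and the PIN is not in the card data at all, which is why the malware has to ask the victim for it on the fake screen.

```python
"""Decode the EMV record data an NFC card-reading loader harvests over IsoDep.

Added example, not D3Lab's or NFCShare's code. SAMPLE_RESPONSE is a constructed
READ RECORD reply carrying the Visa test PAN 4111111111111111; tag numbers are the
EMV Book 3 ones (57 Track 2 Equivalent Data, 5A PAN, 5F24 Expiration Date).
"""
from dataclasses import dataclass


def read_record_apdu(sfi: int, record: int) -> bytes:
    """READ RECORD command: CLA 00, INS B2, P1 = record number, P2 = (SFI << 3) | 4, Le 00."""
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])


def parse_tlv(data: bytes) -> dict[int, bytes]:
    """Flatten a BER-TLV blob into {tag: value}, descending into constructed tags."""
    fields: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        first = data[i]
        tag, i = first, i + 1
        if first & 0x1F == 0x1F:            # multi-byte tag: continue while bit 8 is set
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag:X}")
        i += length
        if first & 0x20:                    # constructed (e.g. the 70 record template): recurse
            fields.update(parse_tlv(value))
        else:
            fields[tag] = value
    return fields


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, a cheap way to confirm the PAN was parsed correctly."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Scheme guess from the leading digits (assumption: a simplified IIN table)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    return "unknown"


@dataclass
class CardData:
    pan: str
    expiry: str      # YYMM
    brand: str


def extract_card(response: bytes) -> CardData:
    """Pull PAN and expiry from a READ RECORD response laid out as data || SW1 SW2."""
    data, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status {sw.hex()}")
    f = parse_tlv(data)
    pan = expiry = None
    if 0x57 in f:                                   # Track 2: PAN 'D' YYMM service-code ...
        track2 = f[0x57].hex().upper()
        pan, rest = track2.split("D", 1)
        expiry = rest[:4]
    if 0x5A in f:
        pan = f[0x5A].hex().upper().rstrip("F")     # odd-length PANs are padded with F
    if 0x5F24 in f:
        expiry = f[0x5F24].hex()[:4]                # YYMMDD on the card, keep YYMM
    if pan is None or expiry is None:
        raise ValueError("record carries no PAN/expiry")
    return CardData(pan=pan, expiry=expiry, brand=brand_of(pan))


# Constructed response: a 70 record template with Track 2, PAN and expiry, then SW 9000.
SAMPLE_RESPONSE = bytes.fromhex(
    "70 23"
    "57 11 4111111111111111D25121011234567890"
    "5A 08 4111111111111111"
    "5F24 03 251231"
    "9000"
)

if __name__ == "__main__":
    card = extract_card(SAMPLE_RESPONSE)
    print(f"{card.brand} ****{card.pan[-4:]} exp {card.expiry} luhn_ok={luhn_ok(card.pan)}")
```

On a real device the same parsing would run over whatever the card returns to `IsoDep.transceive(read_record_apdu(sfi, n))` after the application selection steps; the example stops at decoding because the malware's value is precisely in these three fields.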

Collected information is exfiltrated over a WebSocket channel to an attacker command-and-control (C2) host. D3Lab researchers highlighted that data captured in this manner can be used in NFC payment relay schemes, examples of which are documented under names such as NGate, SuperCard X, and RelayNFC.

Technical evasion: malformed APK packaging to foil automated analysis

Newer NFCShare samples show an intentional packaging change: malformed file paths inside the APK's ZIP archive. The APK is still a valid ZIP, but entry names that are not well-formed relative paths cause some extraction tools to treat them as filesystem references and fail. D3Lab cautions that this disrupts static analysis in certain tools but does not prevent manual analysis or code recovery.
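
An added check for analysis pipelines (example code, not D3Lab's tooling or the malware's): scan every entry name in an APK for paths that are not safe relative paths, unpack into memory under sanitized names instead of letting an extractor touch the filesystem, and confirm the mandatory APK members are present. The sample archive, its entry names and the required-member list are constructed for the example.

```python
"""Triage APK entry names before an automated pipeline unpacks the archive.

Added example, not D3Lab's or NFCShare's code. build_sample_apk() constructs an
in-memory archive with a normal APK layout plus entries whose names are malformed
relative paths of the kind the article describes; every path here is made up.
"""
import io
import re
import zipfile

REQUIRED = {"AndroidManifest.xml", "classes.dex"}   # minimum an installable APK carries


def is_malformed(name: str) -> list[str]:
    """Return why an entry name is unsafe as a relative path; an empty list means clean."""
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if re.match(r"^[A-Za-z]:", name):
        reasons.append("drive letter")
    if "\\" in name:
        reasons.append("backslash separator")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character")
    return reasons


def sanitize(name: str) -> str:
    """Reduce any entry name to a safe relative path (drop drive, '.', '..' and empty parts)."""
    name = re.sub(r"^[A-Za-z]:", "", name.replace("\\", "/"))
    return "/".join(p for p in name.split("/") if p not in ("", ".", ".."))


def triage_apk(blob: bytes) -> dict:
    """Flag malformed names and unpack into memory under sanitized names.

    Nothing is written to disk, so a hostile name can never become a filesystem path.
    """
    findings: dict[str, list[str]] = {}
    files: dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons = is_malformed(info.filename)
            safe = sanitize(info.filename)
            if not info.is_dir() and safe:
                if safe in files:
                    # two raw names collapse onto one path: keep the first, flag the second
                    reasons.append(f"collides with {safe!r} after sanitizing")
                else:
                    files[safe] = zf.read(info)
            if reasons:
                findings[info.filename] = reasons
    return {"findings": findings, "files": files, "missing": sorted(REQUIRED - set(files))}


def build_sample_apk() -> bytes:
    """Constructed sample: a plausible APK layout plus three malformed entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(16))
        zf.writestr("../../lib/arm64-v8a/libnfc.so", b"\x7fELF")   # traversal
        zf.writestr("/res/raw/config.bin", b"cfg")                 # absolute path
        zf.writestr("..\\classes.dex", b"dex\n035\x00decoy")        # backslash + decoy dex
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for raw, why in report["findings"].items():
        print(f"{raw!r}: {', '.join(why)}")
    print("missing:", report["missing"] or "none", "| members:", sorted(report["files"]))
```

The collision case matters as much as the traversal one: when two raw names sanitize to the same path, an extractor that overwrites silently analyzes whichever entry it wrote last, so the pipeline should surface the duplicate rather than pick one.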

Researchers told BleepingComputer that despite similarities to other Android malware exploiting NFC chips, NFCShare uses distinct code, libraries, architecture, and implementation details. D3Lab’s Andrea Draghetti said those distinctions exist even as the malware could represent an evolution within a broader ecosystem driven by the same actors.

What this means for technologists, banks, and Android users

  • Technologists and security teams: watch for APK distribution via code‑hosting platforms and update detection rules for WebSocket exfiltration patterns tied to NFC-reading behaviors. D3Lab’s note about malformed ZIP paths signals a need to validate extraction tools used in automated analysis pipelines.
  • Affected banks and financial institutions: the campaign’s expansion from a single-bank focus in January to multiple banks across Italy and Spain suggests that institutions whose customers were impersonated in APK filenames should review customer‑facing communications and consider alerting customers to the specific social-engineering tactics described.
  • Android users and the public: install banking apps only from Google Play, keep Play Protect enabled, and treat any "verification request" that asks you to tap or hold a payment card against the phone as a warning sign; a legitimate app update never needs your card or its PIN.

The picture assembled by D3Lab and reported to BleepingComputer shows a methodical campaign combining phishing, code-hosting abuse and NFC skimming that has shifted from a narrow to a broader target set since January. The attackers' use of malformed APK packaging to disrupt automated analysis is a practical reminder that simple changes to packaging and distribution can complicate detection even when the underlying functionality is recoverable by manual investigation.

Source: BleepingComputer — NFCShare Android malware spreads via fake banking app updates on GitHub