A renewed wave of an Android banking trojan called NFCShare is tricking people into handing over their payment-card details by abusing the contactless (NFC) chip in their own phones. According to the Italian threat-intelligence firm D3Lab, which first documented the malware in January 2026 and has tracked its evolution, the current campaign has been running since around 14 May 2026 and has expanded from a Deutsche Bank-themed lure to impersonating Italian, Spanish and other European banking brands. The mechanics are unusual, but the defence is straightforward — and it comes down mostly to not installing the fake "update" that starts the whole chain.
How the scam works
The attack begins as a fairly ordinary phishing lure and then takes an unusual turn. A victim lands on a website built to look like their real bank and is asked to enter their online-banking credentials. The site then tells them their banking app must be updated and sends them — via a shortened link — to a malicious Android app file hosted in a public code repository on GitHub, disguised to look like an innocuous project. Because the file is delivered outside the official app store, installing it means sideloading software the bank never published. GitHub is being abused here purely as a hosting location for the malicious files; the reporting does not indicate GitHub itself was compromised.
Once installed, the app shows a fake "card verification" screen and instructs the victim to hold their physical payment card against the back of the phone. At that moment the malware uses the phone's NFC reader to pull data off the card — the card number, card type and expiry date — and also captures a four-digit PIN that the victim is prompted to enter as a supposed security step. According to D3Lab's analysis as reported by BleepingComputer, that information is then sent to an attacker-controlled server, where it can be used in NFC payment-relay fraud: the same class of technique seen in earlier malware families such as NGate, SuperCard X and RelayNFC, where stolen card data is replayed to authorise payments the cardholder never made.
D3Lab researcher Andrea Draghetti noted that NFCShare uses distinct code and architecture compared with other NFC-abusing Android malware, while cautioning it could still be an evolution of the same broader criminal ecosystem. The researchers also noted that phone calls or text messages impersonating bank staff may form part of the social-engineering pressure, as seen in similar campaigns — though they said they did not directly observe that in this wave.
Who is being targeted
In January, when D3Lab first documented NFCShare, it impersonated only Deutsche Bank in Germany. The current wave is broader: D3Lab's analysis lists dozens of distinct app files impersonating a range of European banks, with the lures weighted toward Italian institutions — among them Intesa, Banca Sella, Nexi, Fideuram and Mooney — and Spanish customers, with CaixaBank among the impersonated brands. Those banks are targets of impersonation here, not the source of the problem; the point for their customers is simply that a convincing-looking "[your bank] card" app circulating outside the official store should be treated as hostile.
Two operational details make this campaign harder to catch. The attackers rotate brands and rebuild the malicious app files frequently, which helps each fresh build slip past signature-based detection. And newer samples deliberately malform the internal structure of the Android package so that some automated analysis tools fail to unpack them — an evasion aimed at researchers and security tooling rather than at the victim.
Why the NFC angle matters beyond Europe
The geography of this campaign is European, but the technique is portable, which is the part worth attention elsewhere. The ingredients (a credential-phishing site, a "you must update your app" prompt, sideloading from a link, and a fake in-app screen that asks you to tap your card) do not depend on any particular country or bank. Contactless cards and NFC-equipped Android phones are everywhere, and relay fraud only needs the card data and PIN, not physical theft of the card. The same chain works in any market with contactless cards, NFC-capable Android phones and users willing to sideload bank-themed APKs, which is why the defensive habits below are worth building now rather than after a local wave appears.
How to stay safe
The choke point is the victim's own action, so a few habits defeat this entirely. Update banking apps only from the official app store — never from a link in a message, email or website, and never from a code-sharing site. Treat any prompt to "update your banking app" that arrives through a webpage or text as a red flag rather than an instruction. Be deeply suspicious of any app that asks you to hold your bank card to your phone or to type your card PIN into a verification screen: a legitimate banking app has no need to read your physical card over NFC or to collect your PIN that way. On Android, keep Google Play Protect enabled and avoid enabling installation from unknown sources unless you have a specific, trusted reason. And if you have already entered card details or a PIN into something like this, contact your bank immediately to block the card, and change any banking credentials you entered on the preceding phishing page.
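For administrators who can query managed Android devices over adb, the sideloading and card-reading steps described above suggest one concrete audit: list apps that were not installed by the official store yet request NFC access. This is an added example, not D3Lab's tooling or code from the reporting. The package names and command output are constructed, the input is assumed to follow the `pm list packages -3 -i` and `dumpsys package` formats, and treating only Google Play as a trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only
NFC_PERMISSION = "android.permission.NFC"

# Constructed sample, modelled on `adb shell pm list packages -3 -i` output.
SAMPLE_PACKAGES = """\
package:com.example.wallet  installer=com.android.vending
package:com.example.cardverify  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

# Constructed excerpts, modelled on `adb shell dumpsys package <name>` output.
NFC_BLOCK = """\
    requested permissions:
      android.permission.NFC
    install permissions:
      android.permission.NFC: granted=true
"""
NO_NFC_BLOCK = "    requested permissions:\n      android.permission.INTERNET\n"
SAMPLE_DUMPSYS = {"com.example.wallet": NFC_BLOCK, "com.example.cardverify": NFC_BLOCK,
                  "com.example.notes": NO_NFC_BLOCK}

def parse_installers(listing):
    """Map package -> installer package, or None when none is recorded."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)$", listing, re.M)
    return {pkg: None if inst == "null" else inst for pkg, inst in pairs}

def requested_permissions(dumpsys_text):
    """Names listed under the 'requested permissions:' section only."""
    perms, in_section = set(), False
    for line in map(str.strip, dumpsys_text.splitlines()):
        if line.endswith(":"):  # any section header opens or closes the block
            in_section = line == "requested permissions:"
        elif in_section and line:
            perms.add(line.split(":")[0])
    return perms

def flag_sideloaded_nfc(listing, dumpsys_by_pkg):
    """Apps from outside a trusted store that request NFC access."""
    return sorted(
        (pkg, inst or "unknown")
        for pkg, inst in parse_installers(listing).items()
        if inst not in TRUSTED_INSTALLERS
        and NFC_PERMISSION in requested_permissions(dumpsys_by_pkg.get(pkg, ""))
    )

if __name__ == "__main__":
    print(flag_sideloaded_nfc(SAMPLE_PACKAGES, SAMPLE_DUMPSYS))
```

A hit is a prompt for review, not a verdict: legitimate sideloaded apps can request NFC too.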
Key Takeaways
D3Lab reports a new wave of the NFCShare Android trojan, active since around 14 May 2026, that poses as banking-app updates hosted on GitHub and steals payment-card data via the phone's NFC chip.
The chain: a bank-themed phishing site harvests online-banking credentials, then pushes a fake "app update" that is actually a sideloaded malicious APK; an in-app screen tells the victim to tap their card and enter a PIN.
The malware exfiltrates the NFC-read card data (number, type, expiry) plus the four-digit PIN the victim is tricked into typing, sending it to the attackers for NFC payment-relay fraud — the same class of technique as NGate, SuperCard X and RelayNFC.
The wave impersonates Italian banks (Intesa, Banca Sella, Nexi, Fideuram, Mooney) and targets Spanish customers, with CaixaBank among the impersonated brands; brands are rotated and APKs rebuilt frequently to evade signature detection, with malformed packaging to hinder analysis.
Defence is user-side and simple: update banking apps only from the official store, never tap your card or enter a PIN into an app that asks you to "verify," keep Play Protect on, and if you have already complied, call your bank to block the card.