NFCShare Malware Is Stealing Credit Cards Through Fake Banking Apps on GitHub — And It’s Spreading Fast

A sophisticated Android malware called NFCShare is having a moment. What started in January as a narrowly targeted trojan going after Deutsche Bank customers in Germany has exploded into a pan-European campaign hitting banks in Italy and Spain — and it’s using GitHub as its distribution platform.

How the Attack Works

The scheme opens with a phishing site impersonating a real bank. Victims land on it, enter their banking credentials, and are then told they need to update their banking app. The “update” link points to a GitHub repository hosting a malicious APK file. Some victims may also get SMS messages or phone calls from people pretending to be bank representatives, adding pressure to install the fake app.

Once installed, NFCShare does something clever and deeply uncomfortable. It presents a fake verification screen asking the user to tap their payment card against the phone’s NFC chip — framed as a security step. The malware then uses Android’s IsoDep interface to send EMV commands to the card and read the card number, card type, and expiry date, while the 4-digit PIN is captured from whatever the victim types into the fake screen. All of it gets shipped to the attacker’s command-and-control server over a WebSocket connection.

That stolen data feeds directly into NFC payment relay schemes — the same technique documented in NGate, SuperCard X, and RelayNFC attacks — where criminals use the intercepted card data to make contactless payments in real time.

What’s New in This Campaign

D3Lab, the research firm that first documented NFCShare in January, has been tracking its evolution. The GitHub repository used in the current campaign was created on April 10 and has since hosted 56 unique APKs impersonating apps for banks including Intesa, Sella, Nexi, Fideuram, Mooney, and CaixaBank.

The malware authors have also added a new evasion trick: malformed APK packaging. The APK is still a ZIP archive, but the samples include poisoned file paths inside the ZIP that cause certain extraction tools to choke on relative paths. It won’t stop a determined analyst, but it disrupts automated static analysis pipelines — enough to buy the malware a few more hours of undetected operation.
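The kind of pipeline hardening that defeats this trick is simple: never let a ZIP entry name decide where a file is written, and never let one bad entry abort the whole run. The script below is an added example written for this article, not code from D3Lab or from any NFCShare sample. It constructs its own APK-like ZIP (a placeholder manifest and dex plus three entries with poisoned names of the general kind described above; the names are invented, not taken from the campaign), then runs a triage pass that flags every absolute or `..`-bearing entry, maps each name to a safe relative path, and extracts the rest of the archive for analysis. The function and file names are this example's own.

```python
"""Robust APK (ZIP) triage that does not choke on poisoned entry paths.

Added example for illustration; it is not code from the article, from
D3Lab, or from any malware sample. The archive it analyses is constructed
inline so the script runs offline.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional


def build_sample_apk() -> bytes:
    """Construct a small APK-like archive (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        # Constructed poisoned entry names: a '..' traversal, an absolute
        # path, and a '..' buried in the middle of an otherwise normal path.
        zf.writestr("../../../../tmp/escape.txt", b"traversal")
        zf.writestr("/absolute/path.txt", b"absolute")
        zf.writestr("res/../../drawable/icon.png", b"mixed")
    return buf.getvalue()


def is_poisoned(name: str) -> bool:
    """True if an entry name is absolute (POSIX or drive-letter) or contains '..'."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True
    return any(part == ".." for part in n.split("/"))


def sanitize_member_name(name: str) -> str:
    """Map an entry name to a path that cannot leave the output directory.

    Backslashes are normalised to '/', and every empty, '.' or '..'
    component is dropped, so the result is always a plain relative path.
    """
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".", "..")]
    return "/".join(parts) if parts else "_unnamed"


def triage_apk(data: bytes, out_dir: Optional[str] = None) -> Dict[str, object]:
    """Scan every entry, flag poisoned names and (optionally) extract safely.

    Returns {'entries': count, 'poisoned': [original names],
             'extracted': {original name: sanitized relative path}}.
    A poisoned entry is still extracted, under its sanitized name, so the
    rest of the archive remains available to the analysis pipeline.
    """
    report: Dict[str, object] = {"entries": 0, "poisoned": [], "extracted": {}}
    poisoned: List[str] = report["poisoned"]  # type: ignore[assignment]
    extracted: Dict[str, str] = report["extracted"]  # type: ignore[assignment]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"] = int(report["entries"]) + 1
            if is_poisoned(info.filename):
                poisoned.append(info.filename)
            safe = sanitize_member_name(info.filename)
            if safe in extracted.values():  # two entries collapsed to one name
                safe = f"dup{report['entries']}_{safe}"
            extracted[info.filename] = safe
            if out_dir is None or info.is_dir():
                continue
            dest = os.path.join(out_dir, *safe.split("/"))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
    return report


def extract_sample_to_tempdir() -> List[str]:
    """Extract the constructed sample into a temp dir; return the files written."""
    with tempfile.TemporaryDirectory() as tmp:
        triage_apk(build_sample_apk(), tmp)
        written = []
        for root, _dirs, files in os.walk(tmp):
            for f in files:
                rel = os.path.relpath(os.path.join(root, f), tmp)
                written.append(rel.replace(os.sep, "/"))
        return sorted(written)


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print(f"{rep['entries']} entries, {len(rep['poisoned'])} poisoned:")
    for bad in rep["poisoned"]:
        print(f"  {bad!r} -> {rep['extracted'][bad]!r}")
    print("extracted:", extract_sample_to_tempdir())
```

The key design choice is that flagging and extraction are separate: the poisoned names become a detection signal (a legitimate build tool has no reason to emit them), while sanitizing rather than skipping keeps the manifest and dex available so the sample still gets analysed on the first pass instead of several hours later.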

According to D3Lab researcher Andrea Draghetti, NFCShare uses distinct code, libraries, and architecture compared to other NFC-exploiting Android malware. That said, it could still be an evolution of the same threat ecosystem — the same actors refining their tools.

What You Should Do

This one’s straightforward. Only install banking apps from Google Play. Enable Google Play Protect. And if anyone — your bank, a pop-up, a phone call — asks you to tap your card against your phone for “verification,” that’s a red flag. Banks don’t do that.

If you think you’ve installed a fake banking app, uninstall it immediately, contact your bank, and monitor your card transactions. Consider requesting a replacement card if you entered your PIN during any “verification” process.

The Bigger Picture

NFCShare is part of a growing wave of NFC relay malware targeting European banking customers. The shift to GitHub as a distribution channel is notable — it gives the malicious APKs a veneer of legitimacy and makes takedowns more complicated since GitHub has to balance security with its role as a development platform. Expect more campaigns like this. The NFC attack surface on Android is real, and the social engineering around it is getting sharper.