An Android malware family named NFCShare is targeting mobile banking customers across Europe by masquerading as legitimate banking apps. The malware is built to harvest contactless payment card data through the phone's NFC chip, and it has expanded well beyond the single bank it imitated when it first appeared.
Evolution and Expansion of NFCShare
First detected in January 2026, NFCShare initially imitated Deutsche Bank's app. It shows the victim a fake card-verification screen that asks them to hold their payment card against the phone; the app then reads the card over NFC and sends the captured data to an attacker-controlled server. The malware also collects the card's PIN, so the attackers hold everything they need before the victim realizes anything is wrong.
Researchers at d3Lab have tracked the malware's progression and observed a marked escalation from mid-May 2026. The campaign has since broadened to impersonate a range of Italian and European banking brands, including Intesa Sanpaolo and Banca Sella, and has reached Spanish banks such as CaixaBank.
Phishing Tactics and Distribution Channels
d3Lab's report, shared with Cyber Security News (CSN), notes that the core attack method has not changed but that its execution has been refined. The operators rotate the banking brands they impersonate, quickly rebuild the malicious APKs for each new brand, and distribute them through a GitHub repository disguised as an educational project, which makes blocking and detection harder.
Victims are lured to phishing sites that closely resemble legitimate banking portals. After entering their credentials, they are pushed to download a counterfeit APK presented as a required app update. In some cases the attackers follow up with fraudulent messages that walk the victim through enabling installation from unknown sources, which the malicious APK needs since it is not delivered through an app store.
Technical Insights and Security Recommendations
The fake APKs carry names that mimic genuine banking apps, such as Intesa Carte.apk and CaixaBank.apk. Once installed, the malware presents an ordinary-looking card-verification interface and uses Android's NFC reader mode to send EMV commands (APDUs) to the contactless card and read its data, which is then relayed to the attackers' command-and-control server.
One notable shift in the campaign is the use of GitHub as the delivery platform. The repository is dressed up as a school project with a misleading README file, and updates are pushed with commit messages in Italian. The newer APK versions also include anti-analysis tricks, such as malformed entry paths inside the ZIP container, which cause tools that rely on a strict, standard ZIP parser to fail before they ever inspect the app.
For defenders, detecting NFCShare comes down to examining the internal code markers, the combination of WebView and NFC functionality in one app, and the unusual structure of the APK files themselves. Because the archives deliberately deviate from the ZIP specification, analysis tools that tolerate non-standard ZIP layouts, such as apkInspector, are recommended for triage and analysis.
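To show what a tolerant APK walk looks like, and why the malformed-path trick above matters, the following added example (written for this article; it is not code from d3Lab, apkInspector, or the malware) parses an APK's ZIP central directory by hand instead of trusting a standard library's strict view of the archive. The sample archive is constructed in memory, and the tampering applied to it (rewriting an entry name only in the central directory so it no longer matches the local file header) is a hypothetical stand-in for "malformed ZIP paths"; it is not a claim about NFCShare's actual bytes. The scanner reports path traversal, absolute or NUL-containing names, central/local name mismatches, and unusual compression methods, and keeps going past corrupt headers rather than aborting.

```python
"""Tolerant walk of an APK's ZIP central directory that flags entries whose
paths are malformed in ways that break naive, extraction-based scanners.
Added example; the sample archive below is constructed, not a real APK."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte fixed part of the EOCD
CDH_FMT = "<4sHHHHHHIIIHHHHHII"      # 46-byte fixed part of a CD header
LFH_FMT = "<4sHHHHHIIIHH"            # 30-byte fixed part of a local header


def _locate_central_directory(data: bytes):
    """Return (entry_count, cd_offset). The EOCD is searched backwards so
    trailing garbage appended to the archive does not hide it."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    return total, cd_offset


def _decode_name(raw: bytes):
    """Decode an entry name, falling back to latin-1 (and flagging it)."""
    try:
        return raw.decode("utf-8"), []
    except UnicodeDecodeError:
        return raw.decode("latin-1"), ["non-utf8 name"]


def _path_issues(name: str):
    """Path shapes a well-formed APK never contains."""
    issues = []
    if "\x00" in name:
        issues.append("embedded NUL")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        issues.append("absolute path")
    if "\\" in name:
        issues.append("backslash separator")
    if ".." in name.replace("\\", "/").split("/"):
        issues.append("path traversal")
    return issues


def scan_apk(data: bytes):
    """Walk every central-directory header, cross-check it against the local
    file header it points at, and return one dict per entry with its issues."""
    total, pos = _locate_central_directory(data)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            break                      # corrupt or truncated: keep what we have
        f = struct.unpack_from(CDH_FMT, data, pos)
        method, nlen, elen, clen, lfh_off = f[4], f[10], f[11], f[12], f[16]
        raw = data[pos + 46:pos + 46 + nlen]
        name, issues = _decode_name(raw)
        issues += _path_issues(name)
        if method not in (0, 8):       # stored or deflated are the norm in APKs
            issues.append(f"unusual compression method {method}")
        # The filename is stored twice; tools that trust only one copy can be
        # steered to different content than a tool that trusts the other.
        if data[lfh_off:lfh_off + 4] == LFH_SIG:
            lf = struct.unpack_from(LFH_FMT, data, lfh_off)
            if data[lfh_off + 30:lfh_off + 30 + lf[9]] != raw:
                issues.append("central/local name mismatch")
        else:
            issues.append("dangling local header offset")
        entries.append({"name": name, "method": method, "issues": issues})
        pos += 46 + nlen + elen + clen
    return entries


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; only the archive layout matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("xx/classes.dex", b"dex\n035\x00")
        z.writestr("res/layout/card_verify.xml", b"<LinearLayout/>")
    return buf.getvalue()


def tamper_central_directory(data: bytes) -> bytes:
    """Hypothetical malformed-path trick: rewrite one name in the central
    directory only (same length, so no offsets move) and leave the local
    header untouched. Not a claim about NFCShare's exact technique."""
    _, cd_offset = _locate_central_directory(data)
    cd = data[cd_offset:].replace(b"xx/classes.dex", b"../classes.dex", 1)
    return data[:cd_offset] + cd


if __name__ == "__main__":
    for entry in scan_apk(tamper_central_directory(build_sample_apk())):
        print(f"{entry['name']!r:32} {entry['issues'] or 'ok'}")
```

The walker reads nothing but the two header copies and the offsets between them, so an entry with a hostile name or a broken local-header pointer is reported as a finding rather than raised as an exception that ends the scan. Running it on a real sample means reading the file bytes and passing them to `scan_apk`; the name-mismatch and traversal checks are the ones most likely to fire on archives crafted to confuse strict parsers.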
NFCShare's rapid brand rotation and its move to GitHub for distribution show how quickly a mobile banking campaign can adapt once its core technique works. Users should install banking apps only from official stores and treat any "update" offered on a web page as a red flag; defenders should track the campaign's indicators and use analysis tooling that does not break on deliberately non-standard APKs.
