cognitive cybersecurity intelligence

New NFCShare Android Malware Delivered via Weaponized Versions of Legitimate Banking Apps

A newly evolved strain of Android malware known as NFCShare is being spread through fake versions of legitimate banking apps, putting mobile users across Europe at serious risk.

The malware is designed to secretly steal payment card data using a phone’s NFC chip, and it has grown into a much broader and more coordinated campaign than when it first appeared.

NFCShare was first spotted in January 2026 when it was caught impersonating Deutsche Bank.

The malware used a fake card-verification screen to trick victims into placing their payment card near their phone, capturing card data over NFC and sending it to an attacker-controlled server.

It also harvested the card PIN before a victim even realized something was wrong. Analysts at d3Lab identified and tracked the malware’s evolution, noting a sharp shift starting around May 14, 2026.

The newer campaign branched out to impersonate multiple Italian and European banking brands, including Intesa Sanpaolo, Banca Sella, Fideuram, Nexi, Mooney, BCC Roma, and Spanish institutions like CaixaBank.

d3Lab said in a report shared with Cyber Security News (CSN) that the core attack method has not changed much, but the operation behind it has grown more polished and evasive.

The actor is now rotating bank brands frequently, rebuilding malicious APKs at a fast pace, and hosting them in a public GitHub repository disguised as a school project. This discipline makes the campaign harder to detect and take down.

Users are lured through phishing websites that look exactly like real banking portals. Once a victim enters their credentials, they are told their banking app needs an update and are directed to download a fake APK.

In some cases, a fake bank operator may call or text the victim to guide them through enabling installs from unknown sources.

New NFCShare Android Malware

The malicious APKs carry names that mirror real banking apps, such as Intesa Carte.apk, Sella Carte.apk, Klirway Carte.apk, Nexi Carte.apk, and CaixaBank.apk, among others.

A victim who downloads one of these files sees what looks like a standard card-verification interface inside a WebView screen, complete with a progress indicator and a PIN entry prompt.

Once the victim places their card near the phone, the malware uses Android’s NFC reader to extract card data using a standard EMV protocol command.

The card number, type, label, and expiry date are packaged and sent over a WebSocket connection to the attacker’s command-and-control server. The PIN is then sent in a second message through the same channel.

Fake card-verification screen asking the victim to bring the card close to the phone (Source – d3Lab)

The phishing flow begins at a fake website, areaclienti-intesa[.]com, which closely mimics Intesa Sanpaolo’s real portal.

After stealing credentials, the site redirects through a shortened URL, ultimately dropping the malicious APK from a GitHub repository named app-scuola, or “school app.” As of early June 2026, that repository contained 57 commits and 56 unique APK payloads.

GitHub-Hosted Payloads and Anti-Analysis Tactics

One of the more notable shifts in this campaign is how the actor is using GitHub as a payload delivery platform.

The repository is disguised with a fake README describing it as a homework app, and a shell script pushes updated APK builds with the commit message “Aggiornato tutto,” meaning “Updated everything” in Italian.

The newer APKs also introduce a trick designed to slow down automated security analysis. The files contain intentionally malformed ZIP paths, which cause simple analysis tools to fail during extraction.

Automated detection pipelines may produce lower match scores or skip the files, buying the attacker more time in the wild.

For defenders, the strongest detection opportunities lie in the internal NFCShare code markers, the WebView and NFC behavior combination, and the malformed APK structure in newer builds.

Analysts are advised to use tools capable of handling non-standard ZIP structures, such as the open-source apkInspector, which can recover family markers and identify the malware even when standard extractors fail.
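As an added illustration (not d3Lab's code and not apkInspector), a small Python triage script in the spirit of that advice: it walks the APK's ZIP central directory by record signature instead of trusting the standard library's strict parser, reads each entry straight from its local header, flags non-standard entry paths, and searches decompressed content for the two family markers d3Lab attributes to NFCShare (the package name com.modol.nap and the namespace nfc.share.itnamteis). The path heuristics and the sample archive are constructed assumptions, since the article does not describe exactly how the paths were malformed.

```python
import io, struct, zipfile, zlib

MARKERS = (b"com.modol.nap", b"nfc.share.itnamteis")  # family markers from the article's IoC table
CDH, EOCD = b"PK\x01\x02", b"PK\x05\x06"  # central-directory record / end-of-central-directory signatures
def walk_central_directory(data):
    """Yield (raw_name, method, csize, local_off) per record, located by signature rather than trust."""
    eocd = data.rfind(EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    pos = struct.unpack_from("<I", data, eocd + 16)[0]  # claimed central-directory offset
    if data[pos:pos + 4] != CDH:
        pos = data.find(CDH)  # offset lies: fall back to a signature scan
    while 0 <= pos < eocd and data[pos:pos + 4] == CDH:
        method, csize = struct.unpack_from("<H8xI", data, pos + 10)
        nlen, xlen, clen, local_off = struct.unpack_from("<HHH8xI", data, pos + 28)
        yield data[pos + 46:pos + 46 + nlen], method, csize, local_off
        pos += 46 + nlen + xlen + clen  # skip name, extra field and comment
def entry_payload(data, method, csize, local_off):
    """Read one entry straight from its local header (stored, or raw deflate = method 8)."""
    nlen, xlen = struct.unpack_from("<HH", data, local_off + 26)
    raw = data[local_off + 30 + nlen + xlen:][:csize]
    return zlib.decompress(raw, -15) if method == 8 else raw
def path_anomalies(name):
    """Assumed heuristics for non-standard paths; the article does not detail the malformation."""
    hits = []
    if b"\x00" in name:
        hits.append("embedded NUL")
    if b".." in name.replace(b"\\", b"/").split(b"/"):
        hits.append("parent traversal")
    return hits
def triage_apk(data):
    """Tolerant triage: entry names, flagged paths, and which family markers appear in content."""
    names, flagged, found = [], {}, set()
    for name, method, csize, off in walk_central_directory(data):
        names.append(name)
        if hits := path_anomalies(name):
            flagged[name] = hits
        try:
            found.update(m.decode() for m in MARKERS if m in entry_payload(data, method, csize, off))
        except (zlib.error, struct.error):
            pass  # damaged entry: keep scanning the rest instead of aborting
    return {"entries": names, "flagged": flagged, "markers": sorted(found)}
def build_sample():
    """Constructed APK-like archive for the demo, NOT a real NFCShare sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.modol.nap"/>', compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00 nfc.share.itnamteis")
        zf.writestr("../res/raw/cfg", b"constructed placeholder with a traversal path")
    return buf.getvalue()
```

Running `triage_apk(build_sample())` reports both markers and flags the traversal path; corrupting the EOCD's central-directory offset still yields the same result because records are found by signature.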

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post New NFCShare Android Malware Delivered via Weaponized Versions of Legitimate Banking Apps appeared first on Cyber Security News.

Source: cybersecuritynews.com
