NFCShare
NFCShare is an Android banking trojan/malware family used in phishing campaigns to steal payment card data via NFC. It has been distributed as fake updates for legitimate banking apps, including malicious APKs hosted on GitHub repositories. Researchers reported that victims are first lured to phishing sites impersonating real banks, where they are asked for banking credentials and then prompted to install a supposed banking app update; related lures may also involve SMS messages or phone calls from fake bank representatives, although those were not directly observed in the analyzed cases.
The malware uses social engineering to present a fake verification flow that instructs victims to place a payment card near the phone’s NFC reader and to enter a 4-digit PIN. Technically, it uses Android’s IsoDep interface and EMV commands to read card data from scanned payment cards. Reported stolen data includes the payment card number, card type, expiry date, and the victim-entered PIN. The collected information is exfiltrated to attacker-controlled infrastructure over a WebSocket channel and may be used for NFC payment relay fraud. Reporting linked the abuse pattern to previously documented NGate, SuperCard X, and RelayNFC-style attacks, although D3Lab stated NFCShare has distinct code, libraries, architecture, and implementation details; it may still be part of the same broader criminal ecosystem.
D3Lab first documented NFCShare in January 2026, initially in a Deutsche Bank-themed phishing campaign in Germany. Later campaigns expanded to target customers of multiple banks and financial institutions across Europe, especially banks in Italy and Spain. One observed GitHub repository created on April 10 hosted 56 unique APKs impersonating banking apps, including names such as Intesa Carte.apk, Sella Carte.apk, Banca Sella Carte.apk, Nexi Carte.apk, Fideuram Carte.apk, Mooney Carte.apk, CaixaBank.apk, CaixaBankNfc.apk, and CaixaReactivaTarjeta.apk.
Newer NFCShare samples introduced malformed APK packaging intended to hinder automated analysis and possibly some security tools. The APKs remain ZIP archives but contain poisoned or malformed internal file paths that can cause some extraction tools to mis-handle paths and error out, though this does not prevent manual analysis or code recovery.
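The write-up says only that newer samples ship "poisoned or malformed internal file paths" that make some extractors error out, without naming the exact malformation. The following is an added Python triage helper (not D3Lab's tooling and not code from the page) that inspects an APK's central directory in memory, without extracting anything, and flags the common forms of that trick: traversal and absolute paths, backslash separators, NUL and control bytes, duplicated members such as a second classes.dex, and local-header names that disagree with the central directory. The sample archives it builds are constructed stand-ins, not real NFCShare APKs; the member names and the "required members" list are assumptions used for illustration.

```python
import io
import re
import warnings
import zipfile

# Bytes that never belong in a legitimate APK entry name (NUL and other
# control characters are a classic way to confuse extractors).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Members every real APK carries; their absence is itself a triage signal.
REQUIRED_MEMBERS = ("AndroidManifest.xml", "classes.dex")


def classify_entry_name(name: str) -> list:
    """Return the problems found in one ZIP entry name (empty list if clean)."""
    problems = []
    parts = name.split("/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        problems.append("absolute path")
    if ".." in parts:
        problems.append("path traversal")
    if "\\" in name:
        problems.append("backslash separator")
    if CONTROL_CHARS.search(name):
        problems.append("control character")
    if len(name) > 255:
        problems.append("overlong name")
    return problems


def triage_apk_paths(apk_bytes: bytes) -> dict:
    """Inspect an APK's central directory without extracting anything to disk.

    Each member is opened through zf.open(), which makes zipfile compare the
    local file header name with the central-directory name and raise
    BadZipFile on a mismatch, another path-poisoning trick extractors trip on.
    """
    findings = {"problems": {}, "duplicates": [], "header_mismatch": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            raw = info.orig_filename          # name exactly as stored in the archive
            problems = classify_entry_name(raw)
            if raw != info.filename:          # zipfile silently truncated at a NUL byte
                problems.append("name truncated at NUL by parser")
            if raw in seen:
                findings["duplicates"].append(raw)
            seen.add(raw)
            try:
                with zf.open(info) as member:
                    member.read(1)
            except zipfile.BadZipFile as exc:
                findings["header_mismatch"].append((raw, str(exc)))
            if problems:
                findings["problems"][raw] = problems
    findings["missing"] = [m for m in REQUIRED_MEMBERS if m not in seen]
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when any path-level anomaly was recorded."""
    return any(findings[key] for key in ("problems", "duplicates", "header_mismatch", "missing"))


def build_sample_apk(poisoned: bool) -> bytes:
    """Constructed in-memory stand-in for an APK (not a real NFCShare sample).

    The poisoned variant carries the kinds of entry names the write-up warns
    about: a traversal path, an absolute path, a backslash path and a
    duplicated classes.dex.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")      # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
            zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
            if poisoned:
                zf.writestr("classes.dex", b"dex\n035\0" + b"\1" * 16)
                zf.writestr("../../../system/lib/libpayload.so", b"\x7fELF")
                zf.writestr("/data/local/tmp/stage2", b"stage2")
                zf.writestr("res\\drawable\\icon.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "poisoned"):
        result = triage_apk_paths(build_sample_apk(label == "poisoned"))
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Because the check only reads the central directory and local headers, it is safe to run on untrusted samples in a triage pipeline; anything it flags is then handed to manual analysis, which, as the write-up notes, is not blocked by the malformation.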
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic:
- Initial Access: 2 techniques
- Stealth: 2 techniques
- Credential Access: 2 techniques
- Collection: 2 techniques
- Command and Control: 1 technique
Recent activity
5 sources tracked across advisories, community write-ups, and news:
- Android malware distributed via phishing sites and malicious APKs masquerading as banking app updates. It tricks victims into scanning payment cards over NFC, captures card number, type, expiry date, and a 4-digit PIN, and exfiltrates the data to a C2 server over WebSocket for use in NFC payment relay fraud.
- Android trojan focused on NFC card data theft, delivered via a malicious APK (per the article title).
- Android NFC relay malware distributed via a Deutsche Bank-themed phishing lure; reads NFC card data and exfiltrates it to a remote WebSocket endpoint; infrastructure overlaps noted with SuperCard X activity (Nov 2025).