NFCShare Android malware variants are distributed as fake updates for legitimate banking apps via GitHub repositories. The malware targets European bank customers by phishing for banking credentials and then prompting victims to scan their payment cards near their device's NFC chip. Using Android's IsoDep interface and EMV commands, NFCShare extracts card data and a 4-digit PIN entered by the victim, sending this information over WebSocket to a command-and-control server. This data can facilitate NFC payment relay fraud. The malware's distribution includes social engineering through phishing sites and potentially SMS or calls. Newer samples include malformed APK packaging to disrupt automated static analysis tools. The malware was first documented in January 2026 and has evolved from targeting a single bank in Germany to multiple banks primarily in Italy and Spain.

The malware enables attackers to steal sensitive payment card information and PINs from victims, which can be used to conduct NFC payment relay attacks and potentially fraudulent transactions. This compromises the confidentiality and integrity of victims' financial data. The attack targets banking app users in Europe, primarily Italy and Spain, expanding from an initial focus on Germany. The use of social engineering and fake app updates increases the risk of successful infection.

Users should only download banking apps and updates from official sources such as Google Play and avoid installing APKs from third-party sites like GitHub. Enabling Google Play Protect can help detect malicious apps. Users should be cautious of unsolicited verification requests that prompt NFC card scans. Security teams should educate users about phishing tactics involving fake banking sites and app updates. Since this is malware distributed via social engineering, no official patch applies; mitigation relies on user awareness and safe app sourcing.