A newly evolved strain of Android malware known as NFCShare is being spread through fake versions of legitimate banking apps, putting mobile users across Europe at serious risk.
The malware is designed to secretly steal payment card data using a phone’s NFC chip, and it has grown into a much broader and more coordinated campaign than when it first appeared.
NFCShare was first spotted in January 2026 when it was caught impersonating Deutsche Bank.
The malware used a fake card-verification screen to trick victims into placing their payment card near their phone, capturing card data over NFC and sending it to an attacker-controlled server.
It also harvested the card PIN before a victim even realized something was wrong. Analysts at d3Lab identified and tracked the malware’s evolution, noting a sharp shift starting around May 14, 2026.
The newer campaign branched out to impersonate multiple Italian and European banking brands, including Intesa Sanpaolo, Banca Sella, Fideuram, Nexi, Mooney, BCC Roma, and Spanish institutions like CaixaBank.
d3Lab said in a report shared with Cyber Security News (CSN) that the core attack method has not changed much, but the operation behind it has grown more polished and evasive.
The actor is now rotating bank brands frequently, rebuilding malicious APKs at a fast pace, and hosting them in a public GitHub repository disguised as a school project. This discipline makes the campaign harder to detect and take down.
Users are lured through phishing websites that look exactly like real banking portals. Once a victim enters their credentials, they are told their banking app needs an update and are directed to download a fake APK.
In some cases, a fake bank operator may call or text the victim to guide them through enabling installs from unknown sources.
The malicious APKs carry names that mirror real banking apps, such as Intesa Carte.apk, Sella Carte.apk, Klirway Carte.apk, Nexi Carte.apk, and CaixaBank.apk, among others.
A victim who downloads one of these files sees what looks like a standard card-verification interface inside a WebView screen, complete with a progress indicator and a PIN entry prompt.
Once the victim places their card near the phone, the malware uses Android’s NFC reader to extract card data using a standard EMV protocol command.
The card number, type, label, and expiry date are packaged and sent over a WebSocket connection to the attacker’s command-and-control server. The PIN is then sent in a second message through the same channel.
The phishing flow begins at a fake website, areaclienti-intesa[.]com, which closely mimics Intesa Sanpaolo’s real portal.
After stealing credentials, the site redirects through a shortened URL, ultimately dropping the malicious APK from a GitHub repository named app-scuola, or “school app.” As of early June 2026, that repository contained 57 commits and 56 unique APK payloads.
GitHub-Hosted Payloads and Anti-Analysis Tactics
One of the more notable shifts in this campaign is how the actor is using GitHub as a payload delivery platform.
The repository is disguised with a fake README describing it as a homework app, and a shell script pushes updated APK builds with the commit message “Aggiornato tutto,” meaning “Updated everything” in Italian.
The newer APKs also introduce a trick designed to slow down automated security analysis. The files contain intentionally malformed ZIP paths, which cause simple analysis tools to fail during extraction.
Automated detection pipelines may produce lower match scores or skip the files, buying the attacker more time in the wild.
For defenders, the strongest detection opportunities lie in the internal NFCShare code markers, the WebView and NFC behavior combination, and the malformed APK structure in newer builds.
Analysts are advised to use tools capable of handling non-standard ZIP structures, such as the open-source apkInspector, which can recover family markers and identify the malware even when standard extractors fail.
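The two detection opportunities above, a ZIP layout that naive extractors reject and the family markers inside the archive, can be checked without ever extracting the APK to disk. The following triage script is an added example written for this article; it is not d3Lab's tooling and not apkInspector. It walks the central directory to flag entry names a standard extractor would mishandle, searches the raw bytes and each decompressed entry for the two family markers listed in the IoC table, and falls back to the raw-byte search alone when the archive does not parse. The sample APKs it builds are constructed stand-ins (one with a traversal-style entry name, one with its end-of-central-directory signature clobbered), not real NFCShare samples; the exact malformation the actor uses is not described in the report, so the anomaly patterns here are an assumption about what "malformed ZIP paths" commonly look like.

```python
"""Triage scan for APKs whose ZIP metadata trips up naive extractors (added example)."""
import io
import re
import zipfile

# Family attribution markers reported for NFCShare (from the article's IoC table).
FAMILY_MARKERS = [b"com.modol.nap", b"nfc.share.itnamteis"]

# Entry-name anomalies (assumed, not from the report): absolute paths, drive letters,
# parent-directory traversal, or control characters in the stored file name.
_BAD_NAME = re.compile(r"(^/|^[A-Za-z]:|(^|/)\.\.(/|$)|[\x00-\x1f])")

# Cap per-entry decompression so a single oversized entry cannot exhaust memory.
MAX_ENTRY_BYTES = 4 * 1024 * 1024


def suspicious_entry_names(data: bytes) -> list[str]:
    """Return entry names a standard extractor would reject; reads metadata only."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if _BAD_NAME.search(info.filename):
                out.append(info.filename)
    return out


def find_family_markers(data: bytes) -> list[str]:
    """Search raw bytes and, when the archive parses, each entry's decompressed content."""
    blobs = [data]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_ENTRY_BYTES:
                    blobs.append(zf.read(info))  # read() does not touch the filesystem
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # unparseable archive: the raw-byte search below still runs
    found = {m.decode() for blob in blobs for m in FAMILY_MARKERS if m in blob}
    return sorted(found)


def triage(data: bytes) -> dict:
    """Combine both checks; an archive zipfile refuses to parse is itself a signal."""
    result = {"zip_parsed": True, "bad_names": [], "markers": find_family_markers(data)}
    try:
        result["bad_names"] = suspicious_entry_names(data)
    except zipfile.BadZipFile:
        result["zip_parsed"] = False
    result["suspicious"] = (
        bool(result["markers"]) or bool(result["bad_names"]) or not result["zip_parsed"]
    )
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for a malicious build: a manifest carrying the package
    marker, a traversal-style entry name, and a deflated blob with the namespace marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.modol.nap"/>')
        zf.writestr("../res/evil.xml", b"placeholder")
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00nfc.share.itnamteis\x00",
            compress_type=zipfile.ZIP_DEFLATED,
        )
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed benign archive: well-formed names, no family markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.example.notes"/>')
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def clobber_end_record(data: bytes) -> bytes:
    """Constructed corruption: overwrite the end-of-central-directory signature so
    zipfile, like a naive extractor, refuses the file outright."""
    return data.replace(b"PK\x05\x06", b"XX\x05\x06")


if __name__ == "__main__":
    print("malicious  :", triage(build_sample_apk()))
    print("corrupted  :", triage(clobber_end_record(build_sample_apk())))
    print("benign     :", triage(build_clean_sample()))
```

The point of the fallback path is that an extractor failure must not end the analysis: even when `zipfile` gives up on the corrupted sample, the stored (uncompressed) manifest still yields the `com.modol.nap` marker from a plain byte search, which is the same recovery idea the article attributes to apkInspector. On a real pipeline, feed files that hit the `zip_parsed == False` branch to a tolerant parser rather than discarding them.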
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Package Name | com.modol.nap | Observed across all NFCShare samples |
| Namespace | nfc.share.itnamteis | Family attribution marker |
| C2 Server | ws://38[.]47[.]213[.]197:7068/ | Earlier NFCShare infrastructure |
| C2 Server | ws://nfck[.]loseyourip[.]com:8001/ | Recent campaign infrastructure |
| GitHub Repository | https://github[.]com/antoniocastaldo1998/app-scuola | APK hosting repository |
| Phishing Domain | areaclienti-intesa[.]com | Phishing website mimicking Intesa Sanpaolo |
| Short URL | https://tinyurl[.]com/Intesa-Carte | Observed APK distribution link |
| APK File | IntesaCarte.apk | MD5: 4f71dc13d349971d76970bde1c6e3be5 / SHA-256: 752f3cacdad6753d4c02bb8e40ef3e0990b55466c18a7b80ec6fa7b9706e40ab |
| APK File | NexiCarte.apk | MD5: 63d6aaabe27edd5e60339da122d7d0cd / SHA-256: 6d29e6e5372cd0690e0df62eb6d98938e91191b0e639fed2476497baa8255405 |
| APK File | KlirwayCarte.apk | MD5: e937ba13a70cf62da5c5a471df866f6b / SHA-256: 7fb836c08ff527443b06d1c20afb6a4b0f51eb373013f211e0d3200bf26527b7 |
| APK File | NexiTarjetas.apk | MD5: 9ee21d157063fd9023a501ec7f551a56 / SHA-256: cb147e7ce69723523f604da875d78ca4738e5f416d2297910ee179a5067e79fe |
| APK File | BCCRomaCarte.apk | MD5: 5ecd01356a39ecf540883ff8171b3677 / SHA-256: 091870b3f90c9a98000e0d14a67be2db5891ce98a0b1e24b721e3d96241620a5 |
| APK File | SellaNFC.apk | MD5: fcfd090aa00fe9388da6d20cd2326058 / SHA-256: 3c81526bcb801d7dcfaea7f379528471d745a36e3c1bdc41877b4bed34b5dce6 |
| APK File | FideuramCarte1.apk | MD5: dea4c7344a8ab14de16a1018a6e5ccfd / SHA-256: 9e95912f1a5fdba5050723f095b7031770b7e2f9627fb60544b41adcbb5b3306 |
| APK File | BancaSellaCarte.apk | MD5: 45ee3983a7c1133f267af09173668864 / SHA-256: 090a30252991830596c75a945885ca3100d7a40edf4a16d78abd5bbfd90ba268 |
| APK File | MooneyCarte.apk | MD5: ded72aeca28a3a63ca1fcb8517356896 / SHA-256: 20b5551b2158f599517f29316884b00e0af6ae3a3bd782909f4b36fca1595698 |
| APK File | SellaCarte.apk | MD5: 19e201749611c757b4605635e8521bba / SHA-256: 0024620136cf4239544da4768edf7ec7a398e3b610a471033511305ccf670c42 |
| APK File | CaixaBank.apk | MD5: d9e524c5a75ad511b802f35488f6af5d / SHA-256: 9fa08e172f73daa3ec8c2fb607b8500bdf915dbf09fcde5a46381e042266149e |
| APK File | CaixaBankNfc.apk | MD5: b16928f4e8447778388e785f746434b3 / SHA-256: b0e288e8ac116bc1db13536dee2060f7ebdebc4524cba9147132ed633e028cee |
| APK File | CaixaReactivaTarjeta.apk | MD5: 8300753f9500ab04ad5bb9920f2d2053 / SHA-256: 51f7b3f6991bc6253d33e6b93f4e0429957f3d54d967c461dbb82ea2a4694e12 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.