NFCShare Android malware pressures bank customers via fake GitHub updates
TLDR: LONDON—NFCShare Android malware spreads through fake banking APK updates hosted on GitHub, then harvests NFC card data and a 4-digit PIN from victims in Europe.
Key Takeaways:
- D3Lab has tracked NFCShare since April 10, starting with Deutsche Bank and then expanding to banks across Italy and Spain.
- Attacks begin with a phishing site that redirects victims to a GitHub-hosted "update"; the installed app then walks them through an NFC tap flow that harvests card fields and a 4-digit PIN.
- Malformed APK paths disrupt some static analysis tools, but security teams can still block the attack by tightening Play Protect and app-sourcing controls.
Cybercriminals are using GitHub the way banks use app stores, except the “update” is a trap. The NFC tap request makes the theft feel like a routine security step, until it is too late. 🛡️
Q&A
Why does the malware focus on an NFC verification step instead of stealing passwords directly?
Because EMV and NFC give the app a direct path to the card data, and the prompt at the moment of supposed verification collects the user-entered PIN that a tap alone cannot read, so the theft looks like ordinary wallet behavior.
What does the use of GitHub hosting say about how attackers scale mobile fraud?
GitHub lets attackers rapidly swap APK builds and impersonate legitimate distribution patterns without running traditional malware hosting infrastructure.
If attackers want the 4-digit PIN, what user signals make the scheme more likely to work?
Urgency and legitimacy cues like bank logos plus a prompted NFC scan encourage victims to complete the flow without treating the request as suspicious.
How could the malformed APK packaging change the defender workflow?
It can delay triage by breaking some static scanners, so teams should route such packages to sandboxing and manual review rather than treating a scanner failure as a clean result.
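The malformed-path point above (and the same takeaway in the list at the top) is the kind of thing a triage pipeline can check for before a scanner ever chokes: an APK is a zip, and entry names that contain parent-directory traversal, absolute paths, backslashes, control characters or duplicates are exactly the input that breaks naive unpacking. The script below is an added example, not tooling from D3Lab or the article, and the page does not say which specific path trick NFCShare uses, so the checks are a generic assumption; the in-memory "APK" it inspects is a constructed stand-in, not a real sample.

```python
"""Triage check for APKs whose zip entry paths are malformed.

Added example, not tooling from D3Lab or the article. The exact way NFCShare
mangles its paths is not described on the page, so the checks here are a
generic assumption: flag entry names that would trip up a static scanner and
route the package to sandboxing and manual review instead of calling it clean.
"""
import io
import warnings
import zipfile

# A shipping APK has these files at the archive root (constructed list).
REQUIRED_ROOT_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def entry_problems(name: str) -> list[str]:
    """Return reasons a single zip entry name is malformed (empty if clean)."""
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    if "\\" in name:
        reasons.append("backslash separator")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character in name")
    if name != name.strip():
        reasons.append("leading/trailing whitespace")
    return reasons


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK held in memory and report malformed entry paths.

    Returns {"findings": [(entry, reason), ...], "missing": [...], "quarantine": bool}.
    Any finding or any missing required root file means: do not trust a
    scanner verdict, send the package to sandbox and manual review.
    """
    findings = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    for name in names:
        for reason in entry_problems(name):
            findings.append((name, reason))
        if name in seen:
            findings.append((name, "duplicate entry"))
        seen.add(name)
    missing = [req for req in REQUIRED_ROOT_ENTRIES if req not in seen]
    return {
        "findings": findings,
        "missing": missing,
        "quarantine": bool(findings or missing),
    }


def build_sample_apk(malformed: bool) -> bytes:
    """Build a constructed in-memory zip standing in for an APK (not a real sample)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns on duplicate names; a duplicate is one of the tricks we want.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\0")
            zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
            if malformed:
                zf.writestr("../classes.dex", b"dex\n035\0")             # traversal
                zf.writestr("res\\values\\strings.xml", b"<resources/>")  # backslashes
                zf.writestr("res/layout/main.xml", b"<FrameLayout/>")    # duplicate
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk(False)),
                        ("malformed", build_sample_apk(True))):
        report = triage_apk(blob)
        print(f"{label}: quarantine={report['quarantine']}")
        for entry, reason in report["findings"]:
            print(f"  {entry!r}: {reason}")
```

The check reads entry names straight from the central directory rather than extracting anything, so a hostile archive cannot write outside the working directory during triage; the quarantine flag is deliberately coarse because the goal is to stop a scanner crash from being mistaken for a clean result.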
What should defenders assume about future NFC relay and PIN harvesting campaigns after NFCShare?
They will likely reuse the same social engineering landing page and fake-update pattern while rotating bank targets and APK packaging tricks to evade detection.