
NFCShare Android malware poses as bank app updates to steal card data

Researchers at D3Lab warn that new versions of the NFCShare Android malware are spreading as fake updates for real banking apps, hosted on GitHub to look legitimate. Targeting customers of European banks, the malware shows a fake verification screen that tells victims to hold their payment card against the phone. It then uses the phone's NFC chip to read the card number, type, and expiry, and tricks the victim into typing their 4-digit PIN, sending it all to the attacker's server. That stolen data feeds NFC relay fraud, where criminals use it to make contactless payments or withdrawals. The malware only works if users sideload it.

Check
On managed Android devices, look for banking apps installed from outside Google Play and any app that requests an NFC card scan during a verification step.
Affected
Android users, mainly customers of European banks, who sideload fake banking app updates from GitHub or other non-Play sources and follow prompts to scan their cards.
Fix
Install banking apps only from Google Play, keep Play Protect enabled, and never scan a payment card or enter a PIN in response to an in-app verification prompt.
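
One way to run the "Check" step over a device inventory, as an added example that is not from D3Lab or the original article: it flags third-party apps whose installer is not Google Play and raises severity when the app also declares the NFC permission. The package names and sample data are constructed, and the declared NFC permission is used here as an assumed proxy for "requests an NFC card scan".

```python
import re

PLAY_STORE = "com.android.vending"        # installer package name of Google Play
NFC_PERMISSION = "android.permission.NFC"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output (third-party apps).
SAMPLE_PM_OUTPUT = """\
package:com.examplebank.mobile  installer=com.android.vending
package:com.examplebank.update  installer=com.google.android.packageinstaller
package:org.example.notes  installer=null
package:com.example.transit  installer=com.android.vending
"""

# Constructed sample: permissions each package requests, as listed under
# "requested permissions:" in `adb shell dumpsys package <name>`.
SAMPLE_PERMISSIONS = {
    "com.examplebank.mobile": {"android.permission.INTERNET", NFC_PERMISSION},
    "com.examplebank.update": {"android.permission.INTERNET", NFC_PERMISSION},
    "org.example.notes": {"android.permission.INTERNET"},
    "com.example.transit": {NFC_PERMISSION},
}


def parse_installers(pm_output):
    """Map package name -> installer package from `pm list packages -i` text."""
    installers = {}
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def triage(pm_output, permissions):
    """Return (package, installer, severity) for apps not installed by Google Play."""
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer == PLAY_STORE:
            continue  # installed through Play, outside the scope of this check
        wants_nfc = NFC_PERMISSION in permissions.get(pkg, set())
        findings.append((pkg, installer, "high" if wants_nfc else "review"))
    return findings


if __name__ == "__main__":
    for pkg, installer, severity in triage(SAMPLE_PM_OUTPUT, SAMPLE_PERMISSIONS):
        print(f"{severity:6} {pkg} (installer={installer})")
```

A "high" result means a sideloaded app can talk to the NFC chip; it still needs manual review, since legitimately sideloaded apps also appear in this list.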