Researchers at D3Lab warn that new versions of the NFCShare Android malware are spreading as fake updates for real banking apps, hosted on GitHub to look legitimate. Targeting customers of European banks, the malware shows a fake verification screen that tells victims to hold their payment card against the phone. It then uses the phone's NFC chip to read the card number, type, and expiry, and tricks the victim into typing their 4-digit PIN, sending it all to the attacker's server. That stolen data feeds NFC relay fraud, where criminals use it to make contactless payments or withdrawals. The malware only works if users sideload it.