NFCShare
NFCShare is an Android banking trojan distributed as fake updates or fake versions of legitimate banking apps. It has targeted mobile banking users across Europe, with reporting that it was first observed in January 2026 impersonating Deutsche Bank in Germany and later expanded to impersonate multiple banks and financial institutions, especially in Italy and Spain, including Intesa Sanpaolo, Banca Sella, Fideuram, Nexi, Mooney, BCC Roma, and CaixaBank. Victims are lured to phishing sites that mimic real banking portals, asked to enter banking credentials, and then prompted to download a malicious APK, in some cases from a public GitHub repository disguised as a school project. Some reporting also notes social engineering via fake bank operators calling or texting victims to help them enable installation from unknown sources.
The malware’s core capability is theft of payment card data via the phone’s NFC interface. It presents a fake card-verification flow in a WebView, prompts the victim to place a payment card near the device, reads card data using Android NFC functionality and EMV/IsoDep commands, and captures the victim’s PIN entered into the app. Reported stolen fields include card number, card type, card label, and expiry date. The malware exfiltrates the card data and PIN to attacker-controlled infrastructure over WebSocket. The stolen information has been assessed as usable for NFC payment relay fraud.
Operationally, the campaign has been described as rapidly rotating impersonated banking brands and rebuilding APKs frequently. Malicious APKs were hosted in the GitHub repository github[.]com/antoniocastaldo1998/app-scuola, which reportedly contained dozens of unique APK payloads and used a fake README describing the project as homework software. Observed APK names included Intesa Carte.apk, Sella Carte.apk, Klirway Carte.apk, Nexi Carte.apk, Fideuram Carte.apk, Mooney Carte.apk, CaixaBank.apk, CaixaBankNfc.apk, and CaixaReactivaTarjeta.apk. Newer samples reportedly introduced malformed ZIP paths inside APKs to hinder automated extraction and reduce detection by some analysis pipelines.
High-confidence family markers and infrastructure mentioned in the reporting include package name com.modol.nap, namespace nfc.share.itnamteis, phishing domain areaclienti-intesa[.]com, shortened lure URL tinyurl[.]com/Intesa-Carte, and WebSocket C2 endpoints ws://38[.]47[.]213[.]197:7068/ and ws://nfck[.]loseyourip[.]com:8001/. D3Lab is the primary researcher cited as tracking the malware’s discovery and evolution. Reporting notes similarities in abuse pattern to other NFC-focused Android threats such as NGate, SuperCard X, and RelayNFC, while also stating NFCShare has distinct code, libraries, architecture, and implementation details.
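An added defender-side example, not code from the reporting or from D3Lab: a static triage routine that opens an APK as a ZIP, searches every member (in both UTF-8 and the UTF-16LE used by binary Android XML) for the family markers quoted above, and flags archive member paths that look malformed. The reporting does not say how the newer samples' ZIP paths are malformed, so the path heuristic (absolute paths, traversal, backslashes, control characters) is an assumption, and the two in-memory APKs are constructed test data rather than real samples.

```python
# Added example (not from the reporting): static APK triage for the NFCShare
# markers quoted on this page plus a malformed-ZIP-path heuristic.
import io
import re
import zipfile

# Family markers from public reporting, in plain (not defanged) form.
MARKERS = ["com.modol.nap", "nfc.share.itnamteis",
           "38.47.213.197:7068", "nfck.loseyourip.com:8001"]

# Assumption: the reporting does not say how the ZIP paths are malformed, so
# this heuristic flags absolute paths, traversal, backslashes and control chars.
_BAD_PATH = re.compile(r"^(/|[A-Za-z]:)|(^|/)\.\.(/|$)|\\|[\x00-\x1f]")

def malformed_paths(names):
    """Return the archive member names that fail the path sanity check."""
    return [n for n in names if _BAD_PATH.search(n)]

def triage_apk(apk_bytes):
    """Static-only scan of an APK (a ZIP): nothing is unpacked to disk or run."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        # Binary AndroidManifest/resources store strings as UTF-16LE, so search
        # both encodings across every member instead of parsing the manifest.
        blob = b"".join(zf.read(i) for i in zf.infolist())
    hits = [m for m in MARKERS
            if m.encode() in blob or m.encode("utf-16-le") in blob]
    bad = malformed_paths(names)
    return {"has_manifest": "AndroidManifest.xml" in names,
            "malformed_paths": bad, "markers": hits,
            "verdict": "suspicious" if (hits or bad) else "clean"}

def _build(entries):
    """Construct an in-memory APK-like ZIP from {name: bytes} (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample mimicking the reported markers; not a real NFCShare APK.
SAMPLE_BAD = _build({
    "AndroidManifest.xml": "package=com.modol.nap".encode("utf-16-le"),
    "classes.dex": b"dex\n035\x00 nfc.share.itnamteis ws://nfck.loseyourip.com:8001/",
    "../lib/payload.so": b"\x7fELF",
})
SAMPLE_CLEAN = _build({
    "AndroidManifest.xml": "package=com.example.notes".encode("utf-16-le"),
    "classes.dex": b"dex\n035\x00 com.example.notes",
})

if __name__ == "__main__":
    for label, apk in (("bad", SAMPLE_BAD), ("clean", SAMPLE_CLEAN)):
        print(label, triage_apk(apk))
```

Run it against a quarantined APK by passing the file's bytes to `triage_apk`; a marker hit or a malformed path is a reason to escalate, not proof of the family by itself.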
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 2 techniques
The repository is disguised with a fake README describing it as a homework app, and a shell script pushes updated APK builds with the commit message “Aggiornato tutto,” meaning “Updated everything” in Italian.
After stealing credentials, the site redirects through a shortened URL, ultimately dropping the malicious APK from a GitHub repository named app-scuola... In some cases, a fake bank operator may call or text the victim to guide them through enabling installs from unknown sources.
Stealth: 2 techniques
Credential Access: 2 techniques
Collection: 2 techniques
Command and Control: 1 technique
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android malware distributed via phishing sites and fake banking APKs that steals banking credentials, payment card data via the phone’s NFC reader using EMV commands, and card PINs, then exfiltrates the data to attacker-controlled C2 infrastructure over WebSocket.
Android malware distributed via phishing sites and malicious APKs masquerading as banking app updates. It tricks victims into scanning payment cards over NFC, captures card number, type, expiry date, and a 4-digit PIN, and exfiltrates the data to a C2 server over WebSocket for use in NFC payment relay fraud.
Android trojan focused on NFC card data theft, delivered via a malicious APK (per the article title).
Android trojan focused on NFC card data theft, delivered via a malicious APK.