NFCShare Android malware spreads via fake banking-app updates
Malware Activity
Summary
Hide ▲
Show ▼
The NFCShare Android malware is being spread as fake banking-app updates on GitHub, broadening attacks against customers of multiple banks and financial institutions across Europe. The malware uses a phishing site and a fake verification screen to trick victims into placing their cards near the phone’s NFC chip, then reads the card data with Android’s IsoDep interface and EMV commands. It steals the card number, card type, expiry date, and a 4-digit PIN, then sends the data to attacker C2 infrastructure over WebSocket for payment-relay abuse.
Related Happenings
NFCShare fake banking-app update phishing campaign
Campaign
First: 09.06.2026 01:11
Last: 09.06.2026 01:11
Sources 1
How related:
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
About this happening:
The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...
NFCShare fake banking-app update phishing campaign
CampaignHow related: The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
About this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware ActivityAbout this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate Android Brazil fake-app and fake-lottery campaign
CampaignAbout this happening: A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
NGate malware trojanized HandyPay NFC-stealing variant
Malware ActivityAbout this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Timeline
-
09.06.2026 01:11 2 articles · 1h ago
Initial report: NFCShare Android malware spreads via fake banking-app updates
Initial DisclosureAttacks observed starting **May 14** began with a **bank-impersonation phishing site** that redirected victims to a **GitHub repository** hosting a malicious APK posing as a banking-app update.
Show sources
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11