NFCShare fake banking-app update phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The NFCShare phishing campaign is using fake banking-app updates on GitHub to steal payment card data from customers of multiple banks across Europe, expanding the theft risk across a broad financial-services target set. The operation combines impersonated bank login pages, deceptive update prompts, and malicious Android packages to capture card details and a 4-digit PIN. It matters because the theft path is built for reusable fraud against bank customers rather than a single isolated lure.
Related Happenings
NFCShare Android malware spreads via fake banking-app updates
Malware Activity
First: 09.06.2026 01:11
Last: 09.06.2026 01:11
Sources 1
How related:
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
About this happening:
The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...
NFCShare Android malware spreads via fake banking-app updates
Malware ActivityHow related: New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
About this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate Android Brazil fake-app and fake-lottery campaign
CampaignAbout this happening: A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
NGate malware trojanized HandyPay NFC-stealing variant
Malware ActivityAbout this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Telegram-linked Digital Lutera Android payment-fraud campaign
Campaign
First: 17.03.2026 18:30
Last: 17.03.2026 18:30
Sources 1
About this happening:
A **Telegram-linked Android payment-fraud campaign** is actively coordinating access attempts and sharing intercepted login data, increasing the risk of **account takeover** and f...
Telegram-linked Digital Lutera Android payment-fraud campaign
CampaignAbout this happening: A **Telegram-linked Android payment-fraud campaign** is actively coordinating access attempts and sharing intercepted login data, increasing the risk of **account takeover** and f...
BeatBanker Android phishing campaign targeting Brazilian users
Campaign
First: 12.03.2026 09:56
Last: 12.03.2026 09:56
Sources 1
About this happening:
A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...
BeatBanker Android phishing campaign targeting Brazilian users
CampaignAbout this happening: A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...
Timeline
-
09.06.2026 01:11 1 articles · 1h ago
GitHub repository starts hosting NFCShare banking-app APKs
Campaign Scope UpdateA GitHub repository used for NFCShare distribution is created on April 10 and goes on to host 56 unique APKs that impersonate mobile banking apps, primarily for banks in Italy and Spain, widening the malware distribution infrastructure.
Show sources
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11
-
09.06.2026 01:11 1 articles · 1h ago
Phishing sites push bank customers to NFCShare malicious APKs
Exploitation ObservedBeginning May 14, victims across Europe visit phishing sites that impersonate real banks, are prompted to update a banking app, and are redirected to a GitHub repository hosting a malicious APK; after a fake verification screen asks them to place a card near the device NFC chip, NFCShare reads the card using Android’s IsoDep interface and EMV commands.
Show sources
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11
-
09.06.2026 01:11 2 articles · 1h ago
Researchers report NFCShare variants targeting bank customers across Europe
Technical Analysis UpdateD3Lab, which first documented NFCShare in January 2026, reports new variants of the Android malware being distributed as fake updates for legitimate banking apps hosted on GitHub, targeting customers of multiple banks and financial institutions across Europe; the newer samples add malformed APK packaging to hinder automated analysis, while the malware steals the card number, type, expiry date, and a 4-digit PIN before exfiltrating them to a C2 host over WebSocket.
Show sources
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11
- NFCShare Android malware spreads via fake banking app updates on GitHub — www.bleepingcomputer.com — 09.06.2026 01:11