NFCShare Android NFC Fraud Campaign Impersonating Deutsche Bank

Executive Summary

In June 2026, D3 lab researchers reported on a new banking trojan. NFCShare is an Android banking trojan initially distributed as a malicious Android Package file (APK) through a phishing flow impersonating Deutsche Bank. The malware presents a fake card-verification interface, prompts the victim to place a payment card near the phone, collects the card PIN, and exfiltrates NFC-derived payment-card data to a WebSocket endpoint.

Since 14 May 2026, a newer wave of NFCShare APKs has been observed impersonating Italian and European banking brands, originating from a phishing website (areaclienti-intesa[.]com) mimicking Intesa Sanpaolo. The evolution is in campaign operations and analysis resistance: the actor is rotating brands, rebuilding APKs frequently, using URL shorteners, hosting payloads in a public GitHub repository disguised as a school project, and shipping APKs with malformed ZIP paths that can break automated extractors.

Key Takeaways

  • The core NFC and exfiltration logic remains largely unchanged. The relevant evolution is operational and anti-analysis oriented: more frequent APK rebuilds, brand rotation, a new C2 endpoint, a 10-DEX layout, and malformed ZIP paths designed to break naive APK extractors.
  • The GitHub repository used for hosting is named “app-scuola” (roughly “school app”), with a decoy README. As of 5 June 2026, the repository contains 57 commits starting 10 April 2026, with the vast majority using the commit message “Aggiornato tutto” (“Updated everything”).
  • Victims may also receive an SMS or phone call from a fake bank operator who guides them through the process, including enabling Android installation from unknown sources in order to sideload the APK.
  • The most important technical evolution is the packaging: newer APKs contain malformed ZIP entries such as paths rooted under /AndroidManifest.xml/, /classes.dex/, and /resources.arsc/. Simple extraction tools may try to write those entries as absolute paths, causing extraction failures.
  • For defenders, the most resilient detection opportunities are not the APK filename or the C2 endpoint, but the internal NFCShare code markers, the WebView/NFC behavior combination, and the malformed APK structure introduced in the newer builds.

Indicators of Compromise (IOCs)

Network IOCs

Type

Indicator

Context

C2 WebSocket

ws://38[.]47[.]213[.]197:7068/

Earlier NFCShare infrastructure

C2 WebSocket

ws://nfck[.]loseyourip[.]com:8001/

Recent campaign infrastructure

Phishing Domain

areaclienti-intesa[.]com

Fake Intesa Sanpaolo site

Short URL

hxxps://tinyurl[.]com/Intesa-Carte

APK distribution link

GitHub Repository

hxxps://github[.]com/antoniocastaldo1998/app-scuola

APK hosting repository

File Hashes (SHA-256)

Filename

SHA-256

IntesaCarte[.]apk

f1f78e1ad582c9540205ba808836dcb967b7093190bf994632854269692aa2d2

NexiCarte[.]apk

6d29e6e5372cd0690e0df62eb6d98938e91191b0e639fed2476497baa8255405

KlirwayCarte[.]apk

7fb836c08ff527443b06d1c20afb6a4b0f51eb373013f211e0d3200bf26527b7

BancaSellaCarte[.]apk

090a30252991830596c75a945885ca3100d7a40edf4a16d78abd5bbfd90ba268

CaixaBank[.]apk

9fa08e172f73daa3ec8c2fb607b8500bdf915dbf09fcde5a46381e042266149e

CaixaBankNfc[.]apk

b0e288e8ac116bc1db13536dee2060f7ebdebc4524cba9147132ed633e028cee

Application IOCs

Type

Indicator

Package Name

Com[.]modol[.]nap

Namespace

Nfc[.]share[.]itnamteis

Class

CardInfoitmanteis

Enum

MqttChannel (CARD_INFO_CHANNEL, CARD_REMOVED, SEND_CHANNEL)

Obfuscation Key

NPStringFog key: “itnewpag”

TTPs (MITRE ATT&CK)

TTP

MITRE ID

Description

Phishing: Spearphishing via Service

T1566.003

Fake bank websites and SMS lures directing victims to malicious APKs

Masquerading

T1036

APKs named after legitimate bank apps (e.g., “Intesa Carte.apk”)

User Execution: Malicious File

T1204.002

Victims socially engineered into sideloading APKs from unknown sources

Exfiltration Over C2 Channel

T1041

Card data and PIN exfiltrated via WebSocket to C2

Obfuscated Files or Information

T1027

Malformed ZIP paths, NPStringFog string obfuscation, 10-DEX layout

Ingress Tool Transfer

T1105

APK payloads hosted on GitHub and delivered via shortened URLs

Input Capture

T1417

Fake WebView UI captures 4-digit PIN from victims

NFC/Payment Data Harvesting

T1430

IsoDep NFC reader used to extract EMV card data (card number, type, expiry)

The malware retains key internal markers: the nfc.share.itnamteis namespace, CardInfoitmanteis model, MqttChannel enum, and NFC reader code using android[.]nfc[.]tech[.]IsoDep to send an EMV PPSE select APDU and parse returned payment card data.

Mitigation Options

D3 Labs included the following potential mitigations:

For End Users / Banks

  • Block sideloading: Enforce policies preventing installation from unknown sources on corporate and BYOD devices.
  • User awareness: Train customers to recognize that legitimate banks never request app updates via SMS links or phone calls.
  • Warn users that attackers may use a social engineering layer via SMS or fake bank operator phone calls to guide victims through enabling unknown-source APK installation.

For Security Teams / Analysts

  • Detection via code markers: Focus detection on internal NFCShare code markers (package name, namespace, MqttChannel enum), the WebView/NFC behavior combination, and malformed APK ZIP structure rather than filename or C2 endpoint alone.
  • APK analysis tooling: Use the open-source tool apkInspector for APK parsing and artifact extraction, which is useful for identifying NFCShare family markers and DEX layout differences even in malformed samples.
  • GitHub monitoring: Monitor for public repositories hosting bank-themed APK files with suspicious commit patterns.
  • Treat failed APK extraction as a potential indicator rather than a benign signal, in this campaign, extraction failures are themselves useful indicators of the newer NFCShare packaging.
For Mobile Security / MDM
  • Block NFC reader permissions for sideloaded or unverified applications.
  • Implement behavioral detection for apps combining WebView UI with android[.]nfc[.]tech[.]IsoDep usage and WebSocket outbound connections.
  • Block known malicious domains at the DNS/proxy layer.

More Recent Blog Posts

Executive Summary On 02 July 2026, SOCRadar researchers linked the financially-motivated campaign dubbed “FortiBleed” to the Ransom and Lynx ransomware operations, marking the...

Executive Summary On 19 June 2026, the threat group Icarus claimed to have compromised and exfiltrated data from customers of Klue, specifically the...

Executive Summary A report published by The Hacker News on 17 June 2026 detailed a software supply chain attack impacting 144 npm packages...