Executive Summary
In June 2026, D3 lab researchers reported on a new banking trojan. NFCShare is an Android banking trojan initially distributed as a malicious Android Package file (APK) through a phishing flow impersonating Deutsche Bank. The malware presents a fake card-verification interface, prompts the victim to place a payment card near the phone, collects the card PIN, and exfiltrates NFC-derived payment-card data to a WebSocket endpoint.
Since 14 May 2026, a newer wave of NFCShare APKs has been observed impersonating Italian and European banking brands, originating from a phishing website (areaclienti-intesa[.]com) mimicking Intesa Sanpaolo. The evolution is in campaign operations and analysis resistance: the actor is rotating brands, rebuilding APKs frequently, using URL shorteners, hosting payloads in a public GitHub repository disguised as a school project, and shipping APKs with malformed ZIP paths that can break automated extractors.
Key Takeaways
- The core NFC and exfiltration logic remains largely unchanged. The relevant evolution is operational and anti-analysis oriented: more frequent APK rebuilds, brand rotation, a new C2 endpoint, a 10-DEX layout, and malformed ZIP paths designed to break naive APK extractors.
- The GitHub repository used for hosting is named “app-scuola” (roughly “school app”), with a decoy README. As of 5 June 2026, the repository contains 57 commits starting 10 April 2026, with the vast majority using the commit message “Aggiornato tutto” (“Updated everything”).
- Victims may also receive an SMS or phone call from a fake bank operator who guides them through the process, including enabling Android installation from unknown sources in order to sideload the APK.
- The most important technical evolution is the packaging: newer APKs contain malformed ZIP entries such as paths rooted under /AndroidManifest.xml/, /classes.dex/, and /resources.arsc/. Simple extraction tools may try to write those entries as absolute paths, causing extraction failures.
- For defenders, the most resilient detection opportunities are not the APK filename or the C2 endpoint, but the internal NFCShare code markers, the WebView/NFC behavior combination, and the malformed APK structure introduced in the newer builds.
Indicators of Compromise (IOCs)
Network IOCs
Type |
Indicator |
Context |
C2 WebSocket |
ws://38[.]47[.]213[.]197:7068/ |
Earlier NFCShare infrastructure |
C2 WebSocket |
ws://nfck[.]loseyourip[.]com:8001/ |
Recent campaign infrastructure |
Phishing Domain |
areaclienti-intesa[.]com |
Fake Intesa Sanpaolo site |
Short URL |
hxxps://tinyurl[.]com/Intesa-Carte |
APK distribution link |
GitHub Repository |
hxxps://github[.]com/antoniocastaldo1998/app-scuola |
APK hosting repository |
File Hashes (SHA-256)
Filename |
SHA-256 |
IntesaCarte[.]apk |
f1f78e1ad582c9540205ba808836dcb967b7093190bf994632854269692aa2d2 |
NexiCarte[.]apk |
6d29e6e5372cd0690e0df62eb6d98938e91191b0e639fed2476497baa8255405 |
KlirwayCarte[.]apk |
7fb836c08ff527443b06d1c20afb6a4b0f51eb373013f211e0d3200bf26527b7 |
BancaSellaCarte[.]apk |
090a30252991830596c75a945885ca3100d7a40edf4a16d78abd5bbfd90ba268 |
CaixaBank[.]apk |
9fa08e172f73daa3ec8c2fb607b8500bdf915dbf09fcde5a46381e042266149e |
CaixaBankNfc[.]apk |
b0e288e8ac116bc1db13536dee2060f7ebdebc4524cba9147132ed633e028cee |
Application IOCs
Type |
Indicator |
Package Name |
Com[.]modol[.]nap |
Namespace |
Nfc[.]share[.]itnamteis |
Class |
CardInfoitmanteis |
Enum |
MqttChannel (CARD_INFO_CHANNEL, CARD_REMOVED, SEND_CHANNEL) |
Obfuscation Key |
NPStringFog key: “itnewpag” |
TTPs (MITRE ATT&CK)
TTP |
MITRE ID |
Description |
Phishing: Spearphishing via Service |
Fake bank websites and SMS lures directing victims to malicious APKs |
|
Masquerading |
APKs named after legitimate bank apps (e.g., “Intesa Carte.apk”) |
|
User Execution: Malicious File |
Victims socially engineered into sideloading APKs from unknown sources |
|
Exfiltration Over C2 Channel |
Card data and PIN exfiltrated via WebSocket to C2 |
|
Obfuscated Files or Information |
Malformed ZIP paths, NPStringFog string obfuscation, 10-DEX layout |
|
Ingress Tool Transfer |
APK payloads hosted on GitHub and delivered via shortened URLs |
|
Input Capture |
Fake WebView UI captures 4-digit PIN from victims |
|
NFC/Payment Data Harvesting |
IsoDep NFC reader used to extract EMV card data (card number, type, expiry) |
The malware retains key internal markers: the nfc.share.itnamteis namespace, CardInfoitmanteis model, MqttChannel enum, and NFC reader code using android[.]nfc[.]tech[.]IsoDep to send an EMV PPSE select APDU and parse returned payment card data.
Mitigation Options
D3 Labs included the following potential mitigations:
For End Users / Banks
- Block sideloading: Enforce policies preventing installation from unknown sources on corporate and BYOD devices.
- User awareness: Train customers to recognize that legitimate banks never request app updates via SMS links or phone calls.
- Warn users that attackers may use a social engineering layer via SMS or fake bank operator phone calls to guide victims through enabling unknown-source APK installation.
For Security Teams / Analysts
- Detection via code markers: Focus detection on internal NFCShare code markers (package name, namespace, MqttChannel enum), the WebView/NFC behavior combination, and malformed APK ZIP structure rather than filename or C2 endpoint alone.
- APK analysis tooling: Use the open-source tool apkInspector for APK parsing and artifact extraction, which is useful for identifying NFCShare family markers and DEX layout differences even in malformed samples.
- GitHub monitoring: Monitor for public repositories hosting bank-themed APK files with suspicious commit patterns.
- Treat failed APK extraction as a potential indicator rather than a benign signal, in this campaign, extraction failures are themselves useful indicators of the newer NFCShare packaging.
For Mobile Security / MDM
- Block NFC reader permissions for sideloaded or unverified applications.
- Implement behavioral detection for apps combining WebView UI with android[.]nfc[.]tech[.]IsoDep usage and WebSocket outbound connections.
- Block known malicious domains at the DNS/proxy layer.