A strand of Android malware called NFCShare is making the rounds disguised as legitimate banking app updates. The attack starts with a phishing website that looks like your bank’s official site — you’re told your app needs an update and are handed a link to a file hosted on GitHub. Once installed, the fake app tricks you into holding your payment card near your phone’s NFC chip under the pretense of a “security verification” step. In reality it quietly reads your card number, expiry date, and PIN, then sends all of it to the attackers.
NFCShare was first discovered in January 2026 and has since evolved to target customers of multiple banks, primarily in Europe. Because the malicious APK files are hosted on GitHub — a trusted developer platform — they can slip past basic URL-blocking filters. Real banks never send you a download link via text or email; any such message asking you to install an update outside the official app store should be treated as a scam.
How to check if you’re affected
Affected devices are Android phones where a banking app was recently installed or updated from a link in a text message, email, or website rather than through the Google Play Store. To check: open Settings → Apps, look at recently installed apps and compare them against what you downloaded from Google Play. If you find an app you don’t remember installing from the Play Store, uninstall it immediately, change your online banking password, and contact your bank to flag any suspicious card activity.