
Risk of card data theft: NFCShare malware spreads via fake banking updates on GitHub


A phishing campaign is currently targeting Android users in Europe. The threat actors abuse GitHub to distribute fake updates of well-known banking applications; the APKs carry a malware strain named NFCShare that steals victims' payment card data and, through it, their money.

How threat actors lure victims into the trap

This attack campaign reportedly began surging on May 14. The phishing scenario unfolds through sophisticated steps designed to psychologically manipulate users:

  • Step 1: Attackers lure users to a phishing website that perfectly mimics a legitimate bank's interface, requesting them to provide login credentials.

  • Step 2: Once the credentials are harvested, the phishing site displays a notification telling the victim that their banking app must be updated.

  • Step 3: The user is redirected to a repository on the GitHub platform to download an installation file (APK) containing the malware.

According to researchers, this GitHub repository was created on April 10. To date it holds 56 standalone APK files masquerading as the mobile apps of several major financial institutions, mainly in Italy, Spain and Germany (the German lure was first recorded back in January).

Malicious GitHub repository

Furthermore, experts from D3Lab noted that although not directly observed in this specific campaign, threat actors could easily combine other social engineering tactics, such as sending SMS messages or making phone calls posing as bank staff, to pressure victims into installing the app.

How NFCShare malware exfiltrates bank card data

The core objective of the new NFCShare variants is to harvest customers' payment card details. Once successfully installed on the device, the malware executes the theft through the following mechanism:

  • The malware displays a fake verification screen, prompting the user to place their bank card near the phone's Near Field Communication (NFC) chip.

  • Once the user complies, NFCShare uses Android's IsoDep API (android.nfc.tech.IsoDep) to exchange standard EMV APDU commands with the contactless card and read its data directly.

  • The card number, card type and expiration date come straight off the chip. The 4-digit PIN is never stored on the card and cannot be read over NFC, so the fake screen asks the victim to type it in, presenting this as a secure verification step. The result is a complete set of card data.

  • All this information is swiftly exfiltrated to the cybercriminals' Command and Control (C2) server via a WebSocket communication channel.

NFCShare's social engineering screening measures according to D3Lab
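To make concrete what the NFC read step above actually yields, here is an added example (not D3Lab's analysis tooling and not the malware's code) that decodes the BER-TLV records an EMV contactless card returns after the standard SELECT PPSE / SELECT AID / GET PROCESSING OPTIONS / READ RECORD sequence. The SELECT PPSE APDU is the real EMV command; the card record bytes are constructed sample data (a test PAN), not captured from a real card. The point the parser makes is that PAN, expiry and cardholder name are readable from the chip, while the PIN never is, which is why the malware has to phish it from the user.

```python
"""Decode the BER-TLV data an EMV contactless card returns over NFC.

Added example. The command APDU below is the standard EMV contactless
selection command; the record bytes are constructed test data.
"""

# SELECT "2PAY.SYS.DDF01" (PPSE): CLA 00, INS A4, P1 04, P2 00, Lc 0E, AID, Le 00.
# A reader (or malware calling IsoDep.transceive()) sends this first; SELECT
# <AID>, GET PROCESSING OPTIONS and READ RECORD follow, and the READ RECORD
# responses are what extract_card_data() below decodes.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")


def parse_tlv(data: bytes) -> list:
    """Decode BER-TLV into a flat list of (tag_hex, value) pairs, descending
    into constructed tags (bit 6 of the first tag byte set) such as 70/77."""
    out, i, n = [], 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low 7 bits = count of length bytes
            num = length & 0x7F
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def extract_card_data(response: bytes) -> dict:
    """Pull the fields card-skimming malware wants out of a READ RECORD
    response (status word 9000 may be appended). No PIN is ever present."""
    if len(response) >= 2 and response[-2:] == b"\x90\x00":
        response = response[:-2]
    fields = dict(parse_tlv(response))
    info = {}
    if "5A" in fields:                       # Application PAN, BCD, F-padded
        info["pan"] = fields["5A"].hex().upper().rstrip("F")
    if "5F24" in fields:                     # Application expiry date, YYMMDD
        info["expiry"] = fields["5F24"].hex()
    if "5F20" in fields:                     # Cardholder name
        info["name"] = fields["5F20"].decode("ascii").strip()
    if "57" in fields:                       # Track 2 equivalent: PAN 'D' YYMM SVC ...
        pan, _, rest = fields["57"].hex().upper().partition("D")
        info.setdefault("pan", pan)
        info.setdefault("expiry", rest[:4])
    info["pin"] = None                       # not on the chip; must be phished from the user
    return info


# Constructed sample READ RECORD response (tag 70 template) using a test PAN.
SAMPLE_RECORD = bytes.fromhex(
    "70" "2B"
    "5A" "08" "4111111111111111"              # PAN
    "5F24" "03" "271231"                      # expiry 2027-12-31
    "5F20" "0A" "54455354204341524420"        # "TEST CARD "
    "57" "0C" "4111111111111111D2712201"      # track 2 equivalent
) + b"\x90\x00"

if __name__ == "__main__":
    print(extract_card_data(SAMPLE_RECORD))
```

The parser is deliberately lenient about padding bytes and strict about truncated values, which is the combination you want when feeding it dumps from analysis tooling rather than live cards.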

This leaked data can subsequently be exploited by threat actors for NFC payment relay fraud, similar to the methods previously observed in campaigns utilizing malware strains such as NGate, SuperCard X, or RelayNFC.

Sophisticated evasion techniques to bypass security scanners

A notable feature of this NFCShare version is a deliberately malformed APK package. An APK is simply a ZIP archive, and the malware developer wrote malformed entry paths into it on purpose.

Some automated extraction tools treat these entries, which should be archive-relative, as absolute system paths and abort with an error. D3Lab's researchers note that the trick cannot stop an analyst from unpacking the APK manually and recovering the code, but it is effective at breaking the automated static analysis pipelines of several security tools.
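A triage check for this trick, as an added example (not D3Lab's tooling): because an APK is a ZIP, every entry's stored name can be inspected without extracting anything, and names a legitimate build tool never emits (absolute paths, parent traversal, backslash separators, drive letters) are exactly the ones that make naive extractors fail. The sample archive is constructed in memory; its malformed names are assumptions for illustration, not the exact strings used by NFCShare.

```python
"""Flag malformed entry names in an APK (ZIP) without extracting it.

Added example. The sample archive and its entry names are constructed here;
they are not taken from the NFCShare samples.
"""
import io
import re
import zipfile

# Entry-name shapes a legitimate build tool never produces. Each is a reason an
# extraction tool may abort or, worse, write outside its working directory.
SUSPICIOUS = [
    ("absolute path", re.compile(r"^/")),
    ("parent traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("backslash separator", re.compile(r"\\")),
    ("drive letter", re.compile(r"^[A-Za-z]:")),
]


def audit_apk_entries(apk_bytes: bytes) -> list:
    """Return (entry_name, reason) for each entry whose stored name is malformed.

    Uses ZipInfo.orig_filename, the raw name from the central directory, so an
    embedded NUL (which zipfile otherwise truncates at) is also reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.orig_filename
            if "\x00" in name:
                findings.append((name, "embedded NUL"))
                continue
            for reason, pattern in SUSPICIOUS:
                if pattern.search(name):
                    findings.append((name, reason))
                    break
    return findings


def build_sample_apk() -> bytes:
    """Constructed in-memory 'APK' mixing normal entries with malformed names
    of the kind described above (assumed examples, not NFCShare's real paths)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("/system/lib/libnfc.so", b"\x7fELF")       # absolute path
        zf.writestr("res/../../../../sdcard/x", b"junk")       # parent traversal
        zf.writestr("assets\\cfg.json", b"{}")                  # backslash separator
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_apk_entries(build_sample_apk()):
        print(f"{reason:20} {name!r}")
```

Run this before handing a sample to a static-analysis pipeline: a non-empty result is both a warning that automated unpacking may fail and, on its own, a strong signal that the package was not produced by a normal build.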

To avoid falling victim to the NFCShare malware, Android users must heighten their vigilance and adhere to the following safety principles:

  • Only search for and download banking applications from the official Google Play Store.

  • Always enable the Play Protect security feature on mobile devices.

  • Be extremely cautious of any prompt requesting a card scan via NFC features appearing on the screen under the guise of "account verification."

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)
