New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After a fake verification screen tricks victims into placing their cards near the mobile device's near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands.
The malware steals the card number, type, expiry date, and a 4-digit PIN entered by the victim under the pretense of a security step, and exfiltrates the data to the attacker’s command-and-control (C2) host over a WebSocket channel.
The information collected this way can then be used in NFC payment relay schemes, as documented in the NGate, SuperCard X, and RelayNFC malware attacks.
Figure: NFCShare's social engineering screens (Source: D3Lab)
NFCShare was first documented in January 2026 by D3Lab researchers, who have been tracking its activity and evolution.
D3Lab researcher Andrea Draghetti told BleepingComputer that, despite similarities to other Android malware that exploits NFC chips for data theft, NFCShare uses distinct code, libraries, architecture, and implementation details.
Draghetti noted, though, that it could still be an evolution of the same ecosystem, driven by the same threat actors.