
NFCShare Android Malware: Detecting Fake Banking App Updates on GitHub

Security Arsenal Team
June 9, 2026

Security analysts have identified a sophisticated distribution campaign targeting Android users, specifically those seeking updates for legitimate banking applications. The threat actor behind the NFCShare malware has weaponized GitHub repositories to host fraudulent updates. By impersonating trusted banking applications, attackers lure victims into side-loading malicious APKs. This campaign bypasses the security controls of the Google Play Store, directly compromising endpoint integrity and exposing sensitive financial data to NFC interception and exfiltration. Defenders must treat this as an active supply-chain threat and implement immediate detection mechanisms for unofficial app sources.

Technical Analysis

Affected Platform: Android OS (all versions supporting side-loading).

Threat Vector: Social Engineering / Supply Chain Compromise (Trust Exploitation).

Attack Chain:

  1. Lure: Attackers create GitHub repositories that mimic legitimate banking apps, or post "update" notices for popular financial software that direct users to those repositories.
  2. Delivery: Victims download the APK file directly from the GitHub repository (often from raw.githubusercontent.com).
  3. Execution: User grants "Install Unknown Apps" permission to the browser or file manager, triggering the APK installation.
  4. Payload: The NFCShare malware deploys. Its primary functionality involves abusing Android's Near Field Communication (NFC) hardware to intercept data (e.g., credit card info) or emulate tags, combined with standard overlay attacks to harvest banking credentials.

Exploitation Status: Active. GitHub repositories are currently hosting these malicious files, making this a live threat to organizations allowing BYOD or managing mobile fleets without strict application whitelisting.

Detection & Response

SIGMA Rules

YAML
---
title: Potential NFCShare - APK Download from GitHub
id: 4a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Android devices downloading APK files directly from GitHub, a known TTP for NFCShare distribution.
references:
  - https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  product: android
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'github.com'
      - 'raw.githubusercontent.com'
    RequestURL|endswith:
      - '.apk'
  condition: selection
falsepositives:
  - Developers installing their own test builds
level: high
---
title: NFCShare - Sideloading App with NFC Permission
id: 5b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects installation of Android packages requesting NFC permissions from an unverified source (sideload).
references:
  - https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.execution
  - attack.t1204
logsource:
  product: android
  category: package_installation
detection:
  selection_source:
    InstallerPackageName|endswith:
      - 'com.android.packageinstaller'
      - 'com.google.android.packageinstaller'   # Google-branded installer on Pixel devices; not matched by the AOSP name above
  selection_perm:
    Permissions|contains: 'android.permission.NFC'
  filter_legit_store:
    InstallerPackageName:
      - 'com.android.vending'
  condition: selection_source and selection_perm and not filter_legit_store
falsepositives:
  - Legitimate corporate sideloading of internal NFC tools
level: medium
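To make the two rules' logic concrete, here is a Python port of them run over constructed Android telemetry. This is an added example, not code from the original post or from the Sigma project. It assumes events arrive as dicts keyed by the Sigma field names with a `category` key selecting the logsource, and it deliberately goes beyond the rules as written in two places: the APK check strips the query string before the suffix test so a GitHub blob URL ending in `?raw=true` still matches (a literal `endswith '.apk'` misses it), and the installer list also accepts `com.google.android.packageinstaller`, the Google-branded installer on Pixel devices.

```python
"""Port of the two NFCShare Sigma rules over constructed Android events.

Added example, not the page's or Sigma's own code. Assumed event shape:
a dict with a 'category' key (the Sigma logsource category) plus the rule's
field names as keys (DestinationHostname, RequestURL, InstallerPackageName,
Permissions).
"""
from urllib.parse import urlsplit

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com")
PLAY_STORE_INSTALLER = "com.android.vending"
# Assumption: the AOSP installer name from the rule plus the Pixel variant.
SIDELOAD_INSTALLER_SUFFIXES = (
    "com.android.packageinstaller",
    "com.google.android.packageinstaller",
)
NFC_PERMISSION = "android.permission.NFC"


def apk_download_from_github(event: dict) -> bool:
    """Rule 1: GitHub host AND request URL ends with '.apk'.

    The query string and fragment are stripped first, so
    '.../BankApp.apk?raw=true' is caught; the rule's raw endswith is not.
    """
    if event.get("category") != "network_connection":
        return False
    host = event.get("DestinationHostname", "").lower()
    if not any(h in host for h in GITHUB_HOSTS):
        return False
    path = urlsplit(event.get("RequestURL", "")).path.lower()
    return path.endswith(".apk")


def sideload_with_nfc_permission(event: dict) -> bool:
    """Rule 2: sideloaded install requesting android.permission.NFC, not via Play.

    The Play Store exclusion can never overlap the installer suffixes, but it
    is kept so the function mirrors the rule's condition line for line.
    """
    if event.get("category") != "package_installation":
        return False
    installer = event.get("InstallerPackageName", "")
    perms = event.get("Permissions", [])
    if isinstance(perms, str):          # some pipelines flatten the list to one string
        perms = [perms]
    from_sideload = installer.endswith(SIDELOAD_INSTALLER_SUFFIXES)
    requests_nfc = any(NFC_PERMISSION in p for p in perms)
    from_play_store = installer == PLAY_STORE_INSTALLER
    return from_sideload and requests_nfc and not from_play_store


RULES = {
    "Potential NFCShare - APK Download from GitHub": apk_download_from_github,
    "NFCShare - Sideloading App with NFC Permission": sideload_with_nfc_permission,
}


def evaluate(events):
    """Return (rule_title, event_id) for every event that matches a rule."""
    return [(title, ev["id"]) for ev in events
            for title, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "category": "network_connection",
     "DestinationHostname": "raw.githubusercontent.com",
     "RequestURL": "https://raw.githubusercontent.com/example-org/bank-update/main/BankApp_Update.apk"},
    {"id": 2, "category": "network_connection",
     "DestinationHostname": "github.com",
     "RequestURL": "https://github.com/example-org/bank-update/blob/main/BankApp_Update.apk?raw=true"},
    {"id": 3, "category": "network_connection",
     "DestinationHostname": "github.com",
     "RequestURL": "https://github.com/example-org/project/blob/main/README.md"},
    {"id": 4, "category": "package_installation",
     "InstallerPackageName": "com.android.packageinstaller",
     "Permissions": ["android.permission.NFC", "android.permission.SYSTEM_ALERT_WINDOW"]},
    {"id": 5, "category": "package_installation",
     "InstallerPackageName": "com.android.vending",
     "Permissions": ["android.permission.NFC"]},
    {"id": 6, "category": "package_installation",
     "InstallerPackageName": "com.android.packageinstaller",
     "Permissions": ["android.permission.INTERNET"]},
    {"id": 7, "category": "package_installation",
     "InstallerPackageName": "com.google.android.packageinstaller",
     "Permissions": "android.permission.NFC"},
]

if __name__ == "__main__":
    for title, event_id in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] matched event {event_id}")
```

Events 1, 2, 4 and 7 fire; 3 (a README, not an APK), 5 (a Play Store install) and 6 (no NFC permission) do not. Event 2 is the case the raw rule misses, and event 7 is the case the rule's AOSP-only installer name misses.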

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Android devices downloading APKs from GitHub
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where ActionType == "ConnectionSuccess"
// has "github.com" alone does not match raw.githubusercontent.com (one term), so list both hosts
| where RemoteUrl has_any ("github.com", "raw.githubusercontent.com")
// contains rather than has: ".apk?raw=true" does not end on a term boundary
| where RemoteUrl contains ".apk"
| project Timestamp, DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, LocalIP, RemoteIP
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp >= ago(7d) // Correlate with package-installer activity in the same window
    | where ProcessVersionInfoInternalFileName =~ "packageinstaller" or ProcessCommandLine contains "install"
    | project DeviceId, InstallerProcess = FileName, InstallerCommandLine = ProcessCommandLine
) on DeviceId
| summarize Downloads = count(), InstallerProcesses = make_set(InstallerProcess) by DeviceId, DeviceName, RemoteUrl

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently downloaded APK files (now() is epoch seconds, so the 7-day window uses timestamp())
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs="/*/Download/*.apk")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Identify installed third-party packages that request NFC permission. dumpsys takes a
-- package name, not an APK path, so enumerate packages with pm first and shell out via execve().
-- Note: This VQL assumes an Android collection with shell access (ADB or root)
SELECT Pkg, Stdout AS NFC_Perm_Check
FROM foreach(
  row={
    SELECT regex_replace(source=_value, re="^package:", replace="") AS Pkg
    FROM foreach(row={ SELECT split(string=Stdout, sep="\n") AS Lines
                       FROM execve(argv=["pm", "list", "packages", "-3"]) },
                 query={ SELECT _value FROM foreach(row=Lines) })
    WHERE _value =~ "^package:"
  },
  query={ SELECT Stdout
          FROM execve(argv=["sh", "-c", "dumpsys package " + Pkg + " | grep android.permission.NFC"]) })
WHERE NFC_Perm_Check =~ "android.permission.NFC"

Remediation Script

Bash / Shell
#!/bin/bash
# Remediation script to disable Unknown Sources and identify recent installs
# Requires ADB (Android Debug Bridge) configured on the workstation

echo "[+] Checking for ADB devices..."
# Keep only serials in the "device" state; skips the header and "unauthorized"/"offline" entries
DEVICES=$(adb devices | awk 'NR > 1 && $2 == "device" {print $1}')

if [ -z "$DEVICES" ]; then
    echo "[-] No devices found. Please ensure ADB is connected and authorized."
    exit 1
fi

for DEVICE in $DEVICES; do
    echo "[+] Processing Device: $DEVICE"

    # List 3rd party packages with their APK paths. pm prints "package:<path>=<name>";
    # modern app directories contain "==" (e.g. /data/app/~~Abc==/pkg-Xyz==/base.apk),
    # so split on the LAST "=" rather than with cut -d= -f1/-f2.
    echo "[+] Listing 3rd party packages..."
    adb -s "$DEVICE" shell pm list packages -3 -f | tr -d '\r' | while read -r line; do
        entry=${line#package:}
        pkg_name=${entry##*=}
        pkg_path=${entry%=*}
        # Check for dangerous permissions (NFC, overlay). </dev/null stops adb from
        # swallowing the rest of the loop's stdin.
        perms=$(adb -s "$DEVICE" shell dumpsys package "$pkg_name" </dev/null \
                | grep "requested permissions:" -A 40 \
                | grep -E "android.permission.NFC|SYSTEM_ALERT_WINDOW")
        if [ -n "$perms" ]; then
            echo "[!] Suspicious Package Found: $pkg_name"
            echo "    Path: $pkg_path"
            echo "    Permissions: $perms"
            # Install time helps confirm whether this was a recent sideload
            adb -s "$DEVICE" shell dumpsys package "$pkg_name" </dev/null | grep -m1 firstInstallTime
        fi
    done

    # Revoke Install Unknown Apps for all 3rd party packages. REQUEST_INSTALL_PACKAGES is
    # not a runtime permission, so "pm revoke" has no effect; on Android 8+ it is an app op.
    echo "[+] Revoking 'Install Unknown Apps' permission..."
    for pkg in $(adb -s "$DEVICE" shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        adb -s "$DEVICE" shell appops set "$pkg" REQUEST_INSTALL_PACKAGES deny </dev/null 2>/dev/null
    done
    # Android 7 and earlier used a single global toggle instead of per-app ops
    adb -s "$DEVICE" shell settings put global install_non_market_apps 0 2>/dev/null

    # Bring the user to the "Install unknown apps" screen for manual review instead of
    # blind-tapping coordinates, which can toggle unrelated settings
    echo "[+] Opening 'Install unknown apps' settings for user review..."
    adb -s "$DEVICE" shell am start -a android.settings.MANAGE_UNKNOWN_APP_SOURCES

    echo "[+] Remediations applied to $DEVICE."
done

echo "[.] Remediation complete. Manual review of 'Settings > Security > Install Unknown Apps' recommended."

Remediation

  1. Block GitHub at the Proxy: For corporate mobile devices (BYOD or COPE), implement web proxy filtering policies to block access to raw.githubusercontent.com and github.com unless the user role explicitly requires development access.

  2. Enforce "Install Unknown Apps" Policy: Use your Mobile Device Management (MDM) solution (e.g., Microsoft Intune, VMware Workspace ONE) to explicitly disable the "Allow installation from unknown sources" setting for all managed devices.

  3. Application Whitelisting: Enforce an allow-list policy for application stores. Only the Google Play Store (and your internal enterprise app store) should be permitted to install applications.

  4. User Education: Immediately notify users that legitimate banking applications never distribute updates via GitHub links or require manual APK downloads. Instruct users to uninstall any banking app installed outside the official Play Store and report it to the security team.

  5. Google Play Protect: Ensure Google Play Protect is enabled on all fleet devices. While not bulletproof, it provides a baseline of detection for known NFCShare variants.
