NFCShare Resurfaces: GitHub Repos Hosting Fake Banking App Updates
Just caught the BleepingComputer report on the new NFCShare campaign, and it’s a slick evolution of their social engineering. Instead of just SMS phishing, they are now abusing GitHub repositories to host 'updates' for legitimate banking apps. It’s a classic supply-chain style attack but targeting the end-user directly via a trusted developer platform.
From a technical standpoint, the malware leverages Android's Accessibility Services to capture credentials and overlay fake login screens on top of legitimate apps. Since it's distributed via GitHub, it bypasses some traditional checks because the domain reputation is high.
If you're analyzing APKs for this, look for these suspicious permission requests in the AndroidManifest.xml:
For automated detection, you can script a hash check against known malicious IOCs. Here is a quick Python snippet to calculate the SHA256 of a sideloaded APK:
import hashlib

def get_apk_hash(filepath):
    # Hash the APK in 4 KiB chunks so large files do not need to be read into memory at once.
    sha256_hash = hashlib.sha256()
    with open(filepath, "rb") as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            sha256_hash.update(byte_block)
    return sha256_hash.hexdigest()
I'm curious how everyone is handling 'Unknown Sources' policies in their BYOD environments. Are you strictly blocking side-loading, or do you have a mobile threat defense solution that catches this specific GitHub traffic pattern?
Solid catch on the permissions. We started seeing hits on raw.githubusercontent.com from our mobile fleet last week. We're using Microsoft Defender for Endpoint (MDE) on mobile, which flagged the connection, but it was noisy.
For SOC teams, I recommend filtering your proxy logs for User-Agents typical of Android DownloadManager hitting GitHub content. This KQL query helped us filter out the noise:
DeviceNetworkEvents
| where RemoteUrl contains "githubusercontent.com"
| where InitiatingProcessFileName == "com.android.providers.downloads"
It turned up a few devices trying to pull APKs outside of the Play Store.
The abuse of GitHub is the real kicker here. It appeals to the 'techie' side of users who think they are getting a beta or a modded version of a banking app.
From a pentester perspective, the overlay attack is nothing new, but the distribution method lowers the barrier to entry for the victim. I've been advising clients to enforce 'Google Play Protect' strictly and disable installation permissions via ADB for non-developers. If you aren't restricting Unknown Sources via MDM, this is your wake-up call.
We actually had a client get hit by a variant of this last month. The user was a crypto-trader looking for a 'pro' version of a wallet app hosted on GitHub.
The scary part was the persistence. It hid the icon after installation. Make sure to include icon checks in your forensic scripts. You can list packages without launchers using:
adb shell pm list packages -f | grep -v 'launcher'
Blocking GitHub entirely isn't feasible for dev shops, but maybe we need to start categorizing specific GitHub paths as 'High Risk' in our web filters.
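As an added example (not code from the thread or from the campaign report), a Python triage helper that checks a decoded AndroidManifest.xml, such as apktool output, for the red flags raised above: the overlay permission, a service bound to the Accessibility API, and the absence of a MAIN/LAUNCHER activity. The sample manifest and its package name are constructed; an app can also hide its icon at runtime by disabling its launcher component after install, which a static manifest check like this will not see.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace (android:name, android:permission, ...).
A = "{http://schemas.android.com/apk/res/android}"
# Permissions worth a second look in an app claiming to be a banking "update".
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",      # draw overlays on top of other apps
    "android.permission.REQUEST_INSTALL_PACKAGES", # pull in further sideloaded payloads
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Triage a decoded (text) AndroidManifest.xml and return a list of findings."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Accessibility services are declared on <service>, not as a uses-permission.
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == ACCESSIBILITY_PERM]
    # A MAIN/LAUNCHER intent-filter is what puts an icon on the home screen.
    has_launcher = False
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in comp.iter("intent-filter"):
            actions = {x.get(A + "name") for x in flt.iter("action")}
            cats = {x.get(A + "name") for x in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    findings = [f"risky permission: {p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    findings += [f"accessibility service: {s}" for s in a11y]
    if not has_launcher:
        findings.append("no MAIN/LAUNCHER activity (no home-screen icon)")
    return {"package": root.get("package"), "findings": findings}

# Constructed sample manifest mimicking the behaviour described in the thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".LoaderActivity"/>
    <service android:name=".CaptureService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)["findings"]` to see the three findings for the sample; a manifest with a normal launcher activity and no overlay or accessibility declarations returns an empty list.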