
New variants of an Android malware family known as NFCShare are spreading through counterfeit updates for popular banking applications, with threat actors using GitHub as their primary distribution platform, according to a BleepingComputer report published on 9 June.

The campaign targets users of legitimate banking apps by presenting malicious packages as official software updates. By hosting the payloads on GitHub — a platform widely trusted by developers and technically inclined users — the operators behind NFCShare exploit the credibility of the open-source repository to lower victims' guard and circumvent organisational security policies that typically permit GitHub traffic.

How the Attack Works

The malware is packaged to closely resemble authentic banking application updates. Users who download and install these fake updates grant the malware access to their devices without realising it, where it can operate with the permissions of the legitimate banking app it impersonates.

The malware's name suggests NFC functionality, though full technical confirmation is pending and researchers have not yet published a detailed analysis of its capabilities. Should it incorporate Near Field Communication relay capabilities — a technique that has become increasingly common in mobile financial fraud — it could intercept or relay contactless payment data in real time.

According to BleepingComputer, the campaign impersonates a range of banking applications, including Garanti BBVA, İş Bankası, Yapı Kredi, Ziraat Bankası, Akbank, QNB Finansbank, and Papara — all widely used financial services in Turkey. The fake update pages are hosted on GitHub repositories designed to mimic legitimate download sources, with distribution also reportedly occurring through Telegram channels.

NFC-based attacks on Android devices have grown more sophisticated in recent years. Security researchers have documented criminal groups relaying NFC traffic between a victim's phone and a point-of-sale terminal, enabling fraudulent contactless transactions even when the physical card is not present. If NFCShare employs similar techniques, the risk to banking customers could extend well beyond credential theft into direct financial exploitation through contactless payment abuse.

Why GitHub Matters as a Distribution Channel

The choice of GitHub as a hosting platform is significant. Unlike typical malware distribution through phishing sites or unofficial app stores, GitHub carries an inherent reputation for legitimacy. Security teams in many organisations permit GitHub traffic on corporate networks, and individual users are less likely to question downloads originating from the platform. This approach reflects a broader trend of supply-chain-adjacent attacks in which trusted infrastructure is co-opted to deliver malicious payloads.

For developers and IT administrators who routinely pull dependencies or binaries from public repositories, the campaign highlights the importance of verifying file integrity through checksums and sourcing updates exclusively from official application stores or vendor websites. Organisations may also wish to review whether their security policies adequately scrutinise downloads from code hosting platforms.
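As an added illustration of the two controls just described (this is example code, not from the report or any named vendor), the block below flags APK downloads from code-hosting and chat platforms in constructed proxy log lines and verifies a downloaded package against a vendor-published SHA-256 digest. The log format, host allowlist and sample URLs are assumptions made for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Hosts that legitimately serve signed Android packages to end users.
# Assumption: an organisation-specific allowlist; adjust to local policy.
OFFICIAL_STORE_HOSTS = {"play.google.com", "galaxy.store"}

# Code-hosting and chat platforms that should never be the source of a banking
# app "update"; GitHub and Telegram are the channels named in the report above.
CODE_HOSTING_HOSTS = {"github.com", "raw.githubusercontent.com",
                      "objects.githubusercontent.com", "t.me", "telegram.org"}

# Minimal proxy log format (constructed for this example):
# <timestamp> <client_ip> <method> <url> <status> <content_type>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def flag_apk_download(line):
    """Return a finding if the line is an APK fetched from a code-hosting or
    chat platform rather than an official store, otherwise None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status, ctype = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    is_apk = (parsed.path.lower().endswith(".apk")
              or ctype == "application/vnd.android.package-archive")
    if not is_apk or host in OFFICIAL_STORE_HOSTS:
        return None
    if host in CODE_HOSTING_HOSTS or host.endswith(".githubusercontent.com"):
        return {"time": ts, "client": client, "host": host, "url": url}
    return None

def verify_sha256(data, published_hex):
    """Compare a downloaded package's SHA-256 with the digest the vendor
    publishes, using a constant-time comparison."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), published_hex.lower())

SAMPLE_LOG = [  # constructed sample lines, not real traffic or real repositories
    "2024-06-09T10:01:02Z 10.0.0.5 GET https://play.google.com/store/apps/details?id=example 200 text/html",
    "2024-06-09T10:02:10Z 10.0.0.7 GET https://github.com/example-org/bank-update/releases/download/v2/update.apk 200 application/octet-stream",
    "2024-06-09T10:03:44Z 10.0.0.9 GET https://t.me/example_channel/123/banking_update.apk 200 application/vnd.android.package-archive",
]

def findings(lines=SAMPLE_LOG):
    """Run the detector over a list of log lines and return the findings."""
    return [f for f in map(flag_apk_download, lines) if f]
```

Feeding real proxy or EDR download telemetry into `findings` and alerting on any result gives a simple control for the policy gap the article points out.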

Broader Threat Landscape

The NFCShare campaign joins a growing roster of Android-focused malware operations that combine social engineering with trusted-platform distribution to steal financial data. Banking trojans targeting mobile platforms have consistently ranked among the most active threat categories globally, driven by the increasing volume of financial transactions conducted on smartphones.

Specific indicators of compromise — including file hashes, package identifiers, and command-and-control server addresses — had not been disclosed by researchers at the time of publication. The full scope of targeted institutions beyond the banking apps identified above also remains unclear, and affected users are advised to update their banking applications exclusively through official app stores.

For IT security professionals, the discovery reinforces a straightforward lesson: trusted platforms such as GitHub can be weaponised to deliver malicious payloads, and mobile users — particularly those managing financial accounts on their devices — must verify the provenance of every update before installation.

Original News Source