{
  "name": "NFCShare Android Trojan: NFC card data theft via malicious APK",
  "slug": "nfcshare-android-trojan-nfc-card-data-theft-via-malicious-apk",
  "description": "A new Android trojan, named NFCShare, has been discovered targeting Deutsche Bank customers through a phishing campaign. The malware, disguised as a banking app update, prompts users to perform a fake card verification process. It exploits NFC technology to steal card data and PINs, which are then exfiltrated to a remote WebSocket endpoint. The trojan's distribution, user flow, and technical analysis are detailed, including its NFC reading capabilities and string obfuscation techniques. The malware shows links to Chinese-linked tooling and similarities to other NFC-based threats. IOCs include hashes, package details, and network indicators.",
  "published": "2026-01-30T07:18:00+00:00",
  "created_at": "2026-01-30T07:18:00+00:00",
  "modified_at": "2026-01-30T07:51:58+00:00",
  "created_at_opencti": "2026-01-30T07:18:00+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-30",
    "android",
    "banking",
    "card theft",
    "data exfiltration",
    "nfc",
    "nfcshare",
    "phishing",
    "trojan",
    "websocket"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "38.47.213.197"
      },
      {
        "id": "",
        "name": "afbe6751d339fbc5b7bddd29429a11740e82fef935a61acaf2fe5487444dbed4"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:b9783eea28144708",
        "name": "NFCShare",
        "slug": "nfcshare"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Italy"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "portale-deut.com"
      }
    ]
  },
  "external_refs": [
    "https://www.d3lab.net/nfcshare-android-trojan-nfc-card-data-theft-via-malicious-apk/",
    "https://otx.alienvault.com/pulse/697c693880e53e3f443b484c"
  ]
}