New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.

The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.

After tricking victims with a fake verification screen to place the cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands.