📃Title: Ghost Tapped: Tracking the Rise of Chinese Tap-to-pay Android Malware
📅Date: 2026-01-07
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Group-IB
  • financial-fraud=“Fake App”
  • financial-fraud=“Vishing”
  • financial-fraud=“Smishing”
  • financial-fraud=“Phishing”
  • financial-fraud=“Money Mules”
  • financial-fraud=“CNP – Card Not Present”
  • financial-fraud=“Malware”
  • financial-fraud=“Compromised Payment Cards”
  • target-information=“Greece”
  • target-information=“Indonesia”
  • target-information=“Jordan”
  • target-information=“Malaysia”
  • target-information=“Turkey”
  • target-information=“Uzbekistan”
  • country=“china”
  • country=“malaysia”
  • online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
  • mitre-attack-pattern=[]

MISP event uuid: 284a5040-9bea-495a-9465-2080e97f08df

Indicators of Compromise (IoCs)

Full IOCs available in Rectifyq's MISP