GhostChat, a sneaky Android spyware, tricks Pakistan-based users with romance scams run over WhatsApp.
The malware grabs sensitive data like contacts, photos, and files from victims’ devices.
Threat actors pose as dating apps to hook targets. GhostChat mimics a legit chat platform named “Dating Apps without payment,” stealing its icon for trust. Users must sideload the APK since it’s not on Google Play.
The app demands permissions right away. It shows a login screen with hardcoded credentials: username “chat,” password “12345.” After login, 14 fake female profiles appear, each locked behind preset codes shared with victims.
These profiles link to Pakistani WhatsApp numbers (+92 codes). Victims enter a code, then get redirected to WhatsApp for chats run by attackers. This builds false exclusivity, masking the spyware’s real goal: constant spying.
Stealthy Data Theft
GhostChat activates in the background, even before login. It exfiltrates device ID, full contact lists as text files, and stored files like images, PDFs, Word docs, Excel sheets, and PowerPoint files to a C&C server at hitpak[.]org.
The malware sets content observers for new photos, uploading them instantly. It also runs tasks every five minutes to scan and steal fresh documents. This ensures ongoing surveillance without user notice.
Detected as Android/Spy.GhostChat.A, it evades basic checks. Google Play Protect now blocks known samples after ESET, an App Defense Alliance partner, reported them.
The same actors run linked operations. Analysis of the C&C server uncovered batch scripts that fetch and run a DLL from hitpak[.]org/notepad2[.]dll. These use “ClickFix” tricks: fake alerts push users to execute malicious code via rundll32.exe.
One site, buildthenations[.]info/PKCERT/pkcert.html, impersonates Pakistan’s PKCERT. It warns of fake national threats, urging clicks that download file.dll (SHA-1: 8B103D0AA37E5297143E21949471FD4F6B2ECBAA, detected as Win64/Agent.HEM).
This DLL phones home with machine details, then polls every five minutes for base64-encoded PowerShell commands.
It runs them hidden: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command “…”. No payloads were active during checks.
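The two host-side behaviours described above, a DLL launched through rundll32.exe from a user-writable folder and a PowerShell launch with -ExecutionPolicy Bypass and -WindowStyle Hidden, are easy to spot in process-creation telemetry. The following Python is an added example, not code from ESET's report, that runs those checks over a handful of constructed process-creation events (the sample image paths and command lines are made up for this example). It goes one step further than the page by also decoding an -EncodedCommand argument, so an analyst sees the script text rather than a base64 blob.

```python
import re
import base64

# Constructed sample process-creation events (the fields a Sysmon Event ID 1 or
# EDR feed would give you after parsing). These are made up, not campaign telemetry.
SAMPLE_EVENTS = [
    # 1. DLL launched from the user's Downloads folder, as the ClickFix lure does
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\Downloads\file.dll,DllMain"},
    # 2. The hidden, policy-bypassing PowerShell launch quoted in the report
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "whoami"'},
    # 3. Benign rundll32 use: the DLL lives under System32
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # 4. Benign PowerShell use: visible window, default policy
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Date"'},
    # 5. Hidden window plus an encoded command (abbreviated switches, as attackers type them)
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode("Get-Date".encode("utf-16le")).decode()},
]

# Folders an ordinary user can write to. A DLL loaded by rundll32 from one of these
# deserves a look; a DLL under System32 usually does not.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\public\\")

# rundll32 takes "<dll>,<entrypoint>" (optionally quoted); capture the DLL path.
RUNDLL_PATH_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)


def rundll32_dll_path(cmdline):
    """Return the DLL path rundll32 was asked to load, or None if none is present."""
    m = RUNDLL_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def powershell_flags(cmdline):
    """Normalise PowerShell switches to their long names.

    PowerShell accepts any unambiguous prefix (-w for -WindowStyle, -ep or -ex
    for -ExecutionPolicy, -e/-enc for -EncodedCommand), so compare by prefix,
    case-insensitively, rather than by exact switch name.
    """
    toks = cmdline.split()
    found = {}
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if not t.startswith("-") or len(t) < 2:
            continue
        nxt = toks[i + 1]
        if "-windowstyle".startswith(t):
            found["windowstyle"] = nxt.lower()
        elif t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t)):
            found["executionpolicy"] = nxt.lower()
        elif "-encodedcommand".startswith(t):
            found["encodedcommand"] = nxt
    return found


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE script text as base64; return the text, or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the reasons an event matches the tradecraft above (empty list if none)."""
    reasons = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("rundll32.exe"):
        dll = rundll32_dll_path(cmd)
        if dll and any(d in dll.lower() for d in USER_WRITABLE):
            reasons.append(f"rundll32 loading DLL from user-writable path: {dll}")
    if image.endswith("powershell.exe"):
        flags = powershell_flags(cmd)
        if flags.get("windowstyle") == "hidden":
            reasons.append("powershell window hidden")
        if flags.get("executionpolicy") == "bypass":
            reasons.append("execution policy bypass")
        if "encodedcommand" in flags:
            reasons.append(f"encoded command: {decode_encoded_command(flags['encodedcommand'])!r}")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that trips at least one check."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", "; ".join(why))
```

Each check on its own is noisy on a real estate (administrators do use hidden windows, and plenty of installers run rundll32 from temp folders), so in practice these reasons are best scored together, or correlated with a preceding browser download, before they page anyone. The encoded-command decoder assumes the standard UTF-16LE encoding PowerShell uses; a blob that fails to decode is still reported, just with a None body.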
WhatsApp Hijacking
Attackers also exploit WhatsApp linking. Fake Ministry of Defence pages push QR codes for “community joins.” Scanning links the victim’s phone to the attacker’s WhatsApp Web, dubbed GhostPairing.

Victims see a new device notification after two hours, but damage is done. Attackers read chats, contacts, and history with full owner access. This echoes past tactics like BadBazaar against Signal.
Spotted September 11, 2025, via VirusTotal upload from Pakistan, GhostChat (SHA-1: B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A, filename Live Chat.apk) targets locals with cultural lures.
No firm attribution yet, but multiplatform ties suggest a coordinated espionage push.
C&C IP 188.114.96[.]10 (Cloudflare-hosted) ties the operations together. Full IoCs live on ESET’s GitHub.
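The indicators quoted in this article (the two domains, the C&C IP and the two SHA-1 hashes) are printed defanged, so they have to be normalised before they can be matched against logs. The Python below is an added example, not ESET's tooling, that refangs those indicators and sweeps them across a few constructed DNS, proxy and EDR log lines (the log lines and client addresses are made up; only the indicators come from the article, and ESET's GitHub list is longer than this).

```python
import re

# Indicators exactly as the article prints them, defanged. Partial list: the full
# set is on ESET's GitHub.
DEFANGED_IOCS = {
    "domain": ["hitpak[.]org", "buildthenations[.]info"],
    "ip": ["188.114.96[.]10"],
    "sha1": ["8B103D0AA37E5297143E21949471FD4F6B2ECBAA",
             "B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A"],
}


def refang(ioc):
    """Undo the usual defanging ([.] and hxxp) and lower-case for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


REFANGED = {kind: [refang(i) for i in items] for kind, items in DEFANGED_IOCS.items()}

# Constructed log lines (not real traffic) in a loose key=value style.
SAMPLE_LOGS = [
    "2025-09-12T10:01:02Z dns client=10.0.0.7 query=hitpak.org type=A",
    "2025-09-12T10:01:03Z proxy client=10.0.0.7 url=http://hitpak.org/notepad2.dll status=200",
    "2025-09-12T10:05:00Z dns client=10.0.0.9 query=www.example.com type=A",
    "2025-09-12T10:06:11Z proxy client=10.0.0.9 url=https://buildthenations.info/PKCERT/pkcert.html status=200",
    "2025-09-12T10:07:30Z edr host=WS-12 file=file.dll sha1=8b103d0aa37e5297143e21949471fd4f6b2ecbaa",
    "2025-09-12T10:08:00Z dns client=10.0.0.3 query=cdn.example.net answer=188.114.96.10",
]

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)


def match_line(line, iocs=None):
    """Return the set of indicators that appear in one log line.

    Domains match exactly or as a parent of a subdomain (so nothitpak.org does
    not match hitpak.org); IPs and SHA-1 hashes match exactly.
    """
    iocs = iocs or REFANGED
    hits = set()
    for host in HOST_RE.findall(line.lower()):
        for dom in iocs["domain"]:
            if host == dom or host.endswith("." + dom):
                hits.add(dom)
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.add(ip)
    for digest in SHA1_RE.findall(line):
        if digest.lower() in iocs["sha1"]:
            hits.add(digest.lower())
    return hits


def scan_logs(lines, iocs=None):
    """List of (line index, sorted indicators) for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((i, sorted(hits)))
    return results


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits, "<-", SAMPLE_LOGS[idx])
```

The last sample line is deliberate: 188.114.96.10 is a Cloudflare address, so a hit on the IP alone (here from an unrelated domain resolving to it) says little by itself. Treat the IP as corroboration for a domain or hash hit rather than as a standalone block-list entry, or you will be blocking a shared edge.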
- Block unknown APK installs; stick to Google Play.
- Scrutinize app permissions and odd logins.
- Watch WhatsApp for unknown linked devices; revoke via settings.
- Enable Play Protect; scan with tools like ESET Mobile Security.
- Report fakes: [email protected].
This campaign blends social engineering, mobile malware, and cross-platform tricks. Android users in Pakistan face high risk and should stay alert to dodge GhostChat’s shadow.

