VYPR
research · Published Jan 28, 2026 · Updated May 18, 2026 · 1 source

Fake GhostChat Dating App Used in Targeted Android Spyware Campaign Against Pakistani Users

ESET researchers have uncovered an Android spyware campaign that uses a fake dating app called GhostChat to target individuals in Pakistan, luring victims with fake female profiles and hardcoded access codes while exfiltrating sensitive data from their devices.

ESET researchers have uncovered an Android spyware campaign that leverages romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app named GhostChat (detected as Android/Spy.GhostChat.A), which poses as a chat platform with locked female profiles. However, the access codes are hardcoded in the app, serving as a social engineering lure to create the illusion of exclusive access. Once installed, GhostChat silently exfiltrates sensitive data from the victim's device, both upon first execution and continuously while the app remains installed.

The malicious app, never available on Google Play, requires manual installation from unknown sources. Upon execution, it requests several permissions and presents a login screen with hardcoded credentials (username: chat, password: 12345). After login, victims see 14 female profiles, each locked and requiring an unlock code—also hardcoded. Each profile is linked to a specific WhatsApp number with a Pakistani (+92) country code, reinforcing the scam's credibility. The threat actor likely distributes both the app and the access codes together.

While victims engage with the app, GhostChat runs in the background, monitoring device activity and exfiltrating data to a command-and-control (C&C) server. ESET's analysis revealed that the same threat actor operates a broader spy operation, including a ClickFix attack that compromises victims' computers and a WhatsApp device-linking attack that gains access to victims' WhatsApp messages. These related attacks use websites impersonating Pakistani governmental organizations as lures.

The campaign appears focused on Pakistan, but ESET lacks sufficient evidence to attribute it to a specific threat actor. As an App Defense Alliance partner, ESET shared its findings with Google. Android users are automatically protected against known versions of this spyware by Google Play Protect, which is enabled by default on devices with Google Play Services.

This discovery highlights the evolving sophistication of mobile spyware campaigns, blending social engineering with technical deception. The use of hardcoded credentials and unlock codes, combined with fake profiles and local phone numbers, creates a convincing lure that targets individuals in a specific geographic region. The broader spy operation, including ClickFix and WhatsApp attacks, underscores the threat actor's multi-vector approach to surveillance.

Organizations and individuals in Pakistan should remain vigilant against unsolicited app installations and verify the authenticity of any communication claiming to be from government entities. ESET's research provides a detailed breakdown of the attack flow, including the hardcoded credentials and WhatsApp numbers, enabling defenders to detect and block similar threats.

Synthesized by Vypr AI