Android Spyware Masquerading as Dating App Used in Pakistan Surveillance Campaign

ESET researchers have uncovered an Android spyware campaign that leverages romance scam tactics to target individuals in Pakistan. The operation revolves around a malicious Android application masquerading as a chat and dating platform. On the surface, the app appears to let users initiate conversations with specific “girls.” In reality, these profiles are fake and are most likely operated by the threat actor through WhatsApp accounts.

Behind this fabricated romance scenario, the true purpose of the application—named GhostChat by ESET—is the covert exfiltration of sensitive data from victims’ devices. Data theft begins immediately upon first execution and continues for as long as the app remains installed.

A notable aspect of this campaign is a deceptive mechanism not previously observed in similar mobile spyware operations. The female profiles presented in GhostChat appear locked and require special passcodes to access. However, these codes are hardcoded directly in the app and are never validated remotely. This mechanism serves purely as a social engineering tactic designed to create an illusion of exclusivity and personalized access for potential victims. While the exact distribution method of the app is unknown, it is likely that these access codes are shared alongside the app as part of the lure.

Further investigation indicates that GhostChat is only one component of a larger espionage operation. The same threat actor appears to be responsible for additional attacks, including a ClickFix-based campaign targeting desktop systems and a WhatsApp device-linking attack that enables access to victims’ WhatsApp accounts. These related operations relied on websites impersonating Pakistani government organizations, significantly broadening the surveillance scope.

GhostChat, detected by ESET as Android/Spy.GhostChat.A, has never been distributed via Google Play. As an App Defense Alliance partner, ESET shared its findings with Google. Android users are automatically protected against known variants of this spyware through Google Play Protect, which is enabled by default on devices with Google Play Services.


Key Findings

  • ESET researchers identified an Android spyware campaign using romance scam tactics to target users in Pakistan.
  • The malicious app, GhostChat, poses as a dating chat platform with locked female profiles, creating a false sense of exclusive access.
  • All login credentials and profile unlock codes are hardcoded, confirming that this mechanism is purely social engineering.
  • Once installed, GhostChat enables covert surveillance and continuous exfiltration of sensitive data.
  • The same threat actor is linked to additional operations, including a ClickFix desktop attack and a WhatsApp account hijacking campaign via device linking.

Campaign Overview

On September 11th, 2025, a suspicious Android application was uploaded to VirusTotal from Pakistan. Analysis revealed that the app used the icon of a legitimate dating application but lacked any of its actual functionality. Instead, it functioned solely as a lure and a tool for mobile espionage.

The malicious app, GhostChat, was never available on Google Play and required manual installation. Victims had to explicitly enable the installation of apps from unknown sources. Once installed, the operators gained the ability to monitor the device and exfiltrate sensitive data.

Although the campaign appears to be geographically focused on Pakistan, there is currently insufficient evidence to attribute it to a known threat actor or group.


Attack Flow and Initial Infection

The attack begins with the distribution of GhostChat, an Android application using the package name com.datingbatch.chatapp. The app is disguised as a legitimate chat platform named Dating Apps without payment. While this legitimate app exists on Google Play, it is unrelated to GhostChat aside from the misuse of its icon. The source and exact distribution mechanism of GhostChat remain unknown.

Upon execution, GhostChat requests several Android permissions. Once permissions are granted, the app presents a login screen that requires users to enter credentials to proceed.

Unlike legitimate authentication systems, the credentials are hardcoded directly into the app’s source code and are never processed by any backend server. The hardcoded credentials are:

  • Username: chat
  • Password: 12345

This strongly suggests that both the app and the credentials are distributed together by the threat actor.


Fake Profiles and WhatsApp Redirection

After logging in, victims are shown 14 female profiles, each displaying a name, age, and photograph. All profiles are marked as Locked. When a user taps on a profile, they are prompted to enter an unlock code.

These unlock codes are also hardcoded in the application and are not validated remotely, indicating they are likely preshared with victims. Each profile is associated with a specific WhatsApp phone number using Pakistan’s +92 country code. These phone numbers are embedded directly in the app and cannot be changed remotely.

This setup suggests that the operator either controls multiple Pakistani SIM cards or relies on a third-party SIM provider. The use of local numbers enhances credibility by reinforcing the illusion that the profiles belong to real individuals based in Pakistan.

Once the correct unlock code is entered, GhostChat redirects the victim to WhatsApp to initiate a conversation with the associated number, which is presumably operated by the threat actor.


Data Exfiltration and Surveillance Capabilities

While victims interact with the app—often even before logging in—GhostChat operates silently in the background. It monitors device activity and exfiltrates sensitive data to a command-and-control (C&C) server.

The initial data exfiltration includes:

  • Device ID
  • Contact list saved as a .txt file and uploaded from the app’s cache
  • Stored files, including images, PDFs, Microsoft Word, Excel, PowerPoint documents, and Open XML file formats

Beyond this initial data theft, GhostChat performs continuous surveillance. It registers a content observer to monitor newly created images and uploads them as soon as they appear. Additionally, it schedules a periodic task that scans for new documents every five minutes, ensuring persistent data harvesting.


Related Infrastructure and Additional Malware

During the investigation, ESET identified related activity tied to the same C&C infrastructure. Analysis revealed three additional malicious files communicating with the same server: two batch scripts and one DLL file.

The batch scripts were designed to download and execute a DLL payload from: https://hitpak.org/notepad2.dll

At the time of analysis, the DLL was no longer available, but the scripts clearly demonstrate the intent to deliver and execute malicious code on Windows systems. The script includes commands to download the DLL using PowerShell, wait briefly, and execute it using rundll32.exe.


ClickFix Desktop Attack

A separate ClickFix-based attack was also identified. The payload for this attack was a DLL hosted at: https://foxy580.github.io/koko/file.dll

ClickFix is a social engineering technique that relies on tricking users into manually executing malicious code by following deceptive instructions. In this campaign, victims were directed to a fake website impersonating Pakistan’s Computer Emergency Response Team (PKCERT) at: https://buildthenations.info/PKCERT/pkcert.html

The website displayed a fabricated security warning claiming that national infrastructure and government networks were at risk. Users were urged to click an “Update” button, which triggered ClickFix instructions leading to the download and execution of the malicious DLL. This campaign was publicly identified by a self-described security researcher, 0XYC, on X.


DLL Payload Behavior

Once loaded, the DLL establishes communication with its C&C server by sending the compromised machine’s computer name and username to: https://hitpak[.]org/page.php?tynor=<ComputerName>sss<Username>

If the DLL cannot retrieve this information, it substitutes default placeholders—UnUsr for unknown user and UPC for unknown PC—to ensure communication continues.

After the initial handshake, the DLL enters an infinite loop, polling the C&C server every five minutes for instructions. The server responds with base64-encoded PowerShell commands, which are executed silently using: powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden

This allows the operator to execute arbitrary PowerShell commands without triggering visible alerts. At the time of analysis, the server did not return active payloads, suggesting a dormant stage or selective targeting.
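The two observables this section describes, the `page.php?tynor=<ComputerName>sss<Username>` beacon and the silent PowerShell flag set, can be turned into simple log checks. The following is an added defender-side example, not ESET's code or the malware's; the proxy log format ("timestamp src_ip method url") and the sample lines are constructed here, and only the host, path, parameter layout, placeholders and flags come from the report.

```python
from urllib.parse import urlsplit, parse_qs

BEACON_HOST = "hitpak.org"          # from the report (shown defanged there)
BEACON_PATH = "/page.php"
PLACEHOLDERS = ("UPC", "UnUsr")     # report: defaults for unknown PC / user
PS_FLAGS = ("-noprofile", "-executionpolicy bypass", "-windowstyle hidden")

# Constructed sample proxy log, "timestamp src_ip method url" (not from the report).
SAMPLE_PROXY_LOG = [
    "2025-09-12T10:00:01Z 10.0.0.5 GET https://hitpak.org/page.php?tynor=DESKTOP-01sssalice",
    "2025-09-12T10:00:04Z 10.0.0.5 GET https://www.example.com/index.html",
    "2025-09-12T10:05:02Z 10.0.0.9 GET https://hitpak.org/page.php?tynor=UPCsssUnUsr",
]

def parse_beacon(url):
    """Return (computer_name, username) if url is a C&C beacon, else None."""
    parts = urlsplit(url)
    if parts.hostname != BEACON_HOST or parts.path != BEACON_PATH:
        return None
    values = parse_qs(parts.query).get("tynor")
    if not values or "sss" not in values[0]:
        return None
    # Report: the value is <ComputerName>sss<Username>. Splitting on the first
    # "sss" is an assumption; a computer name containing "sss" would mis-split.
    computer, username = values[0].split("sss", 1)
    return computer, username

def scan_proxy_log(lines):
    """Return one dict per beacon seen, flagging placeholder identities."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        parsed = parse_beacon(fields[3])
        if parsed is None:
            continue
        computer, username = parsed
        hits.append({
            "time": fields[0], "src": fields[1],
            "computer": computer, "username": username,
            # Placeholder names mean the DLL could not read the host's identity;
            # it is still a beacon and still worth alerting on.
            "placeholder": computer == PLACEHOLDERS[0] or username == PLACEHOLDERS[1],
        })
    return hits

def is_hidden_powershell(cmdline):
    """True if a process command line carries all three flags from the report."""
    norm = " ".join(cmdline.lower().split())
    return "powershell" in norm and all(flag in norm for flag in PS_FLAGS)
```

Run `scan_proxy_log` over real proxy exports and `is_hidden_powershell` over process-creation events; a match on either is a high-confidence indicator for this DLL, and the placeholder flag tells you the DLL failed to enumerate the host rather than that the beacon is benign.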


WhatsApp Device-Linking Attack

In addition to desktop targeting, the domain buildthenations.info was used in a mobile-focused WhatsApp attack. Victims were lured into joining what appeared to be an official Pakistan Ministry of Defence WhatsApp community by scanning a QR code.

This technique, referred to as GhostPairing, exploits WhatsApp’s legitimate device-linking feature. By scanning the QR code, victims unknowingly linked their WhatsApp account to the attacker’s device, granting access to chat history and contacts.

After linking, victims would see a new device listed in their WhatsApp settings. Within hours, WhatsApp typically sent notifications alerting users that another device had been linked to their account.


Conclusion

This investigation reveals a coordinated and multifaceted espionage campaign targeting users in Pakistan. At its core is GhostChat, a malicious Android application disguised as a chat platform and enhanced with an unusual romance scam tactic involving credentials and unlock codes.

Once installed, GhostChat silently exfiltrates sensitive data and continuously monitors the device. The campaign’s links to ClickFix-based desktop attacks and WhatsApp account hijacking indicate a broader surveillance strategy spanning both mobile and desktop environments. The attackers rely heavily on impersonation of national authorities, deceptive websites, and QR-code-based device linking to compromise victims.


Indicators of Compromise (IoCs)

A complete list of IoCs and malware samples is available in ESET’s GitHub repository.

Files

SHA-1 | Filename | Detection | Description
B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A | Live Chat.apk | Android/Spy.GhostChat.A | Android GhostChat spyware
8B103D0AA37E5297143E21949471FD4F6B2ECBAA | file.dll | Win64/Agent.HEM | Windows payload executing PowerShell commands

Network

IP | Domain | Hosting Provider | First Seen | Details
188.114.96[.]10 | hitpak[.]org | Cloudflare, Inc. | 2024-12-16 | Distribution and C&C server