After entering the correct unlock code, the victim is taken to WhatsApp to start conversations with the threat actors' numbers, all of which have Pakistani country codes to increase the scam's legitimacy.
Attack flow for GhostChat (Source: Welivesecurity)
The spyware quietly works in the background, exfiltrating device data to a command-and-control server while victims interact with what they think are authentic dating profiles.
Device identifiers, contact lists, and files—such as pictures, PDFs, and Microsoft Office documents—that are stored on the device are all instantly gathered by the malware. In order to ensure continuous data harvesting throughout the infection period, GhostChat sets up content observers to monitor newly created images and schedules periodic scans every five minutes to detect new documents.
Because the app has never been made available through official app stores, victims must manually install the malicious version by granting permission to install apps from unknown sources. This distribution strategy lets the threat actors evade Google Play Protect's detection during the initial installation stage. According to Welivesecurity analysts, GhostChat uses a unique layer of deception that distinguishes it from common mobile threats.
The app displays fourteen fictitious female profiles, all of which are "Locked" and require passcodes to access. These codes are hardcoded within the application and distributed alongside the app to create an illusion of exclusive access for potential victims.
The application communicates with its command-and-control infrastructure using HTTPS requests, making detection more difficult as the traffic appears similar to legitimate encrypted communications. GhostChat's architecture allows for both continuous monitoring during the infection lifecycle and instantaneous data exfiltration upon initial execution, resulting in a comprehensive surveillance framework that functions independently of user interaction with the phony dating interface.
Infection Mechanism and Persistence Tactics
GhostChat demonstrates sophisticated infection and persistence mechanisms designed to maintain long-term access to compromised devices.
WhatsApp numbers, names, ages, and codes linked to each profile (Source: Welivesecurity)
Upon installation, the program asks for a number of permissions that seem normal for a chat program but actually allow for a great deal of surveillance. The spyware ensures continuous operation even after reboots by taking advantage of Android's BOOT_COMPLETED broadcast intent, which enables it to automatically activate whenever the device restarts.
An overview of the associated activities that the investigation found (Source: Welivesecurity)
The malware employs foreground persistence techniques to keep its surveillance service continuously running without user awareness. This technique prevents Android's battery optimization features from stopping the spyware, so it can keep consuming the device's resources.
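As an added, defender-side illustration (not code from the article or from ESET), the Python below triages a decoded AndroidManifest.xml for the combination the article describes: a receiver registered for BOOT_COMPLETED, a foreground service, and contact/storage permissions that look ordinary for a chat app. The manifest is a constructed sample, and the "all three together" threshold is an assumed triage heuristic, not a detection signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed decoded manifest (not the GhostChat sample) combining the traits
# the article describes: boot persistence, a foreground service, data access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Permissions that look ordinary for a chat app but enable the harvesting of
# contacts and stored files described in the article.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

def triage_manifest(xml_text):
    """Return the persistence and data-access indicators found in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # A receiver registered for BOOT_COMPLETED relaunches the app after reboot.
    boot_receiver = any(
        a.get(NAME) == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver") for a in r.iter("action")
    )
    # A foreground service keeps running despite battery optimisation.
    fg_service = "android.permission.FOREGROUND_SERVICE" in perms or any(
        s.get(f"{{{ANDROID_NS}}}foregroundServiceType") for s in root.iter("service")
    )
    data_perms = sorted(perms & DATA_ACCESS)
    return {
        "boot_persistence": boot_receiver,
        "foreground_service": fg_service,
        "data_access_perms": data_perms,
        "suspicious": boot_receiver and fg_service and bool(data_perms),
    }
```

Running `triage_manifest(SAMPLE_MANIFEST)` flags the sample; the same function returns `suspicious: False` for a manifest lacking any one of the three traits, which is the point of requiring the combination rather than any single permission.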