A sophisticated Android spyware campaign is targeting individuals through a deceptive mobile application dubbed “GhostChat.” The malware, detected as Android/Spy.GhostChat.A, disguises itself as a legitimate dating and chat platform to facilitate cyberespionage. The operators combine romance-scam tactics with social engineering to infect devices, exfiltrate sensitive data, and monitor user activity.

[Figure: GhostChat attack flow (Source: welivesecurity)]

Deceptive Tactics and Hardcoded Credentials

The GhostChat application is distributed outside the Google Play Store, so users must manually install the APK and allow installation from unknown sources. The app mimics the icon of a legitimate application known as “Dating Apps without payment” to lower user suspicion. Once installed, the application employs a unique social engineering lure.
It presents the user with a login screen that does not communicate with any remote server. Instead, the credentials (username “chat” and password “12345”) are hardcoded directly into the application’s binary. This suggests the threat actors distribute these credentials alongside the app, probably to give it a sense of exclusivity. Inside the app, victims are presented with a list of fake female profiles marked as “Locked.” To interact with these profiles, users must enter specific unlock codes. Like the login credentials, these codes are hardcoded and never validated remotely. When a profile is unlocked, the app redirects the user to WhatsApp to initiate a conversation with a specific number (+92 country code), likely controlled by the threat actors.
Surveillance Capabilities and Data Exfiltration

While the user navigates the fake dating interface, GhostChat executes its primary malicious function in the background. The spyware silently exfiltrates device information and user data to a command and control (C2) server.

[Figure: File exfiltration to C&C server (in the green outline) (Source: welivesecurity)]

The malware harvests the device ID and the victim’s contact list, uploading them as a text file. It also scans the device storage for specific file formats, including images, PDF documents, Word documents, Excel spreadsheets, and PowerPoint presentations. After the initial theft, GhostChat persists on the device and continues to monitor it.
It establishes a content observer to detect newly created images and schedules a periodic task to scan for new documents every five minutes, ensuring continuous monitoring of the infected device. The welivesecurity investigation revealed that the operators behind GhostChat are running a multi-platform espionage campaign. This broader operation includes a “ClickFix” attack targeting Windows systems and a device-linking attack aimed at compromising WhatsApp accounts. In the Windows vector, attackers utilize a fake website impersonating Pakistan’s Computer Emergency Response Team (PKCERT). The site displays a fabricated security warning urging users to update their systems. If users comply, they are tricked into executing a PowerShell script that downloads a malicious DLL payload (file.dll).
This payload connects to the C2 server at hitpak[.]org and awaits base64-encoded PowerShell commands, allowing for remote code execution (RCE). Simultaneously, the actors use a fake Pakistan Ministry of Defence website to conduct a “GhostPairing” attack. This technique lures victims into scanning a QR code under the guise of joining a community channel. In reality, scanning the code links the victim’s WhatsApp account to the attacker’s device via WhatsApp Web, granting the threat actor full access to the victim’s chat history and contacts.
Indicators of Compromise (IoCs)

| Indicator Type | Value | Description |
| --- | --- | --- |
| File Hash (SHA-1) | B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A | Live Chat.apk (Android/Spy.GhostChat.A) |
| File Hash (SHA-1) | 8B103D0AA37E5297143E21949471FD4F6B2ECBAA | file.dll (Win64/Agent.HEM) |
| C2 Domain | hitpak[.]org | Distribution and C2 server |
| C2 Domain | buildthenations[.]info | Hosting for fake PKCERT and MoD sites |
| C2 URL | https://hitpak[.]org/notepad2.dll | Payload download location |
| C2 URL | https://foxy580.github[.]io/koko/file.dll | Payload download location |
| Package Name | com.datingbatch.chatapp | GhostChat Android package |
| Attacked App | WhatsApp | Target for device-linking attacks |
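As an added defender-side example (not code from the report or from ESET), the following Python script normalises the defanged indicators from the table above and scans constructed DNS, proxy, MDM and antivirus log lines for them; the log lines, timestamps and client addresses are made up for illustration, and subdomains of a listed C2 domain are treated as hits as well.

```python
import re
from urllib.parse import urlparse

# Indicators copied from this page's IoC table, in the defanged form it publishes them.
IOC_HASHES = {
    "B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A": "Live Chat.apk (Android/Spy.GhostChat.A)",
    "8B103D0AA37E5297143E21949471FD4F6B2ECBAA": "file.dll (Win64/Agent.HEM)",
}
IOC_DOMAINS = ["hitpak[.]org", "buildthenations[.]info"]
IOC_URLS = ["https://hitpak[.]org/notepad2.dll", "https://foxy580.github[.]io/koko/file.dll"]
IOC_PACKAGES = ["com.datingbatch.chatapp"]

# Constructed sample telemetry (not from the report): DNS, proxy, MDM and AV lines.
SAMPLE_LOGS = """\
2024-05-01T10:12:03Z dns query=hitpak.org type=A client=10.0.0.14
2024-05-01T10:12:09Z proxy GET https://foxy580.github.io/koko/file.dll client=10.0.0.14
2024-05-01T10:13:00Z dns query=updates.example.net type=A client=10.0.0.22
2024-05-01T10:14:41Z mdm install package=com.datingbatch.chatapp device=android-7f3a
2024-05-01T10:15:00Z av sha1=B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A path=/sdcard/Download/Live Chat.apk
"""

def refang(value: str) -> str:
    """Turn a published (defanged) indicator into the form seen in live telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

# Normalised lookup sets built once; URL indicators contribute their hostnames.
HASHES = {h.lower() for h in IOC_HASHES}
HOSTS = {refang(d) for d in IOC_DOMAINS} | {urlparse(refang(u)).hostname for u in IOC_URLS}
PACKAGES = {p.lower() for p in IOC_PACKAGES}
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")  # also matches dotted package names
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")

def host_matches(host: str) -> bool:
    """True for an exact IoC host or any subdomain of one (www.hitpak.org counts)."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in HOSTS)

def scan_logs(text: str) -> list:
    """Return (line_number, indicator_type, value) for every IoC hit in the log text."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = refang(raw)  # lines pasted from a report may themselves be defanged
        hits += [(lineno, "sha1", d) for d in SHA1_RE.findall(line) if d in HASHES]
        for token in HOST_RE.findall(line):
            if token in PACKAGES:
                hits.append((lineno, "package", token))
            elif host_matches(token):
                hits.append((lineno, "host", token))
    return hits
```

Running `scan_logs(SAMPLE_LOGS)` flags the C2 domain, the payload host, the GhostChat package name and the APK hash, while the benign DNS line produces no hit.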