Pakistanis are the target of a cunning Android spyware operation

GhostChat, detected as Android/Spy.GhostChat.A, is a malicious app that poses as a free dating chat service.
It uses phony female profiles that appear to be protected by special passcodes to entice victims. These codes are actually hardcoded into the app, a cunning social engineering ploy to increase urgency and trust. After installation, GhostChat takes control of the device and continuously steals contacts and files, including newly created images and documents. Users must keep Google Play Protect enabled, which blocks known versions.
On September 11, 2025, the app appeared on VirusTotal, uploaded from Pakistan. It carries espionage tooling but uses an icon resembling that of a genuine Google Play app. Victims who sideload it from unknown sources grant it extensive permissions, such as access to contacts and storage.
A phony login screen requires hardcoded credentials (username: chat, password: 12345). After "login," fourteen locked profiles appear, each associated with a Pakistani WhatsApp number (+92 prefix). Victims enter a second hardcoded code to "unlock" a chat, which redirects directly to WhatsApp and is probably run by attackers using local SIM cards.
Throughout, GhostChat spies surreptitiously. It obtains the device ID, uploads images, PDFs, Word documents, Excel sheets, PowerPoint files, and Open XML formats to a command-and-control (C&C) server, and exports contacts as a .txt file. Every five minutes it scans for documents, and it registers content observers for new images. As a partner in the App Defense Alliance, ESET shared its findings with Google.
GhostChat Mechanisms and Deception Layers

The GhostChat flow follows the pattern of a romance scam.
Although the distribution method is unknown, the exclusivity conferred by the codes probably helps ensnare victims once they have the APK.

Attack flow for GhostChat (Source: welivesecurity)

Logins, unlock codes, and WhatsApp links are all bundled inside the app with no server-side validation. The illusion of "VIP access" conceals its actual objective: persistent surveillance.
The technical breakdown shows brutal efficiency. Once permissions are granted, background tasks immediately exfiltrate data. Periodic jobs search for files, and content observers catch new media. The decompiled code shows that C&C communication uses HTTP POST requests.
The app stays hidden even before login. ESET emphasizes that manual installs increase the risk. Android users should keep Play Protect enabled and install only from the Play Store.

Associated Attacks Reveal a Wider Spy Network

According to welivesecurity, ESET connected GhostChat to a multi-phase campaign by the same actor.
The C&C server hosted batch scripts that downloaded a DLL from hitpak[.]org/notepad2.dll. These employed the "ClickFix" trick, which uses fictitious instructions to trick users into running malware.
When GhostChat runs, it asks for a number of permissions (Source: welivesecurity)

GhostPairing is an additional strategy. The same domain impersonated Pakistan's Ministry of Defense and enticed victims to scan QR codes that linked their WhatsApp to attacker-controlled devices. As in previous operations such as the China-linked BadBazaar campaign on Signal, this gives the attackers full chat access.
An unlock code is needed to chat (Source: welivesecurity)

Although there is currently no definitive attribution, the Pakistani focus and authority impersonation point to possible local espionage connections. Live IoCs and samples are available on ESET's GitHub.

Indicator type / Value
Package name: com.datingbatch.chatapp
C&C domain: hitpak[.]org
Fake websites: buildthenations[.]info, foxy580.github[.]io
DLL payload: file.dll, notepad2.dll
Hardcoded login: chat / 12345
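To turn the indicators above into something a defender can run, here is an added example (not ESET's code or tooling, and not from the article): it refangs the published indicators, matches them against constructed sample DNS, package-manager and proxy lines, and flags the roughly five-minute repetition the article describes for the uploads. The log formats, timestamps and host addresses are constructed assumptions.

```python
"""Added example: refang the article's indicators, match them against sample
logs, and flag the five-minute C&C cadence the article describes."""
import re
from datetime import datetime

# Indicators as published in the article (kept defanged).
IOC_DOMAINS = ["hitpak[.]org", "buildthenations[.]info", "foxy580.github[.]io"]
IOC_PACKAGES = ["com.datingbatch.chatapp"]
IOC_FILES = ["file.dll", "notepad2.dll"]


def refang(indicator: str) -> str:
    """'hitpak[. ]org' or 'hitpak[.]org' -> 'hitpak.org'; hxxp -> http."""
    return re.sub(r"\[\s*\.\s*\]", ".", indicator).replace("hxxp", "http")


def scan_lines(source, lines, indicators):
    """Return (source, line_no, indicator) for every refanged IoC found."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits += [(source, n, refang(i)) for i in indicators if refang(i).lower() in low]
    return hits


def regular_cadence(timestamps, period_s=300, tolerance_s=30):
    """True if successive events repeat at roughly period_s seconds (needs 3+)."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return len(gaps) >= 2 and all(abs(g - period_s) <= tolerance_s for g in gaps)


# Constructed sample data (not real captures); formats are assumptions.
DNS_LOG = ["2025-09-12T10:01:03 10.0.0.7 A hitpak.org",
           "2025-09-12T10:01:05 10.0.0.7 A play.googleapis.com"]
PM_LIST = ["package:com.android.chrome", "package:com.datingbatch.chatapp"]
PROXY_LOG = ["2025-09-12T10:00:00 10.0.0.9 GET http://hitpak.org/notepad2.dll 200",
             "2025-09-12T10:05:02 10.0.0.9 POST http://hitpak.org/ 200",
             "2025-09-12T10:10:01 10.0.0.9 POST http://hitpak.org/ 200"]


def run_checks():
    """Return (IoC hits, whether C&C contacts repeat on a ~5-minute cadence)."""
    hits = (scan_lines("dns", DNS_LOG, IOC_DOMAINS)
            + scan_lines("pm", PM_LIST, IOC_PACKAGES)
            + scan_lines("proxy", PROXY_LOG, IOC_DOMAINS + IOC_FILES))
    cc_times = [line.split()[0] for line in PROXY_LOG if "hitpak.org" in line]
    return hits, regular_cadence(cc_times)


if __name__ == "__main__":
    for hit in run_checks()[0]:
        print(hit)
```

Substring matching on the refanged domain is deliberately loose; in a real pipeline, match on the parsed hostname or package field to avoid partial hits.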