GhostChat Mobile Malware

GhostChat is a malicious Android application that presents itself as a chat or dating platform while secretly operating as spyware. Its primary purpose is to harvest sensitive information from infected devices. Analysis indicates that users in Pakistan are the main targets. Immediate removal is strongly advised if the application is discovered on a device, as continued presence significantly increases the risk of data theft and broader compromise.

Deceptive Onboarding and Fake Authentication

After installation, GhostChat aggressively requests multiple device permissions. Once granted, users are presented with a login interface that appears to require valid credentials. This process is entirely fraudulent, as the supposed authentication details are hardcoded into the application rather than verified through a legitimate backend service. The login step exists solely to create an illusion of authenticity.

Manipulative User Interaction and WhatsApp Redirection

Following the fake login, the app displays numerous female profiles containing images, names, and ages. None of these profiles are actually accessible. Attempts to interact with them prompt users to enter an 'unlock code.' Each profile is tied to a specific WhatsApp number, and entering the expected code causes the app to automatically open WhatsApp and initiate a conversation with that number, supporting romance-scam and social-engineering activities.

Silent Surveillance and Continuous Data Exfiltration

GhostChat conducts malicious operations in the background from the moment it is launched, even before the login stage. It monitors device activity and transmits collected information to a remote command-and-control (C2) server. The malware periodically scans the device for new content, uploading photos automatically and checking for newly created or stored documents every five minutes. The scope of collected data includes:

Device identifiers, contact lists, images, and documents such as PDFs, Word, Excel, and PowerPoint files

Shared Infrastructure and Desktop Infection Chain

The GhostChat C2 infrastructure is also used to distribute additional malicious components. Among them is a DLL file associated with ClickFix, a technique designed to deceive users into executing malware themselves by following fabricated instructions. This method extends the threat beyond mobile devices and enables the infection of desktop systems.

Abuse of Trusted Identities Through Fake Alerts

ClickFix campaigns linked to GhostChat rely on misleading websites and counterfeit security warnings. In observed cases, attackers impersonate Pakistan's Computer Emergency Response Team, displaying alarming messages about alleged threats to national infrastructure and government networks. Victims are urged to click an 'Update' button, which initiates the download and execution of the malicious DLL. Once active, the DLL reports system details such as the computer name and username to a command server, repeatedly checks for further instructions, and executes received commands using PowerShell.

WhatsApp Account Takeover via QR Code Scams

Threat actors also conduct mobile-centric scams aimed at WhatsApp users. Victims are lured to a fraudulent website claiming affiliation with Pakistan's Ministry of Defence and are encouraged to join a fake community. Scanning a provided QR code links the victim's WhatsApp account to WhatsApp Web or Desktop under attacker control. This grants full access to chats and contacts, effectively allowing account takeover without the user's immediate awareness.

Distribution Strategy and Risk Mitigation

GhostChat is distributed exclusively outside official app marketplaces. It is promoted as a dating or messaging application and relies on romance-scam tactics to persuade users to manually install the APK and enable installation from unknown sources. Once installed, the malware immediately requests permissions and initiates covert spying activities. These coordinated campaigns combine social engineering, spyware, and account hijacking to compromise both mobile and desktop environments. Vigilance against unsolicited links, alarming pop-ups, unofficial apps, and unexpected QR codes remains critical for protecting personal data and user accounts.
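As an added defender-side example that is not part of this threat entry: a Python triage script that flags third-party apps installed from outside a trusted store and granted the permissions the spyware described above needs (contacts, images, stored documents). The `adb` output formats, the package name chat.ghost.dating and all sample output are assumptions constructed for the example.

```python
import re
# Constructed sample of `adb shell pm list packages -3 -i` output (format assumed:
# one "package:<name>  installer=<installer>" line per third-party app).
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:chat.ghost.dating  installer=null
"""
# Constructed sample of the `runtime permissions:` block from
# `adb shell dumpsys package <pkg>` (format assumed), keyed by package name.
SAMPLE_PERMISSIONS = {
    "chat.ghost.dating": """\
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true
        android.permission.READ_MEDIA_IMAGES: granted=true
        android.permission.READ_EXTERNAL_STORAGE: granted=true
        android.permission.CAMERA: granted=false
""",
    "com.example.bank": "      runtime permissions:\n        android.permission.CAMERA: granted=true\n",
}
# Permissions covering what the spyware harvests: contacts, images, stored documents.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per device policy

def sideloaded_packages(pm_output):
    """Packages with no installer or an installer outside the trusted set."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return [pkg for pkg, inst in pairs if inst == "null" or inst not in TRUSTED_INSTALLERS]

def granted_sensitive(dumpsys_output):
    """Sensitive runtime permissions that are actually granted."""
    granted = re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_output)
    return {p for p in granted if p in SENSITIVE}

def triage(pm_output, perms_by_pkg):
    """Sideloaded packages that hold any sensitive permission, with the sorted list."""
    report = {}
    for pkg in sideloaded_packages(pm_output):
        hits = granted_sensitive(perms_by_pkg.get(pkg, ""))
        if hits:
            report[pkg] = sorted(hits)
    return report

if __name__ == "__main__":
    for pkg, perms in triage(SAMPLE_PACKAGES, SAMPLE_PERMISSIONS).items():
        print(f"REVIEW {pkg}: sideloaded and granted {', '.join(perms)}")
```

On a real device, feed it the live output of the two `adb` commands; a flagged app should be reviewed and, if unrecognised, removed.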
