ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation
Analysis Summary
# Threat Actor: Unidentified Actor (Associated with GhostChat operation)
## Attribution & Identity
Attribution to a specific threat actor is currently unknown due to insufficient evidence. The operation is linked to a broader spy campaign evidenced by related PC and WhatsApp compromise activities.
## Activity Summary
The primary recent activity involves an Android spyware campaign using a malicious application named **GhostChat**. This campaign leverages **romance scam tactics** targeting users in Pakistan by posing as an exclusive dating chat platform. This app harvests data immediately upon execution and continuously while installed. The same threat actor is also linked to a broader spy operation including a "ClickFix" PC compromise attack and a WhatsApp device-linking attack focusing on gaining access to user accounts.
## Tactics, Techniques & Procedures
- **Social Engineering/Lure:** Utilizing romance scam tactics involving fake female profiles that are presented as "locked" to create an impression of exclusivity.
- **Malicious Application:** Use of the Android spyware **GhostChat** (detected as Android/Spy.GhostChat.A), distributed outside of official channels (not on Google Play).
- **Deceptive Authentication:** Employing hardcoded, non-server-validated credentials for app login and "unlock codes" for profiles, distributed alongside the app itself.
- **Data Exfiltration (Initial):** Stealing device ID and the victim's contact list (.txt file) upon first execution.
- **Persistent Surveillance:** Setting up a content observer to monitor and upload newly created images immediately.
- **Scheduled Data Harvesting:** Scheduling a periodic task (every five minutes) to scan for and upload new documents (Word, Excel, PPT, PDF, images, Open XML files).
- **Related TTPs (Broader Operation):** Using websites impersonating Pakistani governmental organizations as lures for a "ClickFix" attack leading to PC compromise, and exploiting the WhatsApp device-linking feature.
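The TTP list above maps to concrete artifacts an analyst can look for when triaging an unknown APK: permissions for contacts and media, a content observer registered on the image store, a periodic scheduler, document extensions, embedded +92 phone numbers and an "unlock code" string. The script below is an added triage heuristic written for this page, not ESET's detection logic and not derived from the GhostChat sample; the indicator labels, regexes, scoring threshold and the sample string dumps are all assumptions and constructed inputs. It expects a list of strings as produced by a tool such as `strings` or a smali/dex string dump and reports which indicator categories were hit.

```python
import re
from collections import OrderedDict

# Heuristic indicators derived from the TTPs described above.
# Labels and patterns are this example's own assumptions, not published signatures.
INDICATORS = OrderedDict([
    ("pk_phone_number", re.compile(r"\+92\d{9,10}")),
    ("contacts_permission", re.compile(r"android\.permission\.READ_CONTACTS")),
    ("media_permission", re.compile(
        r"android\.permission\.(READ_EXTERNAL_STORAGE|READ_MEDIA_IMAGES)")),
    # ContentObserver on the image store: images uploaded as soon as they appear.
    ("image_content_observer", re.compile(r"registerContentObserver|MediaStore\$Images")),
    # Any periodic scheduler; the page describes a five-minute document scan.
    ("periodic_task", re.compile(r"PeriodicWorkRequest|setRepeating|scheduleAtFixedRate")),
    ("document_extensions", re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b")),
    ("hardcoded_unlock_code", re.compile(r"unlock[_ ]?code", re.IGNORECASE)),
])

# Number of distinct indicator categories that must fire before we flag the app.
SUSPICIOUS_THRESHOLD = 4


def scan_strings(strings):
    """Return {indicator_label: [matching strings]} for every indicator that fired."""
    hits = OrderedDict()
    for label, pattern in INDICATORS.items():
        matched = [s for s in strings if pattern.search(s)]
        if matched:
            # De-duplicate while preserving order so the report is readable.
            hits[label] = list(dict.fromkeys(matched))
    return hits


def analyze(strings):
    """Score an APK string dump by how many TTP categories it exhibits."""
    hits = scan_strings(strings)
    score = len(hits)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"score": score, "verdict": verdict, "hits": hits}


# Constructed sample dump resembling what a spyware chat app might expose.
# Values are invented for this example; the URL is a placeholder, not a real C&C.
SAMPLE_STRINGS = [
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "Landroid/provider/MediaStore$Images$Media;",
    "registerContentObserver",
    "Landroidx/work/PeriodicWorkRequest$Builder;",
    "https://chat.example.invalid/upload",   # placeholder, constructed
    "+923001234567",                         # constructed +92 number
    ".docx",
    "report.pdf",
    "unlock_code",
    "Enter your unlock code",
    "onCreate",
    "Hello",
]

# Constructed benign dump for comparison.
BENIGN_STRINGS = [
    "android.permission.INTERNET",
    "onCreate",
    "Settings",
]


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_STRINGS), ("benign", BENIGN_STRINGS)):
        result = analyze(dump)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        for label, matches in result["hits"].items():
            print(f"  {label}: {matches}")
```

Run it against a real string dump by replacing `SAMPLE_STRINGS` with the tool output. The score counts categories rather than raw matches so that a single noisy pattern (for example, many `.pdf` strings in a legitimate document viewer) cannot flag an app on its own; the combination of contacts access, an image observer, a periodic scheduler and an embedded local number is what reflects the behaviour described above.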
## Targeting
- **Sectors:** Not explicitly stated, but implied targeting of individuals susceptible to online romance scams.
- **Geography:** Pakistan (confirmed by the Pakistani (+92) phone numbers embedded in the app).
- **Victims:** General Android users in Pakistan targeted via social engineering.
## Tools & Infrastructure
- **Malware Families Used:** GhostChat (Android/Spy.GhostChat.A).
- **Infrastructure (C2, domains, IPs):** Communications route to a C&C server for file exfiltration, though specific addresses were not detailed in the summary provided. WhatsApp numbers with Pakistani (+92) country codes are embedded and linked to the scam profiles.
## Implications
This campaign demonstrates a mature, multi-faceted surveillance operation originating in Pakistan, capable of running simultaneous mobile (Android spyware), PC (ClickFix), and communication application (WhatsApp) compromise activities. The use of localized social engineering (romance scams, local phone numbers) suggests insider knowledge of, or a deliberate focus on, the Pakistani user base. The persistent surveillance capabilities of GhostChat pose a significant risk of long-term data theft.
## Mitigations
- Exercise extreme caution regarding apps downloaded from outside official app stores (sideloading).
- Be wary of unsolicited contact or requests promising exclusive access or relationships (romance scams).
- Ensure Google Play Protect is enabled; although this actor's malware has not appeared on Google Play, Play Protect also scans apps installed from other sources.
- Review and restrict permissions granted to newly installed, unknown applications.