A new Android spyware campaign, dubbed GhostChat, is targeting users in Pakistan through a sophisticated romance scam. The malware disguises itself as a legitimate chat platform while secretly exfiltrating sensitive personal data from victims’ devices. This attack highlights a growing trend where cybercriminals merge social engineering tactics with advanced spyware capabilities to compromise mobile security.
Researchers discovered the GhostChat spyware after a suspicious Android application was uploaded to VirusTotal from Pakistan in September 2025. The malicious app masquerades as a dating application named “Dating Apps without payment,” utilizing the icon of a legitimate app found on Google Play. However, this rogue version has never been distributed through official app stores, necessitating manual installation by users who must enable permissions for applications from unknown sources. This bypasses detection mechanisms like Google Play Protect during the initial installation phase.
Analysts at WeLiveSecurity detailed how GhostChat employs an unusual deceptive tactic. The application presents 14 fabricated female profiles, each marked as “Locked” and requiring a passcode for access. These codes are embedded within the application itself and distributed alongside it, aiming to create an illusion of exclusive access for potential victims. Upon entering a correct unlock code, users are redirected to WhatsApp to initiate conversations with phone numbers controlled by the threat actors. These numbers are all registered with Pakistani country codes, adding a layer of apparent credibility to the scam.
GhostChat Spyware: Infection Mechanism and Persistence Tactics
While users engage with what they believe are genuine dating profiles, the GhostChat spyware operates covertly in the background, exfiltrating device data to a command-and-control server. The malware immediately begins collecting device identifiers, contact lists, and files stored on the device, including images, PDFs, and Microsoft Office documents. GhostChat establishes continuous surveillance by registering content observers that monitor newly created images and by scheduling periodic scans every five minutes to detect new documents. This ensures ongoing data harvesting throughout the duration of the infection.
Upon installation, GhostChat requests multiple permissions that appear standard for a chat application but are instrumental in enabling its extensive surveillance capabilities. The spyware leverages Android’s BOOT_COMPLETED broadcast intent, allowing it to automatically activate whenever the device restarts. This ensures its persistent operation even after the device has been rebooted, maintaining its presence undetected.
The malware employs foreground persistence techniques to keep its surveillance service running continuously without user awareness. This method actively prevents Android’s battery optimization features from terminating the spyware process, thereby maintaining uninterrupted access to the device’s resources and capabilities. Communication with its command-and-control infrastructure is conducted using HTTPS requests, which helps to obscure the malicious traffic as it closely resembles legitimate encrypted communications, making detection more challenging.
GhostChat’s underlying architecture supports both immediate data exfiltration upon the first execution of the app and sustained monitoring throughout the infection lifecycle. This creates a comprehensive surveillance framework that operates independently of any user interaction with the deceptive fake dating interface, posing a significant threat to user privacy and data security on Android devices.
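As an added example (not from the original article or the researchers' report), the following static triage check looks for the manifest-level traits described above in a decoded AndroidManifest.xml: boot-time start, a foreground service, access to contacts and media, and network access. The permission names are assumed from the described behaviour because the article does not list the app's exact permissions, and the sample manifest is constructed. Many legitimate apps share these traits, so a hit means "review manually", not "malicious".

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Assumption: permissions that map to the data types the article mentions
# (contacts, images, documents); not a list taken from the real sample.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed sample manifest for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return which of the described traits a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Boot persistence needs both the permission and a receiver for the intent.
    boot_receiver = any(
        a.get(ANDROID + "name") == BOOT_ACTION
        for r in root.iter("receiver") for a in r.iter("action")
    )
    findings = {
        "boot_persistence": boot_receiver
            and "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "foreground_service": "android.permission.FOREGROUND_SERVICE" in perms,
        "data_access": sorted(perms & DATA_PERMS),
        "network": "android.permission.INTERNET" in perms,
    }
    # Flag for manual review only when all traits appear together.
    findings["review"] = all(findings.values())
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard library parser used here.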
The continued evolution of such sophisticated mobile malware underscores the importance of user vigilance and security best practices. Keeping Android devices updated, exercising caution with app installations from unofficial sources, and being wary of unsolicited romantic advances online are crucial steps in mitigating the risks associated with campaigns like GhostChat. Further investigations are expected to reveal the full extent of this campaign and the specific actors behind it.

