GhostChat
GhostChat is an Android spyware family identified by ESET and tracked as Android/Spy.GhostChat.A. It is used in a romance-scam campaign targeting individuals in Pakistan. The malware is distributed outside official app stores as a sideloaded APK, including a fake dating/chat application masquerading as “Dating Apps without payment” and using the icon of a legitimate Google Play app. Victims must enable installation from unknown sources, and the lure uses hardcoded credentials and 14 fake female profiles marked as locked; after entering hardcoded unlock codes, victims are redirected to WhatsApp numbers with Pakistani +92 country codes that are believed to be operated by the threat actor.
Its primary purpose is covert data exfiltration and ongoing surveillance. On first execution, GhostChat exfiltrates device identifiers, the victim’s contact list, and files stored on the device. It targets images, PDFs, and Microsoft Office/Open XML documents, and continues collection after installation by monitoring newly created images via a content observer and scanning for new documents every five minutes. Reporting also states that GhostChat has been observed targeting messaging app users via malicious APKs impersonating chat tools such as WhatsApp, operating in the context of trusted messaging applications to intercept messages, harvest credentials, and exfiltrate contact lists and media.
For persistence, GhostChat uses the Android BOOT_COMPLETED broadcast to restart after reboot and foreground-service techniques to keep its surveillance component running and reduce the chance of termination by battery optimization. It communicates with command-and-control infrastructure over HTTPS. ESET reported the campaign was discovered from a sample uploaded to VirusTotal from Pakistan in September 2025 and stated there was insufficient evidence to attribute the activity to a specific threat actor. Related infrastructure included hitpak[.]org, identified as distribution/C2 infrastructure and hosted behind Cloudflare at 188.114.96[.]10.
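As an added, defender-side example (this is not ESET's detection logic, nor code from the campaign or from the tool that hosts this page), the script below performs static triage of a decoded AndroidManifest.xml and flags the capability pattern described above: a receiver wired to BOOT_COMPLETED for persistence, a foreground service, contacts and storage permissions, and INTERNET access alongside them. Both manifests in the block are constructed samples, not GhostChat's own; the permission grouping and the "three or more findings" threshold are this example's assumptions.

```python
"""Static manifest triage for the spyware capability pattern described above.
Heuristic example only: the permission groups and threshold are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Real Android permission names; the grouping by behaviour is this example's own.
PERSISTENCE_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED"}
FOREGROUND_PERMS = {"android.permission.FOREGROUND_SERVICE"}
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed sample: a chat-app lookalike that declares boot persistence,
# a foreground service and broad data access. Not a real GhostChat manifest.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.datingchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Dating Apps without payment">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Constructed control: a simple app with no persistence or data-collection permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Extract declared permissions, BOOT_COMPLETED receivers and foreground services."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(_attr(receiver, "name"))
    fg_services = [
        _attr(s, "name") for s in root.iter("service") if _attr(s, "foregroundServiceType")
    ]
    return {
        "permissions": perms,
        "boot_receivers": boot_receivers,
        "foreground_services": fg_services,
    }


def triage(xml_text):
    """Return a list of human-readable findings, one per matched capability group."""
    info = parse_manifest(xml_text)
    perms = info["permissions"]
    findings = []
    if info["boot_receivers"] and perms & PERSISTENCE_PERMS:
        findings.append("persistence: BOOT_COMPLETED receiver " + ", ".join(info["boot_receivers"]))
    if info["foreground_services"] or perms & FOREGROUND_PERMS:
        findings.append("resilience: foreground service declared")
    collected = sorted(perms & COLLECTION_PERMS)
    if collected:
        findings.append("collection: " + ", ".join(p.rsplit(".", 1)[1] for p in collected))
    if "android.permission.INTERNET" in perms and collected:
        findings.append("exfiltration: INTERNET alongside data-access permissions")
    return findings


def is_suspicious(xml_text, threshold=3):
    """Flag a manifest when at least `threshold` capability groups are present (assumed cutoff)."""
    return len(triage(xml_text)) >= threshold


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, is_suspicious(manifest), triage(manifest))
```

Feed it the text AndroidManifest.xml produced by decoding an APK (for example with apktool); it will not parse the binary XML inside an undecoded APK. Treat a hit as a triage signal rather than a verdict: legitimate apps such as alarm clocks or backup tools also combine boot receivers, foreground services and storage access, so the finding should route a sample to manual review or dynamic analysis, not straight to blocking.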
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Android spyware delivered as a malicious dating chat app in romance-scam activity targeting individuals in Pakistan; used to exfiltrate victim data (distribution method not confirmed in the content).
Android malware distributed as trojanized chat-app APKs. After installation it injects code into the target app process to intercept messages, steal credentials, and exfiltrate contacts and media, blending into normal messaging-app activity to evade detection.
Android spyware distributed via romance-scam social engineering using a malicious app disguised as a chat service (routing conversations through WhatsApp) with the primary goal of stealing data from infected devices.