Cunning spyware campaign in Pakistan exploits fake dating app as bait

Jan 30, 2026 | Threat Intelligence Research

Android Spyware Campaign: Deceptive Romance Tactics Target Pakistan Users

TL;DR: ESET researchers have identified a spyware campaign in Pakistan that uses a faux chat app named GhostChat, masquerading as a dating platform to harvest sensitive data from victims. The attack also features additional tactics, including ClickFix malware distribution and WhatsApp account hijacking.

A recent investigation by ESET reveals an espionage campaign targeting users in Pakistan, employing a malicious Android application called GhostChat. This app masquerades as a chat platform for dating, creating an illusion of exclusivity through locked profiles which require passcodes to access. These codes are hardcoded into the app, indicating a socially engineered trap for victims seeking romantic interactions. Once the app is installed, it not only exfiltrates sensitive device data but also continuously monitors activity, thus functioning as a sophisticated surveillance tool.

The threat actor behind GhostChat is linked to broader malicious activities, specifically a ClickFix attack that tricks users into inadvertently executing malicious code on their computers. This attack employs deceptive websites impersonating Pakistani governmental organizations to lure victims into running a payload. Furthermore, the same threat actor has executed a WhatsApp linking attack, known as GhostPairing, enabling them to access victims’ chat histories by tricking users into connecting their devices to a threat actor’s account.

Why this matters: This spyware campaign exemplifies advanced social engineering tactics and a diversified approach to data exfiltration, endangering personal security for countless users in Pakistan. The implications of such a surveillance operation underline the necessity for robust countermeasures from security professionals.

Utilizing threat intelligence, SIEMs, and robust monitoring practices can mitigate risks associated with similar attacks. Ensuring that users are educated on suspicious applications and phishing tactics becomes paramount for defenders.

Indicators of Compromise (IOCs):

  • Malware:
    • SHA-1: B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A – GhostChat spyware (Android/Spy.GhostChat.A)
    • SHA-1: 8B103D0AA37E5297143E21949471FD4F6B2ECBAA – ClickFix payload (Win64/Agent.HEM)
  • Network:
    • IP: 188.114.96[.]10 – hitpak[.]org, used as a distribution and C&C server.
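
One way to put the indicators above to work in log triage, as an added example that is not part of the ESET research or of this article: the code refangs the published values and matches them against DNS, proxy and EDR log lines without hitting look-alike domains or longer IP addresses. The log format, the field names and the confidence ranking are assumptions of the example, and the sample lines are constructed.

```python
import re

# Indicators copied from the IOC list above, kept defanged as published.
IOCS = [
    ("sha1", "B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A", "GhostChat spyware"),
    ("sha1", "8B103D0AA37E5297143E21949471FD4F6B2ECBAA", "ClickFix payload"),
    ("domain", "hitpak[.]org", "distribution and C&C server"),
    ("ip", "188.114.96[.]10", "distribution and C&C server"),
]
# Assumption of this example: an IP address may front unrelated sites,
# so an IP-only hit is triaged as low confidence.
CONFIDENCE = {"sha1": "high", "domain": "high", "ip": "low"}

def refang(text):
    """Undo common defanging so indicators compare against raw log values."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def compile_ioc(kind, value):
    v = re.escape(refang(value))
    if kind == "domain":
        # The domain or any subdomain, but not look-alikes such as
        # nothitpak.org or hitpak.org.example.
        return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + v + r"(?![\w-]|\.\w)", re.I)
    # Hashes and IPs must not be part of a longer token (e.g. .100 vs .10).
    return re.compile(r"(?<![\w.])" + v + r"(?!\w|\.\d)", re.I)

PATTERNS = [(k, refang(v), d, compile_ioc(k, v)) for k, v, d in IOCS]

def scan(lines):
    """Return one finding per (line, indicator) hit, high confidence first."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value, desc, rx in PATTERNS:
            if rx.search(refang(line)):
                hits.append({"line": n, "kind": kind, "ioc": value,
                             "desc": desc, "confidence": CONFIDENCE[kind]})
    return sorted(hits, key=lambda h: (h["confidence"] != "high", h["line"]))

SAMPLE_LOG = [  # constructed log lines, not taken from the report
    "2026-01-30T10:02:11Z dns client=10.0.0.23 query=www.hitpak.org type=A",
    "2026-01-30T10:02:12Z proxy client=10.0.0.23 dst=188.114.96.10:443",
    "2026-01-30T10:05:40Z edr host=WS-114 sha1=8b103d0aa37e5297143e21949471fd4f6b2ecbaa",
    "2026-01-30T10:06:02Z dns client=10.0.0.40 query=nothitpak.org.example type=A",
    "2026-01-30T10:07:19Z proxy client=10.0.0.41 dst=188.114.96.100:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits on the same client within a short window, such as the DNS and proxy lines for 10.0.0.23 in the sample, are worth correlating before an IP-only match is acted on.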
