The campaign demonstrates how social engineering can blend mobile espionage with multi-platform attacks, raising the threat level for both consumers and enterprises in the region. It underscores the need for stricter app vetting and for user awareness of unconventional lures.
Romance-scam malware has evolved beyond simple phishing, and GhostChat exemplifies this shift. Disguised as a chat platform that promises access to locked female profiles, the app plays on emotional incentives that are especially potent in regions where online dating is still emerging. The hard-coded unlock codes reinforce a sense of exclusivity and give victims a reason to install the app from an unknown source, a step that sidesteps app-store review entirely and shows how mobile threat actors tailor lures to specific demographics.
Technically, GhostChat requests extensive permissions at install time and begins background surveillance as soon as it runs. It harvests device identifiers, contact lists and a wide range of file types, and uploads them to a command-and-control (C&C) server over HTTPS. It also registers a content observer so that newly created images are captured as they appear, and schedules periodic scans for documents, so the data leakage is continuous rather than a one-off dump. The C&C credentials and the WhatsApp numbers used in the lure are hard-coded into the APK rather than fetched from a server, so the operator cannot change them without shipping a new build; that points to a tightly controlled operation in which the same actor distributes both the app and the unlock codes. For defenders the same design choice is a gift: hard-coded numbers, credentials and endpoints are recoverable by plain string extraction and make reliable static indicators for the sample.
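The "stricter app vetting" the article calls for starts with static triage of exactly the artefacts described above: the permission set an APK declares and the strings baked into it. The script below is an added example written for this page, not code from the article or from the GhostChat analysis. Its manifest and string table are constructed to resemble the behaviour described (contacts, device identifiers, media, boot persistence, HTTPS upload, hard-coded numbers and credentials); the package name, host, phone numbers and unlock code are invented, the permission weights are an analyst's assumption rather than any published scale, and the regular expressions are deliberately loose so they catch formatting variants.

```python
"""Static triage of an Android app's manifest and string table.

Added example for this page, not code from the GhostChat sample or its analysts.
The manifest and string table are constructed; none of the values are real IOCs.
"""
import json
import re
import xml.etree.ElementTree as ET

# ElementTree expands the android: prefix to the full namespace URI.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, in combination, enable background data harvesting.
# Weights are the author's assumption for this example, not a standard scale.
SURVEILLANCE_WEIGHTS = {
    "android.permission.READ_CONTACTS": 3,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 2,
    "android.permission.READ_MEDIA_IMAGES": 2,
    "android.permission.MANAGE_EXTERNAL_STORAGE": 3,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.FOREGROUND_SERVICE": 1,
    "android.permission.INTERNET": 1,
}

# Constructed manifest for a hypothetical "chat" app; package name is invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ghostchat.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="GhostChat">
        <service android:name=".SyncService" android:exported="false"/>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed string table (what `strings` or apktool would surface); values invented.
SAMPLE_STRINGS = [
    "unlock_code=GC-7781",
    "api_user=uploader",
    "api_pass=Sup3rS3cret",
    "https://cdn.example-invalid.test/upload",
    "Contact support on WhatsApp: +12025550142",
    "Alt number: +44 20 7946 0958",
    "content://media/external/images/media",
]

PHONE_RE = re.compile(r"\+\d[\d ]{7,14}\d")          # E.164-ish numbers, spaces allowed
URL_RE = re.compile(r"https?://[^\s\"']+")
CRED_RE = re.compile(r"(?i)\b\w*(?:user|pass|password|code|token|key)\s*=\s*\S+")


def parse_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return sorted(p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))


def boot_persistence(manifest_xml):
    """True if any component listens for BOOT_COMPLETED (auto-start after reboot)."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))


def surveillance_score(permissions):
    return sum(SURVEILLANCE_WEIGHTS.get(p, 0) for p in permissions)


def extract_indicators(strings):
    """Pull phone numbers, URLs and key=value secrets out of a string dump."""
    out = {"phones": [], "urls": [], "credentials": []}
    for s in strings:
        out["phones"] += [m.group().replace(" ", "") for m in PHONE_RE.finditer(s)]
        out["urls"] += URL_RE.findall(s)
        out["credentials"] += CRED_RE.findall(s)
    return out


def triage(manifest_xml, strings, threshold=8):
    """Combine permission score and embedded secrets into a review verdict."""
    perms = parse_permissions(manifest_xml)
    score = surveillance_score(perms)
    ind = extract_indicators(strings)
    verdict = "review" if score >= threshold or ind["credentials"] else "low"
    return {"score": score, "boot": boot_persistence(manifest_xml),
            "verdict": verdict, **ind}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

On a real APK you would feed `parse_permissions` the manifest decoded by apktool and `extract_indicators` the output of `strings` over the DEX and resource files. The point of the verdict is not that a high permission score proves malice (a legitimate messaging app needs several of these) but that a "chat" app combining contacts, media and boot persistence with hard-coded credentials and contact numbers is exactly the profile to pull for manual review before it is allowed on managed devices.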
The GhostChat campaign does not operate in isolation. It is linked to a ClickFix attack that tricks users into executing malicious DLLs on Windows machines, and to a WhatsApp pairing scheme that gets the victim to link an attacker-controlled device to their account, giving the attacker full access to their messages. This multi-vector approach amplifies the espionage impact by compromising both mobile and desktop environments. Google Play Protect now blocks known variants, but the campaign relies on sideloaded apps and impersonated government sites, so that protection only helps where it is enabled and the variant is already known. Organizations should therefore reinforce endpoint security, teach users to recognise unconventional lures (including "paste this command to fix the problem" instructions and unexpected device-pairing prompts, and to review their linked devices), and monitor network traffic for anomalous exfiltration patterns.
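The closing recommendation, monitoring network traffic for anomalous exfiltration, is vague unless you say what "anomalous" means for a continuous uploader like the one described above. Because the transport is HTTPS, a proxy or NetFlow sensor sees no payloads, only metadata: who talked to which host, how often, and how many bytes went in each direction. The script below is an added example for this page, not tooling from the article or from any vendor. It works over constructed proxy log lines in an assumed format (timestamp, client, method, host, bytes out, bytes in) in which a hypothetical phone on a guest network posts to an invented host roughly every ten minutes; the thresholds are illustrative starting points, not tuned values.

```python
"""Spotting periodic, upload-heavy HTTPS traffic in proxy logs.

Added example for this page, not tooling from the article or any vendor.
Log lines are constructed; the client addresses and hosts are invented.
Assumed line format: ts client method host bytes_out bytes_in
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-05-01T08:00:02 10.20.0.15 POST sync.example-invalid.test 184320 310
2024-05-01T08:00:40 10.20.0.15 GET www.example.com 520 48211
2024-05-01T08:10:05 10.20.0.15 POST sync.example-invalid.test 221184 298
2024-05-01T08:14:12 10.20.0.15 GET cdn.example.com 410 150000
2024-05-01T08:20:01 10.20.0.15 POST sync.example-invalid.test 196608 305
2024-05-01T08:30:04 10.20.0.15 POST sync.example-invalid.test 204800 301
2024-05-01T08:40:03 10.20.0.15 POST sync.example-invalid.test 212992 299
2024-05-01T08:41:00 10.20.0.15 POST www.example.com 2048 9000
2024-05-01T08:55:00 10.20.0.15 POST www.example.com 1024 7000
2024-05-01T08:02:00 10.20.0.22 GET news.example.org 600 80000
2024-05-01T08:03:30 10.20.0.22 POST mail.example.org 120000 2000
2024-05-01T08:50:00 10.20.0.22 POST mail.example.org 90000 2100
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, b_out, b_in = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "method": method, "host": host,
                     "out": int(b_out), "in": int(b_in)})
    return rows


def upload_profiles(rows):
    """Per (client, host) upload statistics: volume, direction ratio, cadence."""
    groups = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":          # uploads only
            groups[(r["client"], r["host"])].append(r)
    profiles = []
    for (client, host), reqs in groups.items():
        reqs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in reqs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-request gaps: near 0 means a
        # fixed schedule (a timer), large means human-driven activity.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        out = sum(r["out"] for r in reqs)
        inn = sum(r["in"] for r in reqs)
        profiles.append({"client": client, "host": host, "uploads": len(reqs),
                         "bytes_out": out, "bytes_in": inn,
                         "upload_ratio": out / (inn + 1),
                         "interval_cv": cv,
                         "mean_interval_s": mean(gaps) if gaps else None})
    return profiles


def flag_exfiltration(profiles, min_uploads=4, min_ratio=10.0, max_cv=0.2):
    """Flag pairs that upload far more than they download on a regular timer.

    Thresholds are illustrative assumptions; tune them against your baseline.
    """
    return [p for p in profiles
            if p["uploads"] >= min_uploads
            and p["upload_ratio"] >= min_ratio
            and p["interval_cv"] is not None and p["interval_cv"] <= max_cv]


def detect(text):
    return flag_exfiltration(upload_profiles(parse_log(text)))


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['uploads']} uploads, "
              f"{hit['bytes_out']} bytes out, every ~{hit['mean_interval_s']:.0f}s "
              f"(cv={hit['interval_cv']:.3f})")
```

Run against the sample, only the phone's timer-driven posts to the invented host are flagged; the same client's occasional form posts and the second client's two webmail uploads are not, because neither shows a regular cadence over enough requests. Two caveats for production use: legitimate backup and sync clients also upload on timers, so the host's reputation and whether the device should be talking to it at all must be part of the decision; and an uploader that waits for new images rather than a clock (the content-observer behaviour described earlier) will break the cadence test, so volume ratio on its own still deserves a look.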