Current campaign shows how effective social manipulation is
Online dating is a popular hunting ground for cybercriminals. Security researchers at ESET have now uncovered a digital romance scam in Pakistan that is completely new in this form. Hackers use a manipulated Android app as bait to spy on unsuspecting users. The malware disguises itself as a dating app and intercepts sensitive data from infected mobile devices.
‘Beneath its romantic façade, the app’s real purpose is to spy on its victims’ data. The sophisticated data theft begins immediately after installation and continues as long as the app is active on the device,’ explains ESET researcher Lukas Stefanko, who investigated the campaign.
Romance scam: Gateway to surveillance
At the heart of the campaign is an Android spyware called ‘GhostChat’. The app was never available in the Google Play Store, but had to be installed manually from third-party sources. Visually, it pretends to be a harmless chat platform, but in fact it is used exclusively for covert surveillance. As soon as it is launched, GhostChat begins collecting data in the background and transmits device identifiers, contact lists and files such as images and documents to a command and control server.
Exclusivity as a psychological lever
The attackers’ targeted psychological approach is striking. Within the app, victims are shown supposedly blocked female profiles that can only be unlocked after entering special access codes. However, these codes are hard-coded into the program and serve solely to create an impression of exclusivity. After activation, the app redirects users to WhatsApp. This is where communication with the stored Pakistani phone numbers begins. The numbers, however, belong not to a prospective partner but to the attackers themselves.
‘This malware deceives in a way we have never seen before,’ says ESET researcher Lukas Stefanko, who investigated the campaign. ‘The combination of feigned scarcity and locally acting contacts specifically increases the credibility of the scam and lowers the inhibition threshold of those affected.’
Part of a larger espionage operation
The investigations also show that GhostChat is only one component of a more comprehensive surveillance campaign. The same infrastructure was also used for attacks on Windows computers: here, the cybercriminals tricked their victims into executing malicious code themselves via fake websites purporting to be from Pakistani authorities. Cybersecurity experts call this combination of social engineering and execution by the victims ‘ClickFix’.
At the same time, the researchers identified another attack method in which hackers compromise WhatsApp accounts via the device linking function. Users were tricked into linking their accounts to the attackers’ devices using a QR code. This gave the perpetrators access to private chats and contact lists without having to take over the account itself.
Targeted, coordinated and difficult to trace
According to the researchers, the combination of mobile spyware, desktop attacks and the exploitation of popular communication services points to a coordinated, cross-platform espionage campaign. Although the operation cannot yet be clearly attributed to any known actor, the clear focus on Pakistani users and the imitation of state institutions suggest a high degree of preparation and precision. Android users with Google Play Protect enabled are protected.
‘This case illustrates how effective social manipulation can be when combined with technically simple malware,’ concludes Stefanko. ‘The better hackers can assess their victims and understand local conditions, the more successful they are.’
Further information on the current case can be found in ESET’s blog post ‘Love hacks – How a fake app lures unsuspecting users into a trap’ (https://www.welivesecurity.com/de/eset-research/love-hacks-wie-eine-fake-app-ahnungslose-nutzer-in-die-falle-lockt).

