Android and iOS users blackmailed by 'Goontact' spyware
The malware targets users of illicit sites and steals personal information stored on their mobile devices


Security researchers have discovered a new variant of spyware that's targeting iOS and Android users as part of an international sextortion scam.
According to a blog post by researchers at cyber security firm Lookout, the spyware, called Goontact, has been found in multiple Asian countries. It targets users of illicit sites and steals personal information stored on their mobile devices.
Researchers said the types of sites used to distribute these malicious apps and the information exfiltrated suggest that the ultimate goal is extortion or blackmail.
The spyware often disguises itself as secure messaging applications and can exfiltrate a wide range of data, such as device identifiers and phone number, contacts, SMS messages, photos on external storage, and location information.
While it is not presently known who is behind Goontact, researchers said it is the newest addition to the arsenal of a crime affiliate, rather than of nation-state actors.
This fraud begins when potential targets are lured into initiating a conversation on websites offering escort services. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation.
“In reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question appear to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain,” said researchers.
Based on investigations carried out by researchers, the campaign has been active since at least 2013. However, the Goontact malware family is novel and is still actively being developed.
“The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame,” researchers said.
While the Goontact surveillance apps described in this campaign are not available on Google Play or the Apple App Store, the duration, tactics, and breadth exhibited highlight the lengths to which malicious actors will go to deceive victims and bypass built-in protections.
“It’s no secret that mobile devices are a treasure trove for cyber criminals,” said Phil Hochmuth, programme vice president of Enterprise Mobility at IDC.
“As the use of mobile devices continues to increase, so does the maturity of iOS and Android cybercrime. Now more than ever, consumers must be proactive in avoiding compromise with iOS and Android threat actors whose main objective is to fleece them financially.”
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.