Lookout
Threat Guidances
Malware
iOS
Android
Spyware
December 16, 2020

Goontact: iOS and Android Malware

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed can detect and be alerted to this specific campaign, and Lookout also protects against other sophisticated surveillanceware that could go undetected.

To learn more about the technical specifications of this campaign, including IOCs, read the full article here.

Key Findings

  • Operated by an active crime group and continuously being developed.
  • There are both iOS and Android components of this surveillanceware.
  • Victims are lured in on illicit sites that act as middlemen to set up chats and dates with women.

Background and Discovery Timeline

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in China, Korea and Japan. The malware, named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used and the information they exfiltrate suggest that the ultimate goal is extortion or blackmail.

These sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people across multiple Asian countries. The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with sex workers. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised as the best forms of communication and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators.

Capabilities and Affected Parties

Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain. Additional data that can be exfiltrated includes:

- Device Identifiers  - Phone number - Contacts - SMS Messages - Photos on external storage - Location information

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Discovered By
Lookout
Entry Type
Threat Guidances
Threat Type
Malware
Platform(s) Affected
iOS
Platform(s) Affected
Android
Threat Type
Spyware
Platform(s) Affected
Lookout
Threat Guidances
Malware
iOS
Android
Spyware

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell