December 16, 2020

Goontact: iOS and Android Malware

Discovered By
Lookout
Entry Type
Security Guidance
Threat Type
Malware
Platform(s) Affected
iOS
Platform(s) Affected
Android
Threat Type
Surveillanceware
Platform(s) Affected
Lookout
Security Guidance
Malware
iOS
Android
Surveillanceware

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed can detect and be alerted to this specific campaign, and Lookout also protects against other sophisticated surveillanceware that could go undetected.

To learn more about the technical specifications of this campaign, including IOCs, read the full article here.

Key Findings

  • Operated by an active crime group and continuously being developed.
  • There are both iOS and Android components of this surveillanceware.
  • Victims are lured in on illicit sites that act as middlemen to set up chats and dates with women.

Background and Discovery Timeline

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in China, Korea and Japan. The malware, named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used and the information they exfiltrate suggest that the ultimate goal is extortion or blackmail.

These sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people across multiple Asian countries. The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with sex workers. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised as the best forms of communication and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators.

Capabilities and Affected Parties

Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain. Additional data that can be exfiltrated includes:

- Device Identifiers  - Phone number - Contacts - SMS Messages - Photos on external storage - Location information

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed can detect and be alerted to this specific campaign, and Lookout also protects against other sophisticated surveillanceware that could go undetected.

To learn more about the technical specifications of this campaign, including IOCs, read the full article here.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats

New

September 22, 2023

iOS 16.6.1 and iOS 17.0

Apple recently released two software updates for iOS and iPad OS for vulnerabilities that can form an exploit chain and are also known to install Predator spyware.

September 15, 2023

Scattered Spider

September 19, 2023

CVE-2023-4863