IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Android and iOS users blackmailed by 'Goontact' spyware

The malware targets users of illicit sites and steals personal information stored on their mobile devices

Security researchers have discovered a new variant of spyware that's targeting iOS and Android users as part of an international sextortion scam.

According to a blog post by researchers at cyber security firm Lookout, the spyware, called Goontact, has been found in multiple Asian countries and targets users of illicit sites and steals personal information stored on their mobile devices.

Researchers said the types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.

The spyware often disguises itself as secure messaging applications and can exfiltrate a wide range of data, such as device identifiers and phone number, contacts, SMS messages, photos on external storage, and location information.

While it is not presently known who is behind Goontact, it is the newest addition to a crime affiliate’s arsenal, rather than nation-state actors, said researchers.

This fraud begins when potential targets are lured into initiating a conversation on websites offering escort services. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation.

“In reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question appears to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain,” said researchers.

Based on investigations carried out by researchers, the campaign has been active since at least 2013. However, the Goontact malware family is novel and is still actively being developed.

“The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame,” researchers said.

While the Goontact surveillance apps described in this campaign are not available on Google Play or the Apple App Store, the duration, tactics, and breadth exhibited highlight the lengths to which malicious actors will go to deceive victims and bypass built-in protections.

“It’s no secret that mobile devices are a treasure trove for cyber criminals,” said Phil Hochmuth, programme vice president of Enterprise Mobility at IDC.

“As the use of mobile devices continues to increase, so does the maturity of iOS and Android cybercrime. Now more than ever, consumers must be proactive in avoiding compromise with iOS and Android threat actors whose main objective is to fleece them financially.” 

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Qualcomm and Mediatek flaws left millions of Android users at risk
Security

Qualcomm and Mediatek flaws left millions of Android users at risk

22 Apr 2022
Best smartphone 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best smartphone 2022: The top handsets from Apple, Samsung, Google and more

8 Apr 2022
Google will cull out-of-date Play store apps in bid to improve Android security
Google Android

Google will cull out-of-date Play store apps in bid to improve Android security

7 Apr 2022
Businesses on alert as mobile malware surges 500%
mobile security

Businesses on alert as mobile malware surges 500%

10 Mar 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022