Goontact info-stealing spyware targets iOS and Android devices

Goontact malware, which targets personal information, turns to Asian users in Korea, Japan, and Chinese-speaking countries

Goontact spyware spreads on iOS and Android. Infected applications are distributed on various free sites, so the malicious code can exfiltrate victims' address lists and other personal information.

Malware-laced mobile applications were discovered targeting Android and iOS devices.[1] The discovery shows that new malware named Goontact is spying on users.[2] This particular infection has surveillance capabilities and can currently be found on various Android and iOS versions.

Mobile security firm Lookout discovered the malware, which is distributed via third-party sites that promote free instant messaging programs. These applications are mainly used to access escort services. The target audience of such sites is in Chinese-speaking countries, Korea, and Japan.

These Goontact-laced mobile applications are not found on the official Apple App Store or Google Play stores. However, it is possible that some users download the malicious programs from elsewhere and sideload the infected apps.

We have notified both Google and Apple of this threat and are actively collaborating with them to protect all Android and iOS users from Goontact.

The spyware collects data from the infected device such as phone identifiers, contact lists, SMS messages, photos, and location information. These details get sent back to C&C servers that the malware operators control.[3]
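The data categories listed above are each gated by an Android runtime permission, so a declared-permission review of a sideloaded APK's manifest is a quick defensive triage step. The script below is an added example, not code from the article or from Lookout; the permission-to-category mapping, the "three or more categories plus INTERNET" threshold, and both manifests are constructed for illustration. Permissions alone are never proof of spyware (a real messaging app legitimately reads contacts), so the result is a prompt for closer analysis, not a verdict.

```python
"""Permission-based triage of an Android manifest (added example).

Flags an app whose declared permissions cover several of the data categories
the article names (phone identifiers, contacts, SMS, photos, location) and
that also holds INTERNET, the permission needed to exfiltrate them to a C&C
server. Heuristic only: the mapping and threshold are this example's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the article's data categories to Android permissions.
CATEGORY_PERMISSIONS = {
    "phone identifiers": {"android.permission.READ_PHONE_STATE"},
    "contact list": {"android.permission.READ_CONTACTS"},
    "SMS messages": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
EXFIL_PERMISSION = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml: str, min_categories: int = 3) -> dict:
    """Report which sensitive categories the app can reach and whether the
    combination with network access crosses the (assumed) review threshold."""
    perms = declared_permissions(manifest_xml)
    covered = sorted(cat for cat, needed in CATEGORY_PERMISSIONS.items()
                     if perms & needed)
    can_exfil = EXFIL_PERMISSION in perms
    return {"categories": covered,
            "network": can_exfil,
            "suspicious": can_exfil and len(covered) >= min_categories}


# Constructed sample manifests; neither is a real Goontact artifact.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Constructed Chat"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Constructed Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("chat", SUSPICIOUS_MANIFEST),
                      ("flashlight", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

On a real device the same check can be run against `aapt dump permissions app.apk` output instead of the raw manifest; the point is that an app advertised as a chat client which can read SMS, contacts, location, photos, and phone identifiers while holding network access matches the capability profile the article describes and deserves a closer look.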

Spyware possibly used by extortionists for blackmailing

According to the official discovery report, Lookout states that Goontact operations resemble sextortion campaigns reported by Trend Micro in 2015.[4] The Security Intelligence team stated that there is no particular evidence, but engineers[5] believe that the information collected with the help of these infected applications can be used to extort victims into paying the ransom.

Details such as logos associated with domains that were part of sextortion campaigns indicate a relation to direct blackmail campaigns. Personal information collected from such sexual encounter arrangement services can get exposed to contacts, friends, and family. People may fall for these extortion and blackmail messages and transfer the requested payments to avoid being exposed to the public or their relatives. Financial gain is often the main goal of malicious actors.

New malware without distinct infrastructure links

One crucial fact about the Goontact spyware is that the iOS components of the infection haven't been reported or analyzed before. The campaign was possibly active since 2013, but the malware family is new and still in development. Researchers also note that the campaign is operated by a criminal affiliate, not a state-sponsored actor.

There are no particular infrastructure links that could tie it to other malicious actors. Goontact is probably a new strain of mobile malware and the newest product of the group or person behind it. According to analysis and Lookout observations, this malware might evolve.

Goontact malware family is novel and is still actively being developed. The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame.

The distribution sites that spread Goontact mimic App Store pages. The sites and the applications themselves have been updated multiple times per month, so these information-stealing functionalities might be only the start of the malicious activities.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
