Goontact: iOS and Android Malware

Key Findings

• Operated by an active crime group and continuously being developed.

• There are both iOS and Android components of this surveillanceware.

• Victims are lured in on illicit sites that act as middlemen to set up chats and dates with women.

‍

Background and Discovery Timeline

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in China, Korea and Japan. The malware, named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used and the information they exfiltrate suggest that the ultimate goal is extortion or blackmail.

These sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people across multiple Asian countries. The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with sex workers. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised as the best forms of communication and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators.

‍

Capabilities and Affected Parties

Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain. Additional data that can be exfiltrated includes:

- Device Identifiers  - Phone number - Contacts - SMS Messages - Photos on external storage - Location information