Lookout, Inc. announced the discovery of Goontact, a new spyware targeting iOS and Android users in multiple Asian countries. Uncovered by the Lookout Threat Intelligence team, Goontact targets users of illicit sites and steals personal information stored on their mobile devices. Evidence shows these sextortion scams are affecting Chinese-, Japanese- and Korean-speaking people. Goontact may also be operating in Thailand and Vietnam. Lookout discovered evidence the campaign may have been active since 2018 and is still active today. 

The goal of adversaries is likely extortion or blackmail, based on the information gathered and the quality of the sites that distribute these malicious apps. The bounty of information Goontact can exfiltrate includes device identifiers and phone numbers, contact information, SMS messages, photos on external storage and even location information. The culprits spearheading Goontact are still unknown but based on the Lookout research, it is highly probable that Goontact is the newest addition to a crime affiliate’s arsenal, rather than nation-state actors.

The private data individuals keep on mobile devices both makes it easier for cybercriminals to socially engineer successful attacks and, in the case of Goontact, run successful extortion campaigns. Acting on human impulse, this scam begins when potential targets are lured into initiating a conversation on websites offering escort services. In reality the targets communicate with Goontact operators who later convince them to install mobile applications meant to enhance the user experience. The mobile applications in question have no real user functionality, except to steal the victim’s personal data, that is then used by the attacker ultimately to extort money from the target. 

“It’s no secret that mobile devices are a treasure trove for cybercriminals,” said Phil Hochmuth, Program Vice President of Enterprise Mobility at IDC. “As the use of mobile devices continues to increase, so does the maturity of iOS and Android cybercrime. Now more than ever, consumers must be proactive in avoiding compromise with iOS and Android threat actors whose main objective is to fleece them financially.”  

While the Goontact surveillance apps described in this campaign are not available on Google Play or the iOS App Store, the duration, tactics and breadth exhibited highlight the lengths to which malicious actors will go in order to deceive victims and bypass built-in protections. 

To stay up to date on Lookout’s latest discoveries, please visit their Threat Advisory Services.