Sextortionist Campaign Targets iOS, Android Users with New Spyware

Goontact lures users of illicit sites through Telegram and other secure messaging apps and steals their information for future fraudulent use.

New spyware is targeting iOS and Android frequenters of adult mobile sites by posing as a secure messaging application in yet another twist on sextortionist scams.

The spyware, dubbed Goontact, targets users of escort-service sites and other sex-oriented services – particularly in Chinese-speaking countries, Korea and Japan, according to research published by Lookout Threat Intelligence on Wednesday.

The ploy and malware can ultimately be used to exfiltrate data from targets. Data siphoned from devices includes the phone number, contact list, SMS messages, photos and location information. The nature of the data sweep and the context of the attacks “suggests that the ultimate goal is extortion or blackmail,” researchers Robert Nickle, Apurva Kumar and Justin Albrecht observed in a report published online Wednesday.


Sextortionist scams, in which threat actors claim they have video or other information that links a potential victim to illicit activity that could threaten a marriage, job or other significant relationship or interest, are nothing new. However, attackers typically use email to deliver this type of scam, using a range of tactics to get past email defenses and trick victims.

The new campaign uses a different and evolving tack. It lures a potential target by inviting them through an ad on a hosted illicit site to connect with women for free by using KakaoTalk or Telegram secure messaging apps. If someone takes the bait and initiates a conversation, it is Goontact operators with whom the person makes contact, researchers said.

“Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems,” they wrote. “The mobile applications in question appear to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain.”

The specifics of the attack differ depending on whether a victim is using an iOS or Android device. The iOS attacks have less capability to steal data, lifting only the victim’s phone number and contact list, researchers said. Some later iterations of the spyware connect to a secondary command-and-control (C2) server and display a message tailored to the user before exiting the app.

The Android-based attack has significantly more threat capability, researchers said. “In addition to contact stealing, these samples contain more advanced functionality such as exfiltration of SMS messages, photos and location,” researchers wrote.
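The four data categories the report attributes to the Android samples (contacts, SMS, photos, location) map onto a recognisable set of Android runtime permissions. The following added example, which is not Lookout's code and not derived from a Goontact sample, shows a defender-side triage check: it parses a decoded `AndroidManifest.xml` and flags a sideloaded app whose requested permissions cover all four categories. The permission-to-category mapping and both sample manifests are assumptions constructed for the illustration; the report does not publish Goontact's manifest.

```python
"""Triage check for sideloaded Android apps whose requested permissions cover
every data category the Goontact report lists (contacts, SMS, photos, location).

Added illustration only; not Lookout's tooling and not based on a real sample.
Assumes the binary manifest has already been decoded to text (e.g. with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the standard permissions an app would need to read each
# category named in the report. Any one permission in a set grants the category.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def covered_categories(perms):
    """Sorted list of data categories the permission set can reach."""
    return sorted(cat for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed)


def assess(manifest_xml, sideloaded=True):
    """Heuristic: a sideloaded app that can read all four categories matches the
    Android behaviour described in the report and should be reviewed manually.
    Store-installed apps with the same permissions are reported but not flagged."""
    cats = covered_categories(requested_permissions(manifest_xml))
    return {
        "categories": cats,
        "suspicious": sideloaded and len(cats) == len(CATEGORY_PERMISSIONS),
    }


# Constructed sample manifests (not real apps).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videofix">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Fix"/>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Dialer"/>
</manifest>
"""

if __name__ == "__main__":
    print("sideloaded 'Video Fix':", assess(SUSPECT_MANIFEST))
    print("store 'Dialer':", assess(BENIGN_MANIFEST, sideloaded=False))
```

The check is deliberately coarse: plenty of legitimate messaging apps request the same four categories, which is why the sideload flag is part of the condition. It is a prioritisation aid for a mobile-device management or app-vetting pipeline, not a verdict.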

The Lookout team believes that the information stolen in the campaign will be used to blackmail or defraud victims, although so far they said they have seen no evidence proving this scenario.

The campaign itself resembles one reported by researchers in 2015, and Lookout researchers suspect it has been operated since 2013 by a criminal affiliate rather than nation-state actors.

“However, the Goontact malware family is novel and is still actively being developed,” with the earliest sample having been observed in November 2018, researchers said.

Lookout researchers have contacted Google and Apple about Goontact as well as informed Threat Advisory Services customers with additional intelligence on the spyware and other threats.

