Goontact spyware lures iOS and Android users with obscene content

by Emma Davis
August 11, 2023
Goontact lures with obscene content
Written by Emma Davis

Lookout experts spoke about the Goontact spyware, which lures Android and iOS users with an obscene content, stealing and then using their personal data for blackmail.

Currently, the malware spreads through third-party sites and is most often disguised as special messengers to communicate with escort service workers.

Moreover, the target audience of these resources is limited to Chinese-speaking countries, as well as Korea and Japan. The researchers note that, judging by the language used in the admin panels on the attackers’ servers, Goontact is controlled by criminals who speak Chinese.

The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with the women. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems.told Lookout researchers.

Once infiltrated on the user’s device, Goontact-infected applications steal victim’s personal information, including photos, SMS messages, contact lists, device IDs and phone numbers, and so on.

The company says that overall, Goontact’s activity is very similar to another malicious campaign, also aimed at data theft, described by Trend Micro back in 2015.

Lookout analysts believe that the data collected with the help of malicious applications can later be used to extort small ransoms from victims, otherwise the attackers threaten to disclose the victim’s sexual contacts to his friends and acquaintances.

We have notified Google and Apple about this threat and are actively working with them to protect Android and iOS users from Goontact. Apple has already revoked the certificates that used to sign applications, and now the applications will stop working on the company’s devices. Play Protect will notify users if any version of Android Goontact is installed on their devices.experts say.

A complete list of all Goontact infected applications and indicators of compromise can be found on the company’s blog.

Let me remind you that I also wrote about the fact that Sextortion ransomware writes letters in foreign languages to bypass filters.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending