New spyware has been detected that targets iOS and Android users who patronize illicit sites that typically offer escort services.
The malware, named Goontact by the Lookout researchers who discovered it, targets heterosexual users in China, Korea, Japan, Thailand, and Vietnam, stealing personal information from their mobile devices.
Researchers noted: “The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.”
Goontact frequently disguises itself as secure messaging applications. The malware has been observed exfiltrating a wide range of data, including device identifiers and phone number, contacts, SMS messages, location information, and photos on external storage.
Describing how users fall victim to the spyware, researchers wrote: “The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with women.
“Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators.”
By pretending that they are experiencing audio or video problems, the operators persuade their targets to install or sideload a mobile application that has no real user functionality beyond stealing the victim’s address book.
Researchers believe that the threat campaign is being operated by “a crime affiliate” since sites associated with the spyware are similar in appearance, naming convention, and targeted geographic region.
The sites use logos associated with domains caught up in a previous sextortion campaign exposed in 2015 by Trend Micro.
Goontact appears to be a recent addition to a campaign that has been active since at least 2013.
“The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame,” wrote researchers.
The enterprise mobile provisioning profiles used by Goontact all reference apparently legitimate companies, including Linkplay Tech Inc and Jinhua Changfeng Information Technology Co.
Researchers said that it was unclear whether these signing identities have been compromised, or if they were created by malware operators spoofing representatives of the companies.