Posted on December 16, 2020 at 2:31 PM
Security researchers at mobile security firm Lookout announced that new spyware called Goontact is targeting iOS and Android users in several Asian countries.
The Lookout Threat Intelligence team discovered this new wave of spyware, which mostly targets users of illicit sites.
Spyware campaign has been active since 2018
According to the researchers, the spyware is usually deployed to steal personal information from victims' iOS or Android devices. When the personal information is retrieved, the threat actors use it to extort their victims.
Based on the evidence, the sextortion scams are affecting Korean-, Japanese-, and Chinese-speaking people.
Lookout also stated that Goontact may be operating in Vietnam as well as in Thailand. According to the researchers, the spyware campaign may have been active since 2018.
The Goontact spyware is capable of collecting certain personal information from the user’s phone, including location information, photos, SMS messages, contacts, as well as phone identifiers.
While the spyware has not been discovered on the official Google and Apple app stores, Lookout researchers said users could be downloading and sideloading applications already infected by the Goontact spyware.
Data stolen from the apps is sent back to the servers under the control of the Goontact operators. Lookout also thinks the spyware campaign is owned and managed by Chinese-speaking threat actors.
Although the full details about the spyware operators are not known, Lookout believes that the threat actors are not acting for any state-backed hacking group but could be acting as independent individuals.
Mobile devices always a target for threat actors
Mobile devices are usually the targets of spyware operators because users store lots of private information on their phones. It makes it easier for cybercriminals to launch attacks and plant their spyware to steal personal information.
The scam typically starts when potential victims are deceived into initiating a conversation on sites that offer escort services.
However, the targets do not know they are conversing with the Goontact operators, who would later convince them to improve their user experience by installing mobile applications.
In reality, the fake mobile apps have no real functionality other than stealing the victim's personal information for future sextortion.
Program Vice President of Enterprise Mobility at IDC Phil Hochmuth stated that threat actors always love attacking mobile devices, especially iOS and Android devices. They are easier to attack as users are more responsive to their attack patterns on mobile devices.
“It’s no secret that mobile devices are a treasure trove for cybercriminals,” Hochmuth said.
And with the number of mobile device users growing steadily, Android and iOS cybercrime is likely going to increase in the future, he reiterated.
As a result, users of mobile phones who are targets must be proactive if they want to prevent or stop the attacks. He said a stronger security approach will go a long way toward reducing the number of information thefts recorded on mobile devices.
Staff Security Engineer at Lookout Apurva Kumar pointed out that the sextortion campaign described by Trend Micro in 2018 is very similar to this present campaign on Android and iOS phones.
While there is no concrete link tying them together, Kumar said their operational methods look similar. Kumar said that the personal details stolen with the spyware could be used to extort victims or get them exposed to friends and families if the extortion plan fails.
Google and Apple have been informed
Lookout says it has informed Google and Apple about the threat and has been working with them to make sure the threat actors do not extort victims.
As a precautionary step, Apple revoked the enterprise certificate utilized in signing the app. As a result, the apps will no longer work on devices.
The list of apps infected with Goontact is too long to reproduce here, but the Lookout report lists all the names.