An Extortion Campaign Recently Started Using a New Piece of Spyware


An extortion scheme targeting Chinese, Korean, and Japanese speakers recently began using a new piece of spyware, published on Wednesday by mobile security company Lookout.

The initiative focuses on infecting illegal sites, such as those selling escort services, with iOS and Android to steal personal details, possibly with the intention of blackmailing or extorting victims.

The spyware, called Goontact, usually masquerades as secure messaging software. It targets a wide variety of data for exfiltration after it has compromised a device, including device identifiers and phone numbers, contacts, SMS messages, external storage images, and location information.

“A treasure chest of personal data is laptops and smartphones. Private data such as addresses, images, messages and positions are stored on these computers. Entry to any of this knowledge helps cyber criminals like Goontact’s operators to conduct a profitable operation of blackmail, states Lookout.

In several Asian nations, the attacks harass consumers, including China, Japan, Korea, Thailand and Vietnam.

The victims are first drawn to places that presumably help them to engage with women, where they are persuaded to instal a smartphone app to communicate properly (bogus audio- or video-related issues are invoked).

The software is meant to steal the address book of the victim without actual features. To extort money from the target, the attackers then use this information.

Websites involved in these attacks have parallels in name, appearance, and targeting, and even used trademarks that were previously observed on domains used in a 2015 sextortion programme.

Since at least 2013, the Goontact initiative is thought to have been involved. However, the earliest Goontact sample found, with the malware still in active development, is dated November 2018.

Instead of nation-state players, we suspect this campaign is run by a crime partner. While any conclusive infrastructure ties are yet to be uncovered, we think it is extremely likely that Goontact is the newest addition to the arsenal of this threat actor. Most interestingly, this scam’s iOS part has not been reported on before, Lookout says.

From mere theft of a victim’s phone number and contact list, the iOS version of the spyware has grown to provide the ability to connect to a secondary command and control (C&C) server and display a designed message to the victim.

Lookout has finds that the iOS malware misuses the sideloading Apple enterprise provisioning scheme, as well as enterprise credentials that seem to have been affiliated with legitimate businesses (companies from various verticals in China and the United States), so that the malicious app can be spread outside the Apple App Store.

Many of the businesses found on the iOS App Store either have new or previous developer profiles and games. It is still unclear to us, however, whether these signing identities have actually been compromised, or whether they have been created by malware operators masquerading as members of the businesses in question, the security researchers say.

In addition to contact lists and the victim’s phone number, the more feature-rich Android version of Goontact will also exfiltrate SMS texts, images, and system locations.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.