Goontact, the new spyware that steals intimate photos to extort victims

A group of specialists has revealed the discovery of a new variant of surveillance and spying malware for iOS and Android devices. Identified as Goontact, the new spyware has the ability to collect all sorts of details about infected devices, including phone ID, contact list, SMS messages, photos and location data.

Goontact was first detected by researchers at mobile security firm Lookout, who report that the spyware is distributed through third-party websites that advertise messaging apps specially designed for hiring escort services.

At the moment the activity of this spyware seems to be limited to countries such as South Korea, Japan and Chinese-speaking territories throughout Asia, the researchers mention.

The list of apps that contain Goontact is too long, so it’s not convenient to include it in this note. However, the following is a list of all websites that advertise any of the malicious apps:

[Image: list of websites that advertise the malicious apps (spyware16122020.jpg)]

This malware variant has not yet been detected in malicious apps available on the App Store or Play Store, although experts do not rule out cybercriminals trying to infiltrate official platforms with this spyware.

After being installed on the target device, Goontact begins to collect information to be sent to the hackers’ servers. Because of the language used in the management panels of the analyzed servers, experts believe this could be an operation deployed by Chinese cybercriminal groups.

Lookout specialist Apurva Kumar mentions that this operation is very similar to a sextortion campaign detected a couple of years ago: “Our investigation is still ongoing, but we believe that the data collected in this campaign could be used to extort victims; hackers have a lot of confidential information.”

Experts notified Google and Apple of their finding so that the companies can implement the necessary measures before it’s too late: “Multiple apps will stop working as a result of a revocation of business certificates potentially associated with this campaign,” Kumar added.