Security researchers have found new spyware on both iOS and Android that collects contacts, phone identifiers, SMS messages, location information, and photos from infected victims.

According to a blog post published by mobile security firm Lookout, which detected the malware, it is being distributed through third-party websites that promote free instant messaging apps dedicated to reaching escort services. These sites target audiences including those in Japan, Korea, and Chinese-speaking countries.

Goontact spyware discovered targeting Android and iOS users

According to ZDNet, Lookout stated in its report that it discovered malware with surveillance capabilities affecting Android and iOS users. The spyware, called Goontact, can collect data from infected victims including contacts, phone identifiers, photos, SMS messages, and location information.

The malware has yet to reach the official Google Play Store and Apple App Store, but there are indications that users have been downloading applications infected by Goontact. The data these apps collect is sent to online servers controlled by Goontact operators.

Lookout Staff Security Intelligence Engineer Apurva Kumar told ZDNet that the Goontact operation is similar to the 2015 sextortion campaign described by Trend Micro. Based on the admin panels seen on these servers, Lookout believes Chinese-speaking threat actors manage Goontact, although there is currently no tangible evidence.

Kumar believes the data collected from these apps could later be used to extort victims into paying small ransoms by threatening to expose their sexual encounters to contacts and friends. The Lookout report noted that the scam begins when potential victims, who are usually women, are contacted using one of the cybercriminals' hosted sites. These websites indicate that account IDs for messaging apps like Telegram or KakaoTalk are used to initiate conversations.

In an email sent to ZDNet, Kumar said that both Apple and Google have been notified of this threat and that they are already cooperating with Lookout to protect all iOS and Android users from Goontact.

The Lookout security engineer noted that Apple revoked the enterprise certificates used to sign the apps, so the apps will stop working on devices. Meanwhile, Google's Play Protect will notify users if a Goontact app is installed on their Android device.


Goontact uses mobile provisioning profiles of legitimate companies

Goontact has infected many apps, and the complete list can be found at the end of the Lookout report. In fact, Lookout discovered that these cybercriminals use legitimate enterprise mobile provisioning profiles. The list includes companies registered in the United States and in China, spread across different sectors such as credit unions, railroads, and power generation companies.

Meanwhile, Lookout does not believe this campaign is operated by nation-state actors, but rather by a crime group. However, the security firm would need to uncover definitive infrastructure links to confirm its theory. "We believe it is highly probable that Goontact is the newest addition to this threat actor's arsenal," Lookout wrote in its report, adding that the iOS component of this scam campaign had not been reported before.


This is owned by Tech Times

Written by CJ Robles

ⓒ 2021 All rights reserved. Do not reproduce without permission.