Security researchers have identified a new strain of malware that is currently available in both Android and iOS models, with spying and surveillance capabilities, also known as spyware. Called Goontact, this malware has the potential to collect data such as phone identifiers, addresses, SMS messages, images, and location information from infected victims. The Goontact malware, found by mobile security company Lookout, is currently distributed via third-party sites that promote free instant messaging apps dedicated to accessing escort services. Lookout said in a study shared today with ZDNet that the target audience of these sites tends to be limited at the moment to Chinese speaking countries, Korea and Japan. While the malware has yet to hit official app stores for Apple and Google, there are signs that Goontact-infected apps are being downloaded and side-loaded by users.
Under the supervision of Goontact operators, data obtained from these apps is sent back to online servers. Lookout assumes that the Goontact operation is most likely controlled by Chinese-speaking threat actors, based on the language used for these servers’ admin panels.
LINKS SUGGEST CONNECTION TO PAST SEXTORTION CAMPAIGN
Although there is no tangible evidence at the moment, Kumar believes that data collected through these apps could later be used to extort victims into paying small ransoms or have their attempts to arrange sexual encounters exposed to friends and contacts.
“We have notified both Google and Apple of this threat and are actively collaborating with them to protect all Android and iOS users from Goontact,” Kumar told ZDNet in an email over the weekend.
“Apple has revoked the enterprise certificates used to sign the apps and, as a result, the apps will stop working on devices,” the Lookout security engineer added.
“Play Protect will notify a user if any Goontact Android samples are installed on their device.”
The names of all Goontact-infected apps is pretty exhaustive and is too long to list here, but can be found at the end of this Lookout report, in case users want to check and see if they’ve downloaded and installed any of the apps. The sites that usually peddled Goontact-infected apps are listed below.