Sextortionist Campaign Targets iOS, Android Users with New Spyware

  • Goontact lures consumers of illicit web-sites by Telegram and other safe messaging applications and steals their information for long run fraudulent use.

    New adware is targeting iOS and Android frequenters of grownup mobile sites by posing as a protected messaging application in yet an additional twist on sextortionist cons.

    The spy ware, dubbed Goontact, targets people of escort-provider web pages and other intercourse-oriented services – notably in Chinese-speaking nations, Korea and Japan, according to research revealed by Lookout Threat Intelligence on Wednesday.

    The ploy and malware can in the end be utilised to exfiltrate info from targets. Details siphoned from equipment contain phone number, contact record, SMS messages, pictures and spot info. The character of the facts sweep and the context of the assaults “suggests that the supreme aim is extortion or blackmail,” scientists Robert Nickle, Apurva Kumar and Justin Albrecht noticed in a report published online Wednesday.

    Simply click to sign-up.

    Sextortionist ripoffs, in which threat actors claim they have online video or other information that backlinks a likely victim to illicit exercise that could threaten a marriage, position or other major partnership or desire, are almost nothing new. Nevertheless, attackers commonly use email to provide these type of frauds, utilizing a assortment of tactics to get previous email defenses and trick victims.

    The new campaign uses a distinctive and evolving tack. It lures a likely target by inviting them by way of an advert on a hosted illicit website to join with girls for free by working with KakaoTalk or Telegram safe messaging apps. If a person takes the bait and initiates a conversation, it is Goontact operators with whom the human being makes get in touch with, scientists mentioned.

    “Targets are persuaded to install (or sideload) a cellular application on some pretext, this kind of as audio or movie issues,” they wrote. “The cellular purposes in dilemma appears to have no authentic person performance, other than to steal the victim’s address reserve, which is then made use of by the attacker eventually to extort the concentrate on for monetary achieve.”

    The particulars of the attack are distinct depending on if a target is working with an iOS or Android unit. The iOS attacks have considerably less capability to steal knowledge, lifting only the victim’s phone quantity and call record, researchers mentioned. In some later iterations of the spyware, it connects to a secondary command-and-control (C2) server and shows a concept tailor-made to the consumer in advance of exiting the app.

    The Android-primarily based attack has significantly extra danger functionality, researchers mentioned. “In addition to make contact with stealing, these samples contain a lot more superior functionality these as exfiltration of SMS messages, photographs and locale,” researchers wrote.

    The Lookout staff thinks that the data stolen in the marketing campaign will be used to blackmail or defraud victims, although so significantly they claimed they have observed no proof proving this situation.

    The marketing campaign alone bears resemblance to just one noted by scientists in 2015, and Lookout researchers suspect it is been close to and operated by a crime affiliate instead than country-state actors due to the fact 2013.

    “However, the Goontact malware loved ones is novel and is nonetheless actively being made,” with the earliest sample obtaining been noticed in November 2018, researchers reported.

    Lookout scientists have contacted Google and Apple about Goontact as very well as educated Danger Advisory Products and services customers with further intelligence on the spy ware and other threats.

    Place Ransomware on the Operate: Save your location for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware entire world and how to struggle back.

    Get the most up-to-date from John (Austin) Merritt, Cyber Risk Intelligence Analyst at Electronic Shadows Limor Kessem, Govt Security Advisor, IBM Security and Allie Mellen, a security strategist in the Business of the CSO at Cybereason, on new varieties of attacks. Topics will consist of the most risky ransomware threat actors, their evolving TTPs and what your organization demands to do to get ahead of the subsequent, unavoidable ransomware attack. Sign-up here for the Wed., Dec. 16 for this LIVE webinar.