Sextortion campaign uses Goontact spyware to target Android and iOS users

Pierluigi Paganini December 16, 2020

Security experts spotted a new malware strain, named Goontact, that allows its operators to spy on both Android and iOS users.

Security researchers from Lookout have discovered new spyware, dubbed Goontcat, that could target both Android and iOS users.

Goontact implement common spyware features, including the ability to gather data from the infected devices and gather system info.

The malware allows operators to retrieve phone identifiers and steal contacts, SMS messages, photos, and even location data.

Goontact is currently distributed via third-party sites promoting free instant messaging apps for escort services for users in Chinese speaking countries, Korea and Japan. The spyware is likely used as part of a sextortion campaign.

“The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device.” reads the report published by Lookout. “The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.”

Potential victims are lured to one of the hosted sites where they are invited to connect with women. These sites advertise account IDs for secure messaging apps such as KakaoTalk or Telegram that could allow to communicate with the escorts.


In reality, the victims communicated with Goontact operators that attempt to trick them into installing (or sideload) a mobile application that steals the victim’s address book.

“Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems.” continues the report. “The mobile applications in question appears to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker ultimately to extort the target for monetary gain.”

The analysis of admin panels of these servers revealed that the Goontact operators are Chinese-speaking individuals.

Experts pointed out that websites associated with Goontact campaign have many similarities in naming convention, appearance, and targeted geographic region with a sextortion campaign reported by Trend Micro in 2015

The campaign has been active since at least 2013, but the Goontact malware samples were first observed by Lookout in November 2018.

“While the Goontact surveillance apps described in this campaign are not available on Google Play or the iOS App Store, the duration, breadth and tactics exhibited highlight the lengths malicious actors will go to deceive victims and bypass built-in protections.” conclude the experts.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Goontact)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment