December 16, 2020

Lookout Discovers New Spyware Used by Sextortionists to Blackmail iOS and Android Users

By Robert Nickle, Apurva Kumar, Justin Albrecht


With contributions from Diane Wee, Innovation Strategist at Lookout. Diane helped with the translation portion of this research.

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in Chinese speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.

We found that Goontact, which often disguises itself as secure messaging applications, can exfiltrate a wide range of data, such as:

  • Device identifiers and phone number.
  • Contacts.
  • SMS messages.
  • Photos on external storage.
  • Location information.

Tablets and smartphones are a treasure trove of personal data. These devices store private data, such as contacts, photos, messages and location. Access to all of this data enables cybercriminals like the operators of Goontact to run a successful extortion campaign.

Malicious Functionality and Impact

These sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people in multiple Asian countries. Evidence on distribution sites also suggests that this operation is functional in China, Japan, Korea, Thailand and Vietnam.

The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with women. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation.

Lure site screenshots for Goontact that invite visitors to contact a KakaoTalk ID or a Telegram ID to access the services being advertised.

In reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question appear to have no real user functionality, except to steal the victim’s address book, which is then used by the attacker to extort the target for monetary gain.

Potential Attribution

We found that the websites associated with Goontact bear many similarities in naming convention, appearance and targeted geographic region. The sites also used logos associated with domains that were part of a sextortion campaign reported by Trend Micro in 2015.[1]

We believe this campaign is operated by a crime affiliate, rather than nation state actors. While we have yet to uncover any definitive infrastructure links, we believe it is highly probable that Goontact is the newest addition to this threat actor's arsenal. Most notably, the iOS component of this scam has not been reported on before.

Based on our research, the campaign has been active since at least 2013. However, the Goontact malware family is novel and is still actively being developed. The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame.

Goontact iOS

Recent active Goontact distribution sites mimicking App Store pages.

The servers used for distribution of the malware also host a login panel indicating that they serve as command-and-control (C2) servers. The apps are under continuous development and have been updated multiple times per month.

Early samples of the iOS version of Goontact show the primary functionality is to steal a victim’s phone number and contact list. Later iterations incorporated functionality to communicate to a secondary command-and-control (C2) server and display a message to the user that has been tailored by the attacker, before exiting the app.

Code that exfiltrates a victim’s address list from an infected device.

Signing Identities

Goontact on iOS relies on the user side-loading an IPA file from a distribution site. These sites contain links to a distribution manifest, which provides a download URL for the IPA. To make this possible, Goontact abuses the Apple enterprise provisioning system.

To be distributed outside the App Store, an IPA file must contain a mobile provisioning profile with an enterprise certificate. These enterprise certificates can be generated from the Apple Developer console and can then be used to code sign apps using a signing identity tied to the company’s developer profile or TeamID. The operators of Goontact were able to obtain enterprise certificates apparently associated with legitimate businesses to sign their malware which was then distributed on sites mimicking App Store pages.

The Apple Developer Enterprise program is intended to permit organizations to distribute proprietary, in-house apps to their employees without needing to use the iOS App Store. A business can obtain access to this program only provided they meet requirements set out by Apple.

This tactic is also used by other iOS threats we have observed, such as eSurvAgent. It requires the user to download the app through a browser, install it, navigate to their Settings app and then explicitly trust the signing identity used to sign the IPA file. Only after the signing identity has been verified against Apple’s servers is the app able to run on an iOS device.

Screenshots of a live distribution site providing instructions on how to install the iOS version of Goontact. In the rightmost image above, the name of the company whose signing identity was used to create the mobile provisioning profile for the app can be seen.

The enterprise mobile provisioning profiles used by Goontact all reference apparently legitimate companies. The list, as shown below, includes companies registered in China and in the United States across various sectors such as power generation companies, credit unions, and railroad companies.

TeamID       TeamName (Company Name)
AKSVA57833   Jinhua Changfeng Information Technology Co., Ltd.
5YMLXQ5HEE   Qingdao Haier Technology Co., Ltd.
VWEN6QTM5A   Linkplay Tech Inc.
GCDHET33K9   Norfolk Southern Corporation
KRDUAN5QNS   Dalian Rural Commercial Bank Co., Ltd.
7TLJH7GP4B   Daikin Airconditioning (Hong Kong) Ltd
5383H5PWBS   AbleSky Inc.
229BL7A3HR   GUANGZHOU INSOONTO NETPAY TECHNOLOGY CO.; LTD.
7RZF8699DK   Guangzhou Jianxin Automation Technology Co.,Ltd.

Most of the companies observed either have current or past developer profiles and applications on the iOS App Store. However, it is still unclear to us whether these signing identities have truly been compromised, or if they were created by the malware operators masquerading as representatives of the companies in question.

During our research we observed multiple signing identities being revoked. In those cases, new malware samples using a new identity immediately appeared on the distribution sites. We sometimes observed this occurring multiple times a month, indicating the actors behind Goontact have little difficulty acquiring access to additional accounts.
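A defender triaging a sideloaded IPA wants to know which signing identity its embedded provisioning profile names and whether it is an enterprise (in-house) profile. The following is an added example, not Lookout's tooling: it reads the plist out of an `embedded.mobileprovision` blob and checks its TeamID against the identities listed above. It assumes the profile's plist is stored contiguously inside the CMS envelope (as Apple-issued profiles are), and the sample profile bytes are constructed for the test, not a real profile.

```python
import plistlib

# TeamIDs from the enterprise profiles described in this post.
GOONTACT_TEAM_IDS = {
    "AKSVA57833", "5YMLXQ5HEE", "VWEN6QTM5A", "GCDHET33K9", "KRDUAN5QNS",
    "7TLJH7GP4B", "5383H5PWBS", "229BL7A3HR", "7RZF8699DK",
}


def extract_profile_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.

    A provisioning profile is PKCS#7/CMS SignedData whose content is an
    XML plist stored verbatim, so slicing from '<?xml' to '</plist>' is
    enough to read its keys offline (macOS 'security cms -D' does the
    same with signature checking, which this helper deliberately skips).
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def assess_profile(raw: bytes) -> dict:
    """Summarise the signing identity and flag known Goontact TeamIDs."""
    p = extract_profile_plist(raw)
    team_ids = set(p.get("TeamIdentifier", []))
    entitlements = p.get("Entitlements", {})
    # In-house profiles set ProvisionsAllDevices and carry no device
    # list; ad-hoc profiles enumerate ProvisionedDevices instead.
    enterprise = bool(p.get("ProvisionsAllDevices")) and "ProvisionedDevices" not in p
    return {
        "name": p.get("Name"),
        "team_name": p.get("TeamName"),
        "team_ids": sorted(team_ids),
        "app_id": entitlements.get("application-identifier"),
        "enterprise": enterprise,
        "known_goontact_team": bool(team_ids & GOONTACT_TEAM_IDS),
    }


def sample_profile(team_id: str, team_name: str) -> bytes:
    """Constructed fixture: a plist wrapped in dummy bytes that stand in
    for the CMS envelope. Not a real or valid provisioning profile."""
    plist = plistlib.dumps({
        "Name": "Demo In-House",
        "TeamName": team_name,
        "TeamIdentifier": [team_id],
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": f"{team_id}.com.example.demo"},
    })
    return b"\x30\x82\x05\x00DUMMY-CMS-HEADER" + plist + b"DUMMY-CMS-TRAILER"
```

Run `assess_profile(open("embedded.mobileprovision", "rb").read())` on an unpacked IPA; a hit on `known_goontact_team` or an unexpected `enterprise` profile on a consumer device is the signal to investigate.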

Goontact Android

The Android component of Goontact is much more feature-rich. In addition to contact stealing, these samples contain more advanced functionality such as exfiltration of SMS messages, photos and location.

Icons of Goontact Android samples displaying the possible lures used in the campaign to entice individuals to download and install the malware samples.

Infrastructure

Most command-and-control (C2) domains leveraged by Goontact are sites also hosting the iOS variant of the malware. Almost all active malware C2s have login panels on non-standard ports such as 8085 and 9905.

All live C2 panels are in Chinese. This evidence, along with the names of the companies being used for developer profiles, suggests that the developers and operators of the campaign are Chinese speakers.

The path component of the C2 URL in current samples commonly includes “/JYSystem/” on both iOS and Android, which is a reference to an open source HTML template available on GitHub.[2] After exploring the infrastructure during our research, we discovered dozens of active sites with the same patterns hosting numerous IPA files. A number of them are listed in our screenshot below, but new domains are registered daily. These domains were linked to each other through shared IP addresses and SSL certificates.

Domain names generally include the names of secure messaging apps, and the campaign prefers the .top and .vip TLDs.

Lure sites are middleman sites that offer the option of setting up dates and chats with women after paying a session fee. Recent lure sites include links to the malicious applications and provide detailed installation instructions to the victims. The malicious APK files have been observed to be hosted on the lure sites, but the IPA files are all hosted on separate distribution sites as described above.

A lure site (red-v10[.]com) in Korean links back to Goontact samples hosted on one of the distribution sites (redvios[.]com) along with instructions on how to install it. The sites inspect the User-Agent header in order to serve the application appropriate for the visitor's device.
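The infrastructure traits above (messaging-app lookalike hostnames on .top/.vip, panels on ports 8085 and 9905, a “/JYSystem/” path, IPA or APK downloads) can be turned into a simple proxy-log triage. This is an added example, not Lookout's detection logic; the log format and the hostnames in the sample lines are constructed for illustration and are not indicators from this post.

```python
from urllib.parse import urlsplit

# Scoring signals taken from the infrastructure section of this post.
SUSPECT_TLDS = {"top", "vip"}
PANEL_PORTS = {8085, 9905}
C2_PATH_MARKER = "/jysystem/"
MESSAGING_BRANDS = ("telegram", "tele-gram", "signal", "talk", "kakao", "twi-tter")
PAYLOAD_SUFFIXES = (".ipa", ".apk", ".plist")


def score_url(url: str) -> tuple[int, list[str]]:
    """Count how many Goontact-like traits a URL shows and say which."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    reasons = []
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld:.{tld}")
    if u.port in PANEL_PORTS:
        reasons.append(f"port:{u.port}")
    if C2_PATH_MARKER in path:
        reasons.append("path:JYSystem")
    if any(brand in host for brand in MESSAGING_BRANDS):
        reasons.append("host:messaging-lookalike")
    if path.endswith(PAYLOAD_SUFFIXES):
        reasons.append("payload:" + path.rsplit(".", 1)[-1])
    return len(reasons), reasons


def triage(log_text: str, min_score: int = 3) -> list[tuple[str, int, list[str]]]:
    """Scan '<ts> <client> <method> <url> <status>' lines (constructed
    format) and return URLs that hit at least min_score signals."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        score, reasons = score_url(url)
        if score >= min_score:
            hits.append((url, score, reasons))
    return hits


# Constructed sample proxy log; hostnames are placeholders, not IoCs.
SAMPLE_LOG = """\
2020-12-01T10:00:01Z 10.0.0.5 GET https://www.apple.com/itunes/ 200
2020-12-01T10:00:07Z 10.0.0.5 GET https://placeholder-talk.top/JYSystem/index.html 200
2020-12-01T10:00:09Z 10.0.0.5 GET https://placeholder-talk.top:8085/JYSystem/upload 200
2020-12-01T10:01:30Z 10.0.0.8 GET https://dl.placeholder.vip/app/manifest.plist 200
"""
```

A single trait such as a .vip TLD is weak on its own, which is why the threshold defaults to three; lower it to widen the net when hunting rather than alerting.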

While the Goontact surveillance apps described in this campaign are not available on Google Play or the iOS App Store, the duration, breadth and tactics exhibited highlight the lengths malicious actors will go to deceive victims and bypass built-in protections. Lookout secures consumers and enterprise users from Goontact. On Android, all Lookout users are protected, whereas on iOS, Lookout for Work users and Lookout Premium Plus subscribers are protected.

Lookout Threat Advisory Services customers have already been notified with additional intelligence on this and other threats. Take a look at our Threat Advisory Services page to learn more.


1. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf

2. https://github.com/cnloli/JYSystem

Indicators of Compromise



Authors

Robert Nickle, Staff Security Intelligence Engineer
Apurva Kumar, Staff Security Intelligence Engineer
Justin Albrecht, Professional Services Engineer