With contributions from Diane Wee, Innovation Strategist at Lookout. Diane helped with the translation portion of this research.

The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in Chinese-speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile devices. The types of sites used to distribute these malicious apps and the information exfiltrated suggest that the ultimate goal is extortion or blackmail. We found that Goontact, which often disguises itself as a secure messaging application, can exfiltrate a wide range of data, such as:

Tablets and smartphones are a treasure trove of personal data. These devices store private data such as contacts, photos, messages and location. Access to all of this data enables cybercriminals like the operators of Goontact to run a successful extortion campaign.

These sextortion scams are exploiting Chinese-, Japanese- and Korean-speaking people in multiple Asian countries. Evidence on distribution sites also suggests that this operation is functional in China, Japan, Korea, Thailand and Vietnam.

The scam begins when a potential target is lured to one of the hosted sites, where they are invited to connect with women. Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication, and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators. Targets are convinced to install (or sideload) a mobile application on some pretext, such as audio or video problems. The mobile applications in question appear to have no real user functionality, except to steal the victim's address book, which the attacker then uses to extort the target for monetary gain.

We found that the websites associated with Goontact bear many similarities in naming convention, appearance and targeted geographic region. The sites also used logos associated with domains that were part of a sextortion campaign reported by Trend Micro in 2015. We believe this campaign is operated by a crime affiliate rather than nation-state actors. While we have yet to uncover any definitive infrastructure links, we believe it is highly probable that Goontact is the newest addition to this threat actor's arsenal.

Based on our research, the campaign has been active since at least 2013. However, the Goontact malware family is novel and is still actively being developed. Most notably, the iOS component of this scam has not been reported on before. The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame.

Goontact on iOS relies on the user sideloading an IPA file from a distribution site. These sites contained links to a distribution manifest, which provides a download URL for the IPA. To make this work, Goontact abuses the Apple enterprise provisioning system. To be distributed outside the App Store, an IPA file must contain a mobile provisioning profile backed by an enterprise certificate. These enterprise certificates can be generated from the Apple Developer console and can then be used to code-sign apps using a signing identity tied to the company's developer profile or Team ID. The operators of Goontact were able to obtain enterprise certificates apparently associated with legitimate businesses, used them to sign their malware, and distributed the result on sites mimicking App Store pages.