GoldFactory Expands GoldPickaxe Malware Operations

Cybercriminals have begun targeting iPhone owners with malicious software designed to steal 3D facial scans, which are then used to gain unauthorized access to bank accounts.

This was disclosed by Group-IB, a cybersecurity firm, which uncovered that a Chinese hacking group named GoldFactory has been distributing infected smartphone applications since June 2023. The latest iteration of their malicious program, GoldPickaxe, emerged in October.

GoldPickaxe targets Android devices, while GoldPickaxe.iOS is aimed at iPhones. The fraudsters deceive victims into undergoing biometric identification procedures. The acquired 3D scans are subsequently utilized to circumvent security measures in the official banking applications of Vietnam and Thailand.

The iOS version of the Trojan currently attacks only Thailand, disguising itself as an app for receiving digital pensions from the government. However, there are suspicions that the malicious software has also penetrated Vietnam. Recent reports from there have detailed similar incidents involving the theft of tens of thousands of dollars.

According to Group-IB experts, GoldPickaxe.iOS is the first discovered iPhone Trojan that simultaneously collects biometric data and identity documents, intercepts SMS, and uses infected devices as proxy servers. The Android version possesses even more extensive functionality, owing to the platform’s fewer restrictions.

Although malicious software for Android is more widespread due to the possibility of installing apps from unofficial sources, the Trojan for the closed iOS ecosystem was particularly surprising for cybersecurity specialists.

For Android, the attackers simply distributed the disguised GoldPickaxe through a fake Google Play store. Loading GoldPickaxe.iOS onto an iPhone required more sophisticated social engineering.

Initially, the hackers abused Apple’s beta-distribution platform, TestFlight. When this loophole was closed, the fraudsters devised another scheme: using various ploys, they convinced victims to install an MDM (mobile device management) profile for remote management, which allowed them to stealthily deliver the malware to the victims’ devices. First contact with victims was usually made through the popular Asian messenger LINE.

Having obtained the 3D facial scans, the hackers used generative AI to create realistic digital models of the victims’ faces. These models enabled them to bypass biometric checks in official banking applications and gain access to user accounts. Additionally, the fraudsters combined the stolen personal data with intercepted SMS to take remote control of the victims’ finances.