GoldPickaxe Mobile Trojan Malware Captures Facial Data, Intercepts Text Messages to Access Financial Accounts

A new type of trojan malware uncovered by cybersecurity firm Group-IB is the first of its kind to capture facial data for the purposes of breaking into bank accounts.

GoldPickaxe is an evolution of an existing suite of banking malware called GoldDigger aimed at iOS and Android devices. Distribution of it is limited at this point, however, as victims have to be lured into what Group-IB describes as a “multi-stage social engineering scheme” to allow privileged access to their devices.

New trojan malware first to capture facial biometrics for deepfake creation

The story begins with the existing GoldDigger trojan malware, distributed by a threat actor referred to as GoldFactory, which was uncovered by Group-IB in October 2023. That trojan was discovered targeting about 50 financial services businesses in Vietnam, and would intercept SMS messages and exfiltrate identity documents for the purpose of capturing banking credentials. The new GoldPickaxe evolution takes things a step further, retaining the prior functionality but adding the ability to capture facial data for the purpose of creating a deepfake to defeat biometric logins.

Distribution has been limited to date, as the trojan malware has focused on iOS users but has not cracked the App Store as of yet. It was first distributed via Apple’s TestFlight app testing platform, but has since been identified and banned. The threat actors have since moved to attempting to social engineer targets into installing a Mobile Device Management (MDM) profile that puts the malware on their device.

Thus far, Group-IB finds that GoldFactory has been focused on capturing facial data in Vietnam and Thailand. However, it also says that there are signs the threat actor plans to expand its trojan malware operation to other countries. The group appears to be made up of native Chinese speakers, but it has used the Thai, Vietnamese and Spanish languages in its attacks.

It is important to note that the trojan malware is not breaching the security of Apple’s Face ID or Android’s internal facial recognition system. Instead, the attackers simply comb through user pictures (with a script designed to grab the most recent 100) looking for selfies that can be used to approximate facial data. Failing that, they may attempt to social engineer the victim into engaging in a video chat.

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, expands on this layer of protection for the internal facial data storage of phone operating systems: “Facial recognition data on smartphones is encrypted and stored in a secure area of the processor, such as a Secure Enclave or Trusted Execution Environment, which isolates it from the device’s main operating system and applications to prevent unauthorized access. This data is anonymized, converting facial features into a mathematical model rather than storing actual images, and is kept locally on the device to minimize the risk of external breaches. Despite these security measures, risks remain, particularly if the device is physically compromised or if vulnerabilities within the device’s security hardware or software are exploited by sophisticated attackers. Furthermore, the potential for unauthorized access by malicious apps due to permissions mismanagement or software flaws poses a continuous threat, emphasizing the need for ongoing vigilance and regular security updates to mitigate these risks.”

Facial data used to bypass mobile banking security checks

Thailand and Vietnam may be a special focus for the trojan malware due to their banking laws. Just about a year ago, Thailand began requiring its banks to use facial data to confirm identity for transactions of over 50,000 baht or for a total of over 200,000 baht per day (roughly $1,400 and $5,600 respectively). The State Bank of Vietnam has announced plans to require facial data verification for all transactions starting April 2024, and many residents have already switched to the new system.

GoldFactory is thought to have been active with its mobile banking schemes since at least June 2023. Group-IB believes that the confidence scheme it runs to get victims to install the trojan malware may well involve a phony call center staffed by fluent speakers of the Thai and Vietnamese languages to provide an air of authenticity. The scheme reportedly begins with the fraudsters posing as some sort of government authority and contacting the victim via call or SMS about some sort of service. The approach has varied with different victims and nationalities: in one example, an attacker claims that Thai pensioners need to install a new digital app to continue receiving their payments; in another, the victim is promised a tax refund on electricity bills in exchange for accepting a malicious MDM profile.

With its prior malware, the scammers apparently talked the victim into manually installing it as some sort of legitimate software. The approach with GoldPickaxe appears to have shifted to simply convincing them to visit an attack URL that automatically downloads and installs the trojan to a device. While the trojan malware has not yet made it onto the official app stores, the attackers use links that appear to lead to legitimate Google Play pages. The full scam has not yet been documented in detail, because the attackers always take care to wipe out the victim’s SMS history after they compromise the device.

Jason Soroko, Senior Vice President of Product at Sectigo, sees this incident as an illustration of the insufficiency of biometric scans as a total replacement for passwords: “Biometric authentication should rarely be used as a sole form of authentication. It is a very handy PIN code replacement in most cases. Why isn’t it more secure? It’s because your fingerprints, your face and your voice are not secrets. In the case of the GoldPickaxe malware, what is novel here is the recording of video in order to create deepfakes of the victim, in order to cause further social engineering. This is a scary development, but it is not surprising. Deepfakes are very effective in social engineering. It should be noted that the trojan mobile application that is installed by the victim has been made available via a fake Google Play store, and for iOS devices, the victim needs to utilize unusual installation methods. I suspect this means that Android users are targeted for this attack more than iOS for this reason but everyone should be aware to not be convinced to install fake applications.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, sees numerous security lessons to be taken from this incident: “To guard against sophisticated cyber threats, security teams and individuals should take a multifaceted approach. This includes educating users on the dangers of downloading apps from non-official sources and the need to verify communications from supposed authoritative entities. It’s important to use official app stores, be cautious with app permissions, and employ multi-factor authentication to add a layer of security beyond biometric measures. Implementing security solutions that can identify and thwart advanced malware is crucial, as is keeping operating systems and applications updated with the latest security patches. Encouraging the use of encrypted communication and secure networks can help protect data, and for organizations, mobile device management policies can enable monitoring and control over corporate devices to mitigate risks effectively.”

Ted Miracco, CEO at Approov, adds the following recommendations: “There are several things that can be done to prevent these kinds of attacks. Endpoint detection and response (EDR) and runtime application self-protection (RASP) are solutions specifically designed for mobile devices to detect and respond to malicious activity in real time. It’s extremely unlikely that ‘GoldPickaxe’ will slow facial recognition development, however, it serves as a wake-up call for responsible development and implementation of security mechanisms to detect deep fakes and other fraud.”