Cybercriminals are targeting iOS users with malware that steals Face ID scans to break into and steal money from bank accounts – believed to be a world first.
A Chinese cybercrime group, dubbed GoldFactory by Group-IB researchers, began distributing Trojanized smartphone apps in June 2023, but the latest version of GoldPickaxe has been around since October.
GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same controls used by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.
The iOS version is believed to only target users in Thailand, posing as the official Thai government pensions digital app. That said, some believe it also made its way to Vietnam. Indeed, very similar attacks, leading to the theft of tens of thousands of dollars, have been reported in the region earlier this month.
“It should be noted that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB which combines the following functionalities: collection of victims’ biometric data, identity documents, interception of SMS and proxying of traffic via victims’ devices,” the researchers said.
“Its Android sibling has even more features than its iOS counterpart, due to more restrictions and the closed nature of iOS.”
Although Android malware is more common, given that the platform allows users to download applications more freely, the iOS discovery surprised researchers even more, given the tighter security controls on Apple’s platform.
The Android infection chain was simpler than that of the iOS version, with the malicious apps simply available for download through a fake but seemingly legitimate copy of the Google Play Store.
Researchers also found that the Android version had many more disguises than the iOS version – taking the form of more than 20 different government, financial and utility organizations in Thailand, and allowing attackers to steal the credentials of all these services.
How did they get on Apple phones?
In the case of iOS, the attackers must have been cunning. Their first method involved abusing Apple’s TestFlight platform, which allows apps to be distributed in beta before their full release on the App Store.
Once this method was blocked, the attackers moved on to more sophisticated social engineering. This involved tricking users into enrolling their devices in a mobile device management (MDM) program, which allowed the attackers to push malicious apps to the enrolled devices.
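A defender-side check that fits this step is to inspect an iOS configuration profile (a `.mobileconfig` plist) before it is installed and flag MDM enrollment payloads that hand device management to a server outside the organisation’s allowlist. The script below is an added example written for this article, not code from The Register or from Group-IB; the sample profile, the hostnames and the allowlist are constructed placeholders and not indicators from the report.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for MDM enrollment
payloads that point at servers outside a trusted allowlist.

Added example, not from the article or Group-IB.  The sample profile and
all hostnames below are constructed placeholders.
"""
import plistlib
from urllib.parse import urlparse

# Constructed sample profile: one MDM payload, full access rights, and the
# user is not allowed to remove it.  Hostnames are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.pension.profile</string>
  <key>PayloadDisplayName</key><string>Pension Service Enrollment</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.pension.mdm</string>
      <key>ServerURL</key><string>https://mdm.example-placeholder.test/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example-placeholder.test/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed allowlist of MDM hosts the organisation actually operates.
TRUSTED_MDM_HOSTS = {"mdm.corp.example"}

# AccessRights is a bitmask of 13 management rights (install/remove profiles,
# erase device, query apps, manage settings, ...).  8191 = 2**13 - 1 sets all.
FULL_ACCESS_RIGHTS = 8191


def inspect_profile(profile_bytes, trusted_hosts=TRUSTED_MDM_HOSTS):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    profile = plistlib.loads(profile_bytes)

    # A profile the user cannot remove is a strong signal on an unmanaged device.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile: PayloadRemovalDisallowed is set")

    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue  # only MDM enrollment payloads are of interest here
        ident = payload.get("PayloadIdentifier", "<no id>")

        # Both management endpoints must be HTTPS and on an allowlisted host.
        for key in ("ServerURL", "CheckInURL"):
            url = payload.get(key)
            if not url:
                findings.append(f"{ident}: missing {key}")
                continue
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append(f"{ident}: {key} is not HTTPS ({url})")
            if parsed.hostname not in trusted_hosts:
                findings.append(f"{ident}: {key} points at untrusted host {parsed.hostname}")

        # Enrollment that asks for every management right deserves a look.
        rights = payload.get("AccessRights", 0)
        if rights & FULL_ACCESS_RIGHTS == FULL_ACCESS_RIGHTS:
            findings.append(f"{ident}: requests full MDM access rights ({rights})")

    return findings


if __name__ == "__main__":
    for finding in inspect_profile(SAMPLE_PROFILE):
        print(finding)
```

Run against the constructed profile, the check reports the disallowed removal, both management URLs on an unlisted host, and the full access-rights mask. Substituting the placeholder host into the allowlist leaves only the two findings about the profile itself, which is the point of separating “who controls the device” from “what they are allowed to do”.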
In all cases, the first contact with the victims was made by the attackers posing as government authorities on the LINE messaging app, one of the most popular in the region.
For example, in some cases in November, criminals posed as officials from the Thai Ministry of Finance and offered retirement benefits to victims’ elderly parents.
From there, victims were socially engineered into downloading GoldPickaxe through various means.
Once the biometric scans were captured, the attackers then used these scans, along with deepfake software, to generate models of the victim’s face.
The attackers would download the target banking app onto their own devices and use the deepfake models, along with stolen identity documents and intercepted SMS messages, to remotely break into victims’ banks.
Deepfake technology has largely been a hypothetical threat for information security professionals for years, but GoldPickaxe is another reminder that the technology is now mature enough to be used in real-world attacks and will probably be abused for years to come.
Facial biometrics only became mandatory in Thailand last year, with plans first announced in March and an implementation date set for July. Vietnam is set to impose similar controls by April this year.
From July 2023, all Thai banking apps were required to comply with the new initiative and replace one-time passcodes with facial biometrics to reduce the threat of financial fraud in the region. This specifically applied to transactions exceeding 50,000 baht (approximately $1,400).
This means the GoldFactory group was able to develop a tailor-made bypass for this new security initiative in just a few months, highlighting the attackers’ capabilities and skills.
“GoldFactory is an ingenious team, which has many tricks up its sleeve: identity theft, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity data harvesting and facial recognition,” the researchers said.
“Equipped with various tools, they have the flexibility to select and execute the one that best suits the scenario. They are a strategic and well-orchestrated team.
“They are aware of their target environment and are constantly improving their toolset to suit their target environment. Their developers also demonstrate their relatively high software development skills.”
The Gold malware family
GoldPickaxe is the latest iteration of the numerous Trojans developed by the GoldFactory crime group.
The first one – GoldDigger – was spotted in June 2023 and primarily acted as a traditional Android banking Trojan used to control a victim’s device.
GoldDigger and GoldPickaxe share code, but have different primary goals. The former focuses on collecting banking credentials, while the latter steals personal information including captures of faces, identity documents, etc.
GoldDiggerPlus followed in September, adding additional, sophisticated features to the base GoldDigger Trojan, including the GoldKefu APK, used in conjunction with GoldDiggerPlus.
“Unlike GoldDigger which primarily relies on the accessibility service, GoldDiggerPlus and GoldKefu use webfakes to harvest credentials or make targeted scam calls. We conclude that the primary goal of GoldDiggerPlus is to authenticate from the C2 server, to perform automated clicks when permissions are requested, record the screen, and broadcast the stream via Real-Time Messaging Protocol (RTMP),” the researchers said.
“It also provides an improvement over GoldDigger in the area of granting permissions. It now takes a more modular and controlled approach, this permission is requested and granted when the C2 issues the command. It does not grant all permissions at the same time like GoldDigger.”
A notable feature of GoldKefu is its integration of the Agora SDK, enabling real-time video and voice calls. Attackers can then initiate calls with victims while posing as legitimate customer support representatives of the brands they are impersonating.
Attackers can send fake alerts to app users warning them that 3 million baht has been transferred from their account and prompting them to contact their bank if the transaction is unauthorized.
Other warnings include fake error messages that appear when the Trojan prevents banking apps from opening, prompting users to contact their bank to “unblock their account.”
These alerts feature a one-touch “contact” button which, if pressed during the working hours set by the cybercriminals, will initiate a call with the criminals, who are essentially operating a fraudulent banking call center to harvest additional information.
The Android version of the newest GoldPickaxe is believed to be an updated version of GoldDiggerPlus, which also includes the GoldKefu APK file.
The iOS version lacks these expanded capabilities due to the closed nature of Apple’s iOS platform, the researchers said.
“The adaptability of these cyber adversaries is remarkable, as evidenced by the evolution of their fraudulent schemes,” said Group-IB. “In addition to refining the capabilities of the original GoldDigger malware, they introduced a new category of malware families specialized in collecting facial recognition data. They also developed a tool that facilitates direct communication between victims and cybercriminals posing as legitimate banking call centers.
“In conclusion, the relentless evolution of cybercriminal tactics, exemplified by the sophistication of the GoldFactory malware, highlights the critical need for a proactive, multi-faceted approach to cybersecurity, including user education and integrated modern security approaches to proactively detect the appearance of new Trojans and notify end users.” ®