Jessica Alverez

First iOS Trojan Stealing Facial Data Unveiled by Group-IB

Cybersecurity firm Group-IB has exposed the first-ever iOS trojan capable of stealing users' facial recognition data and identity documents and of intercepting SMS messages. Named GoldPickaxe.iOS, the trojan is attributed to GoldFactory, a Chinese-speaking threat actor known for creating advanced banking trojans. GoldFactory employs unusual techniques, including using stolen biometric data to create deepfakes, raising concerns about illicit access to victims' banking accounts.


GoldFactory's Malicious Arsenal: GoldFactory, a threat actor previously linked to banking trojans like GoldDigger and GoldKefu, has expanded its sophisticated malware arsenal to target iOS users with GoldPickaxe.iOS. This trojan, designed for the Asia-Pacific region, particularly Thailand and Vietnam, stands out as a rare instance of malware specifically crafted for Apple's mobile operating system.


Advanced Techniques and Deepfake Creation: GoldPickaxe.iOS goes beyond traditional data theft by feeding stolen facial recognition data into AI face-swapping services. This lets the criminals generate deepfakes in which their own faces are replaced with those of victims. This novel use of deepfakes could facilitate unauthorized access to victims' banking accounts, posing a new level of threat in the cyber landscape.


Targeting Thai Victims: The trojan masquerades as Thai government service apps, deceiving users into handing over personal information, including facial biometrics and identity card details. By collecting this detailed information together with phone numbers, GoldPickaxe.iOS aims to build comprehensive victim profiles that can be used to access bank accounts. Thai financial organizations that rely on facial recognition for authentication are therefore susceptible to this type of attack.


Operational Maturity of GoldFactory: Group-IB notes GoldFactory's well-defined processes and operational maturity, emphasizing the group's continuous enhancement of their toolset to suit the targeted environment. The surge in mobile trojans indicates the group's proficiency in malware development and adaptability to various regions.


Implications and Recommendations: The discovery of GoldPickaxe.iOS highlights the evolving threats in the mobile security landscape. For banks and financial institutions, Group-IB recommends implementing user session monitoring systems such as its Fraud Protection product to detect the presence of malware and block anomalous sessions. End users are advised to exercise caution: avoid suspicious links, install apps only from official app stores, and review the permissions apps request.


Conclusion: GoldFactory's GoldPickaxe.iOS marks a significant development in iOS-targeted malware, introducing deepfake creation and posing unique threats to users' biometric data. As cyber threats continue to evolve, proactive cybersecurity measures and user awareness remain crucial to mitigate risks and safeguard sensitive information in the digital age.
