Group-IB unveils first iOS trojan stealing your face

  • Chinese-speaking threat actor codenamed GoldFactory, responsible
  • AI face-swapping services to create deepfakes by replacing their faces with the victims

Group-IB unveils first iOS trojan stealing your face

Group-IB, a creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has reported uncovering a new iOS Trojan, which it has dubbed GoldPickaxe.iOS, designed to steal users’ facial recognition data, identity documents, and intercept SMS. The Trojan has been attributed to a Chinese-speaking threat actor codenamed GoldFactory, responsible for developing a suite of highly sophisticated banking Trojans that also includes the earlier discovered GoldDigger and newly identified GoldDiggerPlus, GoldKefu, and GoldPickaxe for Android.

To exploit the stolen biometric data, the threat actor utilizes AI face-swapping services to create deepfakes by replacing their faces with those of the victims. This method could be used by cybercriminals to gain unauthorized access to the victim’s banking account – a new fraud technique, previously unseen by Group-IB researchers. The GoldFactory Trojans target the Asia-Pacific region, specifically — Thailand and Vietnam impersonating local banks and government organizations.

Group-IB’s discovery also marks a rare instance of malware targeting Apple’s mobile operating system. The detailed technical description of the Trojans, an analysis of their technical capabilities, and the list of relevant indicators of compromise can be found in Group-IB’s latest blog post.

The new age of the gold rush in the Asia-Pacific

Group-IB’s report about GoldDigger released in Oct 2023 suggested that the expansion of GoldDigger would extend beyond Vietnam. Within less than a month, Group-IB’s Threat Intelligence unit identified a new iOS malware variant targeting victims from Thailand, subsequently named GoldPickaxe.iOS. Along with the iOS Trojan, the Group-IB team identified an Android version of GoldPickaxe, named GoldPickaxe.Android.

“The surge in mobile trojans targeting the Asia-Pacific region can be attributed to GoldFactory,” says Andrey Polovinkin, Malware Analyst, Threat Intelligence team, Group-IB. “The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment showcasing a high proficiency in malware development. The discovery of a sophisticated iOS Trojan highlights the evolving nature of cyber threats targeting the Asia-Pacific region. In our assessment, it appears imminent that GoldPickaxe will soon reach Vietnam’s shores, while its techniques and functionality will be actively incorporated into malware targeting other regions.”

In fact, in Feb 2024, news emerged that a Vietnamese citizen fell victim to malware. The individual carried out the operations requested by the application, including a facial recognition scan. As a result, cybercriminals withdrew money equivalent to more than US$40,000 (RM191,770). While Group-IB doesn’t have direct evidence of GoldPickaxe’s distribution in Vietnam, the unique feature mentioned in the news suggests that GoldPickaxe has most likely reached Vietnam.

Overall, Group-IB identified four Trojan families and maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by GoldFactory.

Group-IB unveils first iOS trojan stealing your face

The Pickaxe effect

GoldPickaxe.iOS disguised as Thai government service apps (including the Digital Pension app)  requests the user to create a comprehensive facial biometric profile and take a photo of their identity card. Additionally, the threat actor requests the phone number to get more details about the victims, specifically seeking information about banking accounts associated with the victim.

The distribution strategy adopted by GoldPickaxe.iOS stands out. Initially leveraging Apple’s mobile application testing platform, TestFlight, the threat actor shifted to a more advanced approach post-removal of their malicious app from the platform. Group-IB researchers note that the threat actor doesn’t exploit any vulnerabilities. Instead, GoldFactory employs a multi-stage social engineering scheme to manipulate victims into granting all the necessary permissions, enabling the installation of malware. Through this scheme, victims were persuaded to install a Mobile Device Management (MDM) profile, granting the threat actor complete control over their devices. MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and gain the information they need.

It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices. Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.

GoldPickaxe doesn’t directly steal the money from the victim’s phone. Instead, it collects all the necessary information from the victim to create video deepfakes and autonomously access the victim’s banking application. Facial recognition is actively used by Thai financial organizations for transaction verification and login authentication. During the research, Group-IB established that the Trojan unequivocally possesses the capability to prompt victims to scan their faces and submit ID photos. Nevertheless, Group-IB researchers have not observed documented cases of cybercriminals utilizing this stolen data to gain unauthorized access to victims’ bank accounts in the wild. Group-IB’s hypothesis suggests that the cybercriminals are using their own, allegedly Android, devices to log into victims’ bank accounts. The Thai police confirmed Group-IB’s assumption, stating that cybercriminals are installing banking applications on their own Android devices and using captured face scans to bypass facial recognition checks and carry out unauthorized access to victim accounts.

GoldDigger family grows

After the initial discovery of the GoldDigger Trojan in June 2023, Group-IB’s Threat Intelligence unit has identified a new advanced variant of this Android malware – GoldDiggerPlus. Its first known sample detected in September 2023 had an embedded second Trojan inside that Group-IB named GoldKefu as “kefu” means customer service in Chinese and this string appears in its codes recurrently. GoldDiggerPlus and Kefu work in tandem to execute their full capabilities.

In contrast with GoldDigger which relies on Accessibility Service, GoldDiggerPlus and GoldKefu use web fakes impersonating 10 Vietnamese banks to collect banking credentials. GoldKefu checks if the most recently opened application on the infected device belongs to the list of targeted banking apps and a fake overlay login page that mimics a legitimate application will be launched instead if a match is found. Notably, GoldKefu also allows cybercriminals to send victims fake alerts and call them in real time, said Group-IB.

When the victim clicks on the contact customer service button fake alert, GoldKefu checks if the current time falls within the working hours of the cybercriminals. If it does, the malware will try to find a free operator to call through. Thus, it is believed that GoldFactory might be engaging operators proficient in Thai and Vietnamese or even possibly running a call center.

Who is striking gold?

Group-IB attributes the entire threat cluster to a single, highly sophisticated Chinese-speaking threat actor dubbed GoldFactory. Debugging strings in Chinese were found throughout all the malware variants and their C2 panels were also in Chinese.

Describing GoldFactory as a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection, Group-IB said the team comprises separate development and operator groups dedicated to specific regions.

The announcement of Thailand’s policy on facial biometric verification, released in March 2023 and enforced by July, coincided with the discovery of the earliest traces of GoldPickaxe in early Oct. A mere three months was enough for the group to research, develop, and test new facial recognition data collection features.

Additionally, Group-IB researchers found similarities between the gang’s malware and Gigabud – a disruptive banking trojan targeting Thailand, Vietnam as well as some countries in Latin America. However, there is not enough evidence to attribute the initial development of Gigabud to GoldFactory at this point, and, according to Group-IB researchers, GoldFactory is most likely involved in its distribution.

For a detailed examination of GoldFactory’s tactics, techniques, and procedures, along with the list of indicators of compromise, visit Group-IB’s fresh blog post.

For banks and financial organizations, Group-IB experts recommend implementing a user session monitoring system to detect the presence of malware and block anomalous sessions before the user enters any personal information. Recommendations for end-users are as follows: avoid clicking on suspicious links, use official app stores to download applications, review the permissions of all apps, avoid adding unknown contacts, verify the legitimacy of bank communications, and act promptly if fraud is suspected by contacting your bank.