iOS Trojan Can Collect Facial ID Data and Intercept Messages from iPhone - Group-IB

February 19, 2024

A sophisticated mobile trojan, named GoldPickaxe.iOS, has been discovered with the specific objective of targeting iOS users, reports Group-IB. The GoldPickaxe family, derived from the GoldDigger Android Trojan, includes versions for both Android and iOS and has passed through frequent updates to improve performance and evade detection.

Group-IB researchers have found that GoldPickaxe can collect facial recognition data and identity documents and intercept SMS messages. The Android version of GoldPickaxe shares similar capabilities with the iOS version; however, the Android version also exhibits the characteristics typical of Android trojans.

The threat actors employ AI-driven face-swapping services to generate deepfake images from the acquired data. When the collected facial data is combined with ID documents and intercepted messages, it reportedly allows cybercriminals to gain unauthorized access to the victim's bank accounts, an innovative approach to monetary theft.

Decoding GoldPickaxe’s Genesis

The recently identified GoldPickaxe employs a distinctive distribution strategy. At first, the threat actors utilized TestFlight, Apple's mobile app testing platform, to distribute the malware. Following the removal of the malicious app from TestFlight, the threat actors moved to a more advanced approach, employing a multi-stage social engineering scheme to coax victims into installing a Mobile Device Management (MDM) profile. Consequently, the threat actor acquired complete control over the victim's device.

GoldFactory Targets Victims Beyond APAC Borders

A single threat actor, named GoldFactory, bears the responsibility for developing this sophisticated suite of mobile banking malware, the source says.

The majority of those who fell victim to this malware are concentrated in the Asia-Pacific region (APAC). Although the current evidence suggests a particular focus on two APAC countries, Vietnam and Thailand, there are emerging indications that GoldFactory's operational territory might extend beyond these countries.

October 2023 Findings on Android Trojan

In October 2023, Group-IB released a report detailing a previously unknown Android Trojan, designed to target more than 50 financial institutions, e-wallets, and cryptocurrency wallets in Vietnam, potentially stealing their funds. The Trojan has been in operation since June 2023 at the latest.

Operating under the guise of a portal developed by the Government of Vietnam and an energy firm, the malicious app abuses the Android Accessibility Service to acquire personal information, steal banking app credentials, intercept SMS, and perform diverse user commands.

To prevent such threats, everyone should keep their mobile applications updated, check the permissions an application demands, and avoid downloading apps from sources other than the Google Play Store.
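The Android trojan described above relies on two things a reviewer can see before an app is ever run: a declared accessibility service and SMS permissions. The script below, an added example that is not part of the Group-IB report or this article, audits an AndroidManifest.xml for exactly that combination. The manifests, package names and service names are constructed for illustration; the permission names are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that map to the capabilities described in the article
# (SMS interception, harvesting personal data, pulling further payloads).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, including one-time passcodes",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload additional packages",
}
# An accessibility service must require this permission to be bound by the system.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml: str) -> dict:
    """Return the sensitive permissions and accessibility services a manifest declares."""
    root = ET.fromstring(manifest_xml)
    findings = {"package": root.get("package"), "permissions": [], "accessibility_services": []}
    for node in root.iter("uses-permission"):
        name = node.get(ATTR_NAME)
        if name in SENSITIVE_PERMISSIONS:
            findings["permissions"].append((name, SENSITIVE_PERMISSIONS[name]))
    for svc in root.iter("service"):
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(svc.get(ATTR_NAME))
    return findings


def risk_level(findings: dict) -> str:
    """An accessibility service plus SMS access is the pairing described in the article."""
    sms = any(name.endswith("_SMS") for name, _ in findings["permissions"])
    if findings["accessibility_services"] and sms:
        return "high"
    if findings["accessibility_services"] or findings["permissions"]:
        return "medium"
    return "low"


# Constructed manifest modelled on an app posing as a government portal (hypothetical package).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeportal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Citizen Portal">
        <service android:name="com.example.fakeportal.OverlayService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest for an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(manifest)
        print(result["package"], "->", risk_level(result))
        for name, why in result["permissions"]:
            print("  permission:", name, "-", why)
        for svc in result["accessibility_services"]:
            print("  accessibility service:", svc)
```

The same check can be run over a manifest extracted from an APK with a decoder such as apktool; the point is that the accessibility service and SMS permissions are static declarations, so a sideloaded "portal" app that requests them can be flagged before it is installed.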
