GoldPickaxe Malware Harvests Personal and Facial Biometric Data to Scam Victims
In a first for iOS devices, security researchers have identified a new banking trojan dubbed ‘GoldPickaxe’ that can be used to create deepfakes from stolen facial biometrics.
Available for both Android and iOS devices, the new malware strain is suspected to belong to ‘GoldFactory,’ a Chinese threat group responsible for ‘GoldDigger’ and ‘GoldKefu’ malware strains. According to researchers at Group-IB, the current targets are mainly victims in the APAC region, particularly Vietnam and Thailand.
Active since October 2023, the malware uses various social engineering techniques, including impersonating government and banking organizations to lure victims into sharing personal information.
According to Thailand Banking Sector CERT (TB-CERT), the threat actors pose as legitimate government agencies or officials to trick victims into installing fraudulent apps.
For instance, trojan-laden Android apps such as ‘Digital Pension,’ promoted via the popular messaging app LINE, are installed either from fake corporate websites or from fake Google Play websites.
The distribution chain for iOS devices is different. There, the cybercriminals leveraged Apple’s TestFlight platform, or lured victims into installing a Mobile Device Management (MDM) profile through fraudulent websites. These tactics and techniques helped the attackers gain control over the targets’ devices.
Once installed, the malware “prompts the victim to record a video as a confirmation method in the fake application. The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services,” Group-IB revealed.
Additional capabilities attributed to the malware include intercepting SMS messages, collecting personal data, requesting identity documents, and proxying traffic through the target’s device.
Group-IB researchers believe that the facial recognition data is ultimately used to access the victim’s bank account. They also believe that, rather than the target’s device, the attackers use their own devices to commit the fraud. This assessment was further corroborated by the Thai police.
In conclusion, the security researchers stated that GoldFactory has “well-defined processes, operational maturity, and demonstrate an increased level of ingenuity. Their ability to simultaneously develop and distribute malware variants tailored to different regions shows a worrying level of sophistication.”