New ‘Gold Pickaxe’ Android, iOS malware steals your face for fraud

A newly identified malware family named “Gold Pickaxe” is targeting Android and iOS users, using social engineering rather than exploits to collect facial images and ID documents. The stolen images are believed to be used to produce deepfakes that defeat the facial-recognition checks banks apply to larger transactions.

Discovered by cybersecurity firm Group-IB, Gold Pickaxe is the latest addition to a suite of malware developed by the Chinese threat group ‘GoldFactory’, which includes other strains like ‘GoldDigger’, ‘GoldDiggerPlus’, and ‘GoldKefu’.

Starts with Social Engineering Attacks

Gold Pickaxe’s distribution began in October 2023 and continues to spread. This malware is part of the GoldFactory campaign that started in June 2023 with GoldDigger. The malware targets victims through phishing or smishing messages on the LINE app, a popular messaging platform in the Asia-Pacific region, particularly in Thailand and Vietnam.

These messages, written in the local language, impersonate government authorities or services to deceive users into installing fraudulent apps.

For Android users, the deceptive messages prompt them to download apps like a fake ‘Digital Pension’ app from websites mimicking Google Play. iOS users, on the other hand, were initially directed to a TestFlight URL to install the malicious app, a beta-distribution channel that sidesteps the full App Store review.

However, after Apple removed the TestFlight app, the attackers adapted by instructing victims to download and install a malicious Mobile Device Management (MDM) profile. Once a device is enrolled, the attackers’ MDM server can push apps and settings to it, giving them remote control over the device.
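A configuration profile is just a property list, so the enrollment it grants can be read before anyone taps “Install”. The following Python example, added here for this article and not code from Group-IB or from the campaign, parses an unsigned .mobileconfig, finds the MDM payload, checks the enrollment hosts against an allow-list, and decodes the AccessRights bitmask using the bit values from Apple’s MDM protocol reference. The sample profile and every host name in it are constructed for illustration; the real lure profiles were not published with this article.

```python
"""Inspect an iOS configuration profile (.mobileconfig) before trusting it.

Added example for this article; not code from Group-IB or from the malware.
The sample profile below is constructed and its host names are invented.
"""
import plistlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# AccessRights bit values as documented in Apple's MDM protocol reference.
# Bits 2 and 4096 matter most here: together they let the MDM server push
# arbitrary profiles and apps, which is what turns a profile into a takeover.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample in the shape of a lure profile. Nothing here is taken
# from the real campaign; "pension-gov-login.example" is an invented host.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.digital-pension",
    "PayloadUUID": "6E0E9A20-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Digital Pension",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.digital-pension.mdm",
            "PayloadUUID": "6E0E9A20-0000-4000-8000-000000000002",
            "ServerURL": "https://pension-gov-login.example/mdm",
            "CheckInURL": "https://pension-gov-login.example/checkin",
            "Topic": "com.apple.mgmt.External.example",
            "IdentityCertificateUUID": "6E0E9A20-0000-4000-8000-000000000003",
            "AccessRights": 8191,  # every documented right set
        }
    ],
})


@dataclass
class ProfileReport:
    has_mdm: bool = False
    servers: list = field(default_factory=list)
    rights: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def inspect_profile(data: bytes, trusted_hosts: set) -> ProfileReport:
    """Parse an unsigned .mobileconfig and flag MDM enrollment to unknown hosts.

    A signed profile is a CMS blob wrapping the plist; it would have to be
    unwrapped (and its signer checked) before this function sees it, which
    this example deliberately leaves out.
    """
    report = ProfileReport()
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        report.has_mdm = True
        for key in ("ServerURL", "CheckInURL"):
            url = payload.get(key)
            if not url:
                continue
            host = urlparse(url).hostname or ""
            report.servers.append(host)
            if host not in trusted_hosts:
                report.warnings.append(f"{key} points at untrusted host {host}")
        rights = int(payload.get("AccessRights", 0))
        report.rights = [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]
        if rights & 2 and rights & 4096:
            report.warnings.append(
                "server may silently install profiles and apps (AccessRights 2|4096)")
    return report


if __name__ == "__main__":
    rep = inspect_profile(SAMPLE_PROFILE, trusted_hosts={"mdm.corp.example"})
    for w in rep.warnings:
        print("WARNING:", w)
    print("MDM rights granted:", ", ".join(rep.rights))
```

The allow-list is the whole point: a profile that enrolls a phone with a server your organization does not operate is hostile regardless of what the display name says, and a profile granting both profile installation and app management gives that server the same reach the article attributes to the attackers’ MDM.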

Gold Pickaxe Capabilities

Once installed, Gold Pickaxe operates semi-autonomously, performing various malicious activities on the infected devices. Its capabilities include:

  • Capturing Facial Images and ID Documents: The malware prompts the victim, under a pretext, to record a video of their face and to photograph their ID documents.
  • Intercepting SMS Messages: It can intercept incoming SMS messages, including one-time codes.
  • Proxying Network Traffic: The malware uses ‘MicroSocks’ to proxy network traffic through the infected device.
  • Receiving C2 Commands: On iOS devices, it establishes a web socket channel to receive and execute commands from a command and control (C2) server, such as:
      • Heartbeat: Ping the C2 server.
      • Init: Send device information to the C2.
      • Upload_idcard: Request the victim to take an image of their ID card.
      • Face: Request the victim to take a video of their face.
      • Upgrade: Display a bogus “device in use” message to prevent interruptions.
      • Album: Sync and exfiltrate the photo library data to a cloud bucket.
      • Again_upload: Retry exfiltration of the victim’s face video to the bucket.
      • Destroy: Stop the trojan.

Commands arrive over that web socket channel, while the stolen data is sent back to the C2 through HTTP requests. The Android version of Gold Pickaxe has more extensive capabilities than the iOS version, since Android permits far more of a sideloaded app’s behaviour than iOS does. On Android, the malware operates under the guise of over 20 different bogus apps and can:

  • Access SMS messages.
  • Navigate the filesystem.
  • Perform clicks on the screen.
  • Upload the 100 most recent photos from the victim’s album.
  • Download and install additional packages.
  • Serve fake notifications.

Group-IB and Thai police have suggested that the captured facial images are likely used for bank fraud, as many financial institutions have introduced biometric checks for transactions above certain amounts.

While Gold Pickaxe can steal images and videos of the victim’s face through social engineering, it does not hijack Face ID data or exploit any vulnerabilities in the mobile operating systems. Biometric templates never leave the device’s secure enclave: they remain encrypted and isolated from running apps, which only ever receive a pass-or-fail result from an authentication attempt.

Google has responded to the threat by assuring that Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if those apps come from sources outside the Play Store.

The emergence of Gold Pickaxe underscores the evolving tactics of cybercriminals and the importance of remaining vigilant against social engineering attacks. Users are advised to be cautious about unsolicited messages and to install apps only from trusted sources to mitigate the risk of malware infection.

By Dale John
