GoldPickaxe: New Face-Scanning Trojan Threatens iOS and Android Users

Feb 15, 2024 | News


Cybersecurity firm Group-IB has uncovered a new threat to mobile users dubbed ‘GoldPickaxe,’ a trojan employed by the Chinese threat group ‘GoldFactory’ to orchestrate social engineering attacks and potentially perpetrate banking fraud using deepfake technology.

GoldPickaxe, part of the broader GoldFactory malware suite that includes strains like ‘GoldDigger’ and ‘GoldKefu,’ targets both iOS and Android devices and has been observed primarily in phishing campaigns directed at users in the Asia-Pacific region, particularly Thailand and Vietnam.

The modus operandi of GoldPickaxe involves initiating phishing or smishing attacks via messaging platforms like LINE, with messages often masquerading as communications from local government authorities or services. Victims are enticed into downloading fraudulent apps, such as a counterfeit ‘Digital Pension’ app hosted on fake Google Play websites.

[Image: Malicious app hosted on a fake Google Play website. Source: Group-IB]

For iOS users, the attackers initially distributed the malicious app through TestFlight URLs, bypassing the normal App Store review. After Apple removed the app from TestFlight, they pivoted to distributing malicious Mobile Device Management (MDM) profiles, which grant the attackers control over any device on which the profile is installed.

[Image: iOS infection chain. Source: Group-IB]


GoldPickaxe’s Capabilities:

Once installed, GoldPickaxe operates surreptitiously, executing various functions in the background, including capturing the victim’s face, intercepting SMS messages, and proxying network traffic.

Notable capabilities include:

  • Capturing face and ID document images
  • Intercepting SMS messages
  • Proxying network traffic using ‘MicroSocks’
  • Uploading the victim’s data to a cloud bucket
  • Performing commands received from the command and control (C2) server


Android vs. iOS:

Because Apple’s platform restrictions limit what an app can do on iOS, the Android version of GoldPickaxe exhibits more malicious behavior than the iOS version, but both are concerning. On Android, the trojan hides behind more than 20 different bogus apps and can perform additional actions such as reading SMS messages, navigating the filesystem, and displaying fake notifications.

[Image: Face capturing interface. Source: Group-IB]


Banking Fraud Implications

Group-IB suggests that the trojan’s collection of victims’ faces is likely tied to banking fraud, particularly since many financial institutions in the region have introduced facial biometric checks for transactions above a certain threshold.

[Image: Possible bank fraud strategy. Source: Group-IB]


However, it is important to clarify that GoldPickaxe does not hijack Face ID data or exploit vulnerabilities in iOS or Android. Biometric data stored in the secure enclave remains encrypted and isolated from running apps; the trojan instead records the victim’s face and ID documents through its own camera interface, which the victim is tricked into using.


Source: bleepingcomputer.com
