The cybersecurity firm Group-IB has exposed the first iOS trojan capable of stealing users' facial recognition data and identity documents. Known as GoldPickaxe.iOS, this trojan is also designed to intercept SMS messages. The cybersecurity company's Threat Intelligence unit has identified this malware as a creation of a Chinese-speaking threat actor dubbed GoldFactory.

GoldFactory has been linked with the creation of a comprehensive arsenal of sophisticated banking trojans, including GoldDigger, GoldDiggerPlus, GoldKefu, and GoldPickaxe for Android. It's worth noting that it's not just personal information that this cybercriminal group is after. They use stolen biometric data in a novel way, by using AI face-swapping services to generate deepfakes replacing their own faces with those of their victims. This method, as yet unseen by Group-IB researchers, could enable cybercriminals to gain illicit access to their victims' banking accounts.

These highly advanced malware GoldFactory Trojans primarily focus their targets on the Asia-Pacific region, specifically Thailand and Vietnam. They impersonate local banks and government organisations to carry out their illicit activities. According to Group-IB, the discovery of GoldPickaxe.iOS is a rare instance of malware specifically targeting Apple's mobile operating system.

Dating back to October 2023, the initial discovery of GoldDigger suggested that its malicious activities would expand beyond Vietnam. Within less than a month, Group-IB's Threat Intelligence unit recognised a new iOS malware variant targeting victims from Thailand, later identified as GoldPickaxe.iOS. The GoldPickaxe for Android followed.

In February 2024, one Vietnamese citizen fell victim to this malware. The individual ended up carrying out operations requested by a malicious application, including a facial recognition scan. This allowed cybercriminals to withdraw the equivalent of more than 40,000 USD. Group-IB suspects that GoldPickaxe has now reached Vietnam.

GoldPickaxe.iOS masquerades as Thai government service apps and requests user information, seeking to build a comprehensive facial biometric profile and record Identity Card details. Additionally, the threat actor requests the phone number of victims. This detailed information is solicited to gather information about the banking accounts associated with the victim.

Instead of stealing money directly from the victims' phones, GoldPickaxe collects all necessary information to create video deepfakes and autonomously access victims' bank accounts. Facial recognition is widely used by Thai financial organisations for transaction verification and login authentication. Group-IB researchers suggest that GoldFactory employs their own, presumably Android, devices to log into victims' bank accounts using the captured face scans to bypass facial recognition checks. This assumption has been confirmed by the Thai police.

Andrey Polovinkin, a Malware Analyst at Group-IB's Threat Intelligence team, suggests that GoldFactory's surge in mobile trojans targeting the Asia-Pacific region indicates the group's "well-defined processes and operational maturity". They are continually enhancing their toolset to suit the environment that they target, showcasing a high proficiency in malware development. "It appears imminent that GoldPickaxe will soon reach Vietnam’s shores while its techniques and functionality will be actively incorporated into malware targeting other regions," says Polovinkin.

For banks and financial organisations, Group-IB experts recommend implementing a user session monitoring system, such as Group-IB's Fraud Protection, to detect the presence of malware and block anomalous sessions before any personal information is entered. For end-users, it is recommended to avoid clicking on suspicious links, use official app stores for downloading applications and review the permissions of all apps.