A new malware by the name of GoldPickaxe is affecting Android and iOS devices in a big way. Spotted by Group-IB (via BleepingComputer), the GoldPickaxe malware tricks users into installing fraudulent apps and scanning their faces and ID documents. This sensitive information is then used to create deepfakes that allow the threat actors to gain unauthorized access to your banking app.
The GoldPickaxe malware is developed by GoldFactory, a Chinese hacker group that's also responsible for GoldDigger, GoldDiggerPlus, and GoldKefu malware. Right now, the group seems to be primarily targeting Thailand and Vietnam, but these techniques could be used to target other countries, either by GoldFactory or other malicious groups.
With that said, here's how the GoldPickaxe malware works and what to be cautious of over the next few months.
How GoldPickaxe malware works on Android and iOS
Between June 2023 and now, the GoldFactory malware group has distributed multiple threat packages, most of which targeted only Android users. However, its newest GoldPickaxe malware that started in Oct. 2023 targets both Android and iOS users.
Currently, victims are being targeted through phishing or smishing messages on the LINE app, which is a popular messaging app in Japan, Taiwan, and Thailand. These messages—written in the user's local language—impersonate government authorities and con victims into installing fraudulent apps, like the Digital Pension app below, from websites that look like Google Play.
The GoldPickaxe malware can target iPhone users in two ways. First, it directs victims to open a TestFlight URL that installs a legitimate TestFlight app in addition to the malware. If the TestFlight method doesn't work, the GoldFactory group sends out a malicious Mobile Device Management (MDM) profile, and if the iPhone user downloads it, the threat group gains control over the device.
Once someone has unknowingly installed the trojan horse, it can read incoming SMS messages, control background functions on the phone, request ID documents, and capture the victim's face. BleepingComputer points out that "use of the victims' faces for bank fraud is an assumption by Group-IB," but this is "corroborated by the Thai police."
Despite the fact that the GoldPickaxe malware can capture the faces of its victims and steal images, it can't access your official biometric data on Android or iOS. Your biometric data is encrypted and kept separate from running apps.
According to Group-IB, Android users are at a higher risk than iOS users, partly because Apple has higher security restrictions and partly because GoldPickaxe uses over 20 different fake apps on Android. Plus, with the iOS 17 update, these 3 game-changing security features were added to many iPhones.
Update 2/16/2024: A Google spokesperson offered this comment in regard to the threat posed by GoldPickaxe malware: "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."