Cybersecurity researchers have discovered a new mobile trojan that literally looks to steal people’s faces to hack into theiraccounts.
The GoldPickaxe trojan steals biometric data and uses it to generate convincing deepfakes which can then be used to break into mobile banking applications, a report from Group-IB says.
GoldPickaxe is available for both Android and iOS, although for the latter, it has fewer features due to the closed nature of the iOS. Still, the existence of the iOS version marks a rare occasion of malware targeting Apple’s mobile operating system, the researchers said.
Thailand and Vietnam at risk
Besides stealing facial recognition data, GoldPickaxe also steals identity documents and intercepts SMS messages, getting more than enough information to break into mobile banking applications. The final step - actually logging into the banking app and withdrawing funds - is not being done on the targets’ devices. Instead, the crooks are installing banking apps on their own devices and logging in from there, Thai police confirmed to the researchers.
The experts believe the group behind the trojan is most likely GoldFactory, a Chinese-speaking threat actor that’s known for building GoldDigger, GoldDiggerPlus, and GoldKefu, all banking trojans.
In this instance, GoldFactory is targeting people in the Asia-Pacific region, with those in Thailand and Vietnam being most at risk.
To get the malware to work, the victim still needs to grant it relevant permissions. Hence, the attackers are impersonating local banks, and government organizations, and are engaged in a multi-stage social engineering scheme to manipulate victims into granting all the necessary permissions. They are not exploiting any vulnerabilities in either Android or iOS to install the malware - it’s all just social engineering.
We don’t know exactly how many people are affected by this campaign, or how much money the hackers managed to steal with the malware.
Edit:
Following the publication of the article, a Google spokesperson reached out to confirm that Android users are "automatically protected against this trojan:
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," the spokesperson told TechRadar Pro. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
More from TechRadar Pro
- Hackers are increasingly using ad tools and marketing gimmicks to sell their work
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now