Cybercriminals have set their sights on iOS users, using malware to steal face scans and gain access to Apple device users’ bank accounts. This is believed to be the first of its kind in the world.
A group of cybercriminals who speak Chinese, known as GoldFactory, have been distributing smartphone apps infected with trojans since June 2023. The latest version, GoldPickaxe, has been around since October.
GoldPickaxe and GoldPickaxe.iOS target Android and iOS devices respectively. They trick users into performing biometric verification checks, which are then used to bypass the security measures of legitimate banking apps in Vietnam and Thailand, where these attacks are focused.
GoldPickaxe and GoldPickaxe.iOS trojan targets Android and iOS devices respectively
The iOS version specifically targets users in Thailand, disguising itself as the official digital pensions app of the Thai government. However, there are suspicions that it has also made its way to Vietnam, as similar attacks were reported in the region recently, resulting in the theft of thousands of dollars.
Group-IB researchers noted that GoldPickaxe.iOS is the first iOS Trojan they have observed that combines various functionalities, such as collecting biometric data, ID documents, intercepting SMS, and proxying traffic through victims’ devices.
The Android version of the malware has even more functionalities than its iOS counterpart, due to the more open nature of the Android platform compared to the closed nature of iOS.
While Android malware is more common due to the ability to sideload apps, the discovery of iOS malware has surprised researchers because of the tighter security controls on Apple’s platform.
The Android infection was more straightforward, with malicious apps being available for download/sideload through a fake but seemingly legitimate Google Play store.
Researchers also found that the Android version had more disguises than the iOS version, posing as over 20 different government, finance, and utility organizations in Thailand, giving attackers more opportunities to deceive users.
When you login first time using a Social Login button, we collect your account public profile information shared by Social Login provider, based on your privacy settings. We also get your email address to automatically create an account for you in our website. Once your account is created, you'll be logged-in to this account.
DisagreeAgree
Connect with
I allow to create an account
When you login first time using a Social Login button, we collect your account public profile information shared by Social Login provider, based on your privacy settings. We also get your email address to automatically create an account for you in our website. Once your account is created, you'll be logged-in to this account.
