The emergence of a sophisticated iOS and Android trojan, dubbed ‘GoldPickaxe,’ has alarmed cybersecurity experts due to its novel social engineering tactics. This malware, believed to be linked to the Chinese threat group ‘GoldFactory,’ employs a deceptive scheme, persuading victims to scan their faces and ID documents under false pretenses. Identified by Group-IB analysts, the trojan is part of a broader campaign initiated by GoldFactory, which includes other notorious strains like ‘GoldDigger’ and ‘GoldKefu.’ Despite initially targeting the Asia-Pacific region, particularly Thailand and Vietnam, the adaptable nature of GoldPickaxe’s techniques poses a global threat, potentially influencing future malware endeavors worldwide.
The distribution of GoldPickaxe began in October 2023, showcasing a sustained effort by threat actors to infiltrate mobile devices and exploit unsuspecting victims. Leveraging social engineering techniques, perpetrators reach out to targets through phishing or smishing messages, often impersonating local government authorities or services. These messages, tailored to appear legitimate, entice users to install fraudulent apps masquerading as essential services like a ‘Digital Pension’ app, distributed through deceptive websites mimicking Google Play. Even with the removal of the TestFlight app by Apple, attackers swiftly adapted, directing victims to install a malicious Mobile Device Management (MDM) profile, further illustrating their agility in circumventing security measures.
GoldPickaxe exhibits multifaceted capabilities upon installation, operating semi-autonomously to execute various malicious activities in the background. Apart from capturing victims’ faces and intercepting SMS, the trojan employs sophisticated techniques like ‘MicroSocks’ to proxy network traffic through infected devices. On iOS devices, it establishes a web socket channel to communicate with command and control (C2) servers, enabling remote control and data exfiltration. Meanwhile, the Android version demonstrates even more sinister functionalities, exploiting over 20 different bogus apps as cover to perform actions such as accessing SMS, navigating the filesystem, and downloading additional packages.
While Group-IB and Thai authorities suspect GoldPickaxe’s use of victims’ faces for bank fraud, it’s crucial to clarify that the malware does not compromise Face ID data or exploit OS vulnerabilities. Instead, it leverages social engineering to coerce users into providing facial scans, suggesting a potential avenue for unauthorized banking access through deepfakes. Despite this concerning prospect, biometric data stored in secure enclaves remains encrypted and isolated from running apps, underscoring the importance of robust security measures to mitigate the evolving threat landscape posed by sophisticated malware like GoldPickaxe.
