GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks

Security researchers have warned of a sophisticated new Trojan designed to steal facial biometric data and use it to produce deepfakes of victims that can bypass banking logins.

Group-IB said the GoldPickaxe malware is available for Android and iOS and was developed by a suspected Chinese cybercrime actor dubbed “GoldFactory” to target victims mainly in Thailand and Vietnam.

The infection chain begins with threat actors impersonating government officials. They convince the victim to use messaging app Line to communicate and trick them into downloading a Trojan-laden app disguised as a “digital pension” application, or one providing other government services.

The Android app is downloaded either from a fake Google Play page or from a spoofed corporate website. The iOS version may be distributed via the TestFlight developer platform, or the threat actors may trick the victim into installing a mobile device management (MDM) profile, which gives them control over the device.

The threat actors cite personal information they have obtained about the victim to increase their chances of success, according to Group-IB.


Once activated, the Trojan requests the victim’s ID documents, intercepts SMS messages and proxies traffic through the victim’s infected device.

It also prompts the victim to record a video as a ‘confirmation method’ in the fake app. This footage is then used to create a deepfake video, which can be combined with the other collected data to let a cybercriminal bypass banking logins.

“We hypothesize that the cybercriminals are using their own devices to log in to bank accounts,” Group-IB explained.

“The Thai police have confirmed this assumption, stating that cybercriminals are installing banking applications on their own Android devices and using captured face scans to bypass facial recognition checks to perform unauthorized access to victims’ accounts.”

This is just one of a suite of sophisticated Trojans developed by GoldFactory and active since mid-2023. The group is also responsible for the GoldDigger malware reported by Infosecurity last year.

“Threat actors such as GoldFactory have well-defined processes, operational maturity, and demonstrate an increased level of ingenuity,” Group-IB concluded. “Their ability to simultaneously develop and distribute malware variants tailored to different regions shows a worrying level of sophistication.”
