New 'Gold Pickaxe' Android, iOS Malware Steals Your Face For Fraud (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. [...]
For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'
Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.
Re: Gay headline...rsilvergun: gayness is competin (Score:1)
Just wait for AI (Score:1)
Guaranteed at some point someone will use an AI-generated face to unlock someone's phone. Then it's game over for this type of security. Unless somehow depth can be built into the scanning of a face on a phone.
Re:Just wait for AI (Score:5, Informative)
From the first link I found when I searched for "how does iphone face detection work":
So much click bait so little time (Score:4, Interesting)
Re:So much click bait so little time (Score:4, Informative)
Only the copy on the phone is stored securely. The copy on your face in meatspace is not. They trick you into letting them record the information off your real face with the camera, and then they can feed that into their deepfake version of you they are using to fool others.
Apple's greed enables this (Score:2)
The problem with this is that there is no way to verify what is being installed or limit the permissions of the MDM profile. Nor is there some sort of repo like Cydia, where one can be somewhat sure of the code quality
Thanks to Apple's greed, people have just gotten used to installing these profiles. Which then leads to these a
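A defender-side check for the profile-install step this comment describes, added here as an example and not part of the post, of BleepingComputer's article or of Group-IB's research: it parses an unsigned .mobileconfig (an Apple property list, read with Python's standard plistlib) and reports what the profile would grant, so a profile can be inspected before anyone taps "Install". The sample profile, its identifiers and server URL are constructed for illustration; the AccessRights bit meanings are taken from Apple's Configuration Profile Reference, and the "high risk" threshold is this example's own choice.

```python
import plistlib

# Bit values of the com.apple.mdm payload's AccessRights mask, as listed in
# Apple's Configuration Profile Reference (assumption: copied from that
# reference, not from the post or the Group-IB report).
MDM_ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Rights that let the MDM server push or remove software, or wipe the device
# (this example's own threshold for "high risk").
HIGH_RISK_BITS = 2 | 4 | 8 | 128 | 4096

# Non-MDM payload types a personal device should not accept from a stranger.
SENSITIVE_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
}


def decode_access_rights(mask: int) -> list[str]:
    """Expand an AccessRights bitmask into the rights it grants."""
    return [name for bit, name in sorted(MDM_ACCESS_RIGHTS.items()) if mask & bit]


def inspect_profile(data: bytes) -> dict:
    """Summarise what a plain (unsigned) .mobileconfig would grant if installed.

    Signed profiles are CMS envelopes; unwrap them before calling this.
    """
    head = data.lstrip()
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        raise ValueError("not a plain plist; unwrap the CMS signature first")
    profile = plistlib.loads(data)

    payload_types, findings, high_risk = [], [], False
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<unknown>")
        payload_types.append(ptype)
        if ptype == "com.apple.mdm":
            mask = int(payload.get("AccessRights", 0))
            rights = decode_access_rights(mask)
            findings.append(
                f"enrols the device with MDM server {payload.get('ServerURL')} "
                f"holding {len(rights)} rights: {', '.join(rights)}"
            )
            high_risk = high_risk or bool(mask & HIGH_RISK_BITS)
        elif ptype in SENSITIVE_PAYLOADS:
            findings.append(SENSITIVE_PAYLOADS[ptype])
            high_risk = True

    removal_disallowed = bool(profile.get("PayloadRemovalDisallowed", False))
    if removal_disallowed:
        findings.append("profile cannot be removed by the user once installed")

    return {
        "identifier": profile.get("PayloadIdentifier"),
        "organization": profile.get("PayloadOrganization"),
        "payload_types": payload_types,
        "removal_disallowed": removal_disallowed,
        "high_risk": high_risk,
        "findings": findings,
    }


# Constructed sample (not a real artefact): a "government app" profile that
# enrols the phone with an attacker-controlled server and requests every
# access right at once (8191 = all thirteen bits set).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.fake-gov-app.profile</string>
  <key>PayloadDisplayName</key><string>Citizen Services</string>
  <key>PayloadOrganization</key><string>Example Ministry (constructed)</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.fake-gov-app.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    report = inspect_profile(SAMPLE_PROFILE)
    print(f"Profile {report['identifier']} from {report['organization']!r}")
    for finding in report["findings"]:
        print(" -", finding)
    print("HIGH RISK" if report["high_risk"] else "no high-risk payloads found")
```

Most profiles delivered from a web page are CMS-signed rather than plain XML; `openssl smime -inform DER -verify -noverify -in profile.mobileconfig -out plain.plist` strips the signature wrapper (without checking the signer) so the plist can be fed to `inspect_profile`. The point of the check is the AccessRights line: a legitimate corporate enrolment asks for a defined set of rights from a server the user already knows, whereas a profile pushed by an unsolicited link that asks for every right, disallows removal and points at an unfamiliar server is the pattern described in the summary.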
Re: (Score:3)
How many MDM profiles have you ever installed? Did you install one because you were sent a random URL for no reason which told you to follow some ridiculous process at said random URL for no discernible reason? My elderly non-technical mother wouldn't follow those instructions. I'm not worried about this. At all.
According to the summary, the Android version is nastier than the iOS version because iOS security is better.
What are you grumping about?
Re: (Score:2)
Exactly. I honestly have never installed a MDM profile. I have seen attempts to get people to install them though - usually because they're trying to install some pirated app or other thing that was removed from the App Store.
Usually those profiles get revoked pretty quickly because they're signed by Apple, and easily revokable. So apps that went that route often found their $500 signing key invalidated in a short time.
So I haven't really seen any real reason to do it other than maybe the app was rejected o
Re: (Score:3)
I have done it exactly once and under the guidance of corporate IT who walked me through it on the phone. They were supposed to have installed some bits for the corporate vpn but forgot that step on my new laptop so I rang them up for help. Had they set it up properly before handing me said laptop I wouldn't have ever seen that part of the UI.
This whole thing is silly. The degree of social engineering required is so high the actual delivery mechanism is irrelevant. Anyone who would complete these steps
Verification requires safe enrollment (Score:3)