The creation of highly sophisticated banking trojans, including the previously undocumented iOS malware GoldPickaxe, which can collect identity documents, facial recognition data, and intercept SMS, has been attributed to a Chinese-speaking threat actor codenamed GoldFactory.
In a lengthy report shared with The Hacker News, Singapore-based Group-IB stated that the GoldPickaxe family is accessible on both iOS and Android platforms. According to reports,” GoldFactory” is a well-organized Chinese-speaking cybercrime organization with close ties to Gigabud.
Another Android-based banking malware called GoldDigger, along with its improved iteration GoldDuggerPlus as well as GoldKefu, an embedded trojan inside GoldDegenderPlus, have been active since at least the middle of 2023.
By posing as regional banks and government entities, social engineering campaigns have been found to target Thailand and Vietnam in the Asia-Pacific region.
Prior to sending false URLs that cause GoldPickaxe to be installed on the devices, potential victims of these attacks are sent smishing and phishing messages and instructed to switch the conversation to instant messaging apps like LINE.
To complete the installation process, some of these malicious Android apps are hosted on fictitious websites that resemble Google Play Store pages or fake business websites.
However, GoldPickaxe for iOS uses a different distribution model, using Apple’s TestFlight platform for subsequent iterations and booby-trapped URLs to force users to install the rogue app and download an Mobile Device Management ( MDM) profile.
In November 2023, the Cyber Crime Investigation Bureau (CCIB ) and the Thailand Banking Sector CERT ( TB-CERT ) both revealed these propagation mechanisms.
The sophistication of GoldPickaxe is also demonstrated by the fact that it is made to circumvent Thailand’s security measures, which demand that users use facial recognition to verify larger transactions in order to prevent fraud.
According to security researchers Andrey Polovinkin and Sharmine Low,” GoldPickaxe asks the victim to record a video as confirmation method in the fake application.” Deepfake videos made possible by face-swapping artificial intelligence services are then created using the recorded video as raw material.
Additionally, the malware’s Android and iOS flavors are able to use the compromised device to intercept incoming SMS messages, collect victim ID documents and photos, and serve as a proxy for traffic. The GoldFactory actors are suspected of signing in to the bank application and carrying out unauthorized fund transfers using their own devices.
Despite this, the closed iOS operating system and relatively stricter iOS permissions result in fewer functionalities in the iOS version than in its Android counterpart.
Over 20 different applications from Thailand’s government, financial sector, and utility companies can be used to steal login credentials from these services using the Android version, which is regarded as GoldDiggerPlus ‘ evolutionary successor. What the threat actors do with this information, though, is currently unknown.
The malware also abuses Android’s accessibility features to record keystrokes and extract on-screen content, which is another notable feature of the malware.
Although GoldDigger is primarily intended to steal banking credentials, GoldPickaxe is more focused on gathering personal information from victims. Both games have code-level similarities. Up until now, no GoldDigger artifacts intended for iOS devices have been found.
According to the researchers, GoldDigger’s main feature is that it targets more than 50 applications from Vietnamese financial companies, including the names of their packages. The text displayed or written on the user interface, including passwords, is saved whenever the targeted applications open.
More advanced versions of GoldDigger, such as GoldGoldIggerPlus, which is embedded with another trojan APK component called GoldKefu, to unleash the malicious actions, have since emerged from the original, still-in-use version of the game in June 2023.
According to reports, GoldDiggerPlus debuted in September 2023, siphoning banking credentials from 10 financial institutions using GoldKefu, a well-known Vietnamese messaging app.
In order to facilitate interactive voice and video calls, Goldkefu also integrates with the Agora Software Development Kit ( SDK), which deceives users into contacting phony bank customer service by sending false alerts that give the impression that 3 million Thai Baht have been transferred to their accounts.
The development, if anything, suggests that cybercriminals seeking quick financial gain continue to profit from the mobile malware market, even as they figure out how to get around banks ‘ security measures to fend off such threats. It also shows how social engineering strategies that aim to deliver malware to victims ‘ devices are constantly changing and dynamic.
It is strongly advised against clicking suspicious links, installing any apps from unreliable websites because they are a common vector for malware, and periodically reviewing the permissions granted to apps, especially those requesting Android’s accessibility services, in order to reduce the risks posed by GoldFactory and its suite of mobile banking malware.
According to the researchers,” GoldFactory is a resourceful team skilled at various strategies, including impersonation, accessibility keylogging, phony banking websites, fake bank alerts, call screens, identity, and facial recognition data collection.” The team consists of various regionally focused development and operator groups.
” The gang consistently improves its toolset to align with the targeted environment, showcasing a high level of proficiency in malware development,” according to the statement.