GoldPickaxe Malware Spreads Across Android and iOS, Stealing Faces for Deepfakes

By Lokmat English Desk | Published: February 17, 2024 12:22 PM


A new malware campaign dubbed GoldPickaxe is targeting Android and iOS users, tricking them into installing fraudulent apps and stealing their sensitive data, including facial scans and ID documents, to create deepfakes for unauthorized access to banking apps.

The malware, developed by the Chinese hacking group GoldFactory, was first spotted in June 2023 and primarily targeted Android users. However, an updated version launched in October 2023 now ensnares iPhone users as well.

Phishing via LINE App

Attackers primarily distribute GoldPickaxe through phishing or smishing messages on the LINE messaging app, popular in Japan, Taiwan, and Thailand. These messages, crafted in the user's local language, often impersonate government authorities to lure victims into installing fake apps like "Digital Pension" from websites resembling Google Play.

Targeting iPhones

For iPhones, GoldPickaxe employs two methods. One involves tricking users into opening a TestFlight URL that installs both a legitimate TestFlight app and the malware. If that fails, attackers send a malicious Mobile Device Management (MDM) profile. Downloading this profile grants the attackers complete control over the device.
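The MDM path above works because an iOS configuration profile can carry an enrollment payload that hands a remote server broad management rights over the device. The following Python script is an added example, not code from the article or from the researchers who reported GoldPickaxe: it parses a `.mobileconfig` profile with the standard library and flags payload types that should never arrive via a chat message. The sample profile, its display name, identifiers and server URL are constructed placeholders; the payload type strings (`com.apple.mdm`, `com.apple.security.root`, and so on) and the `ServerURL`/`AccessRights` keys are Apple's documented profile keys.

```python
import plistlib

# Constructed sample of an iOS configuration profile (.mobileconfig) carrying an
# MDM enrollment payload. Every identifier and URL below is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Digital Pension</string>
  <key>PayloadIdentifier</key><string>example.profile.placeholder</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.profile.placeholder.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>Topic</key><string>com.apple.mgmt.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>00000000-0000-0000-0000-000000000003</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign profile (a single Wi-Fi payload) for comparison.
BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
  <key>PayloadIdentifier</key><string>example.wifi.placeholder</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000010</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.wifi.placeholder.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000011</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>OfficeNet</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types that warrant attention when a profile arrives from an unknown
# party rather than from the user's employer or carrier.
HIGH_RISK_PAYLOADS = {
    "com.apple.mdm": "enrolls the device in remote management (install apps, change settings, wipe)",
    "com.apple.security.root": "installs a trusted root CA (allows interception of TLS traffic)",
    "com.apple.vpn.managed": "routes device traffic through a third-party VPN",
    "com.apple.webClip.managed": "adds a home-screen link that can look like a real app",
}


def triage_profile(data: bytes) -> dict:
    """Parse a configuration profile and report management-related payloads."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append({
                "type": ptype,
                "why": HIGH_RISK_PAYLOADS[ptype],
                "server": payload.get("ServerURL"),
                # AccessRights is a bitmask of MDM rights; 8191 sets every documented bit.
                "access_rights": payload.get("AccessRights"),
            })
    return {
        "display_name": profile.get("PayloadDisplayName"),
        # A profile the user cannot remove is a strong sign of abuse outside managed fleets.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
        "risk": "high" if findings else "low",
    }


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name, triage_profile(blob))
```

A profile named after a government service, with an `com.apple.mdm` payload pointing at an unfamiliar server, full `AccessRights`, and removal disallowed, is the combination the article describes; the same check is useful on the server side for profiles collected from phishing pages during incident response.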

Data Theft and Deepfakes

Once installed, the malware can steal incoming SMS messages, control background phone functions, capture the victim's face, and even request ID documents. Experts believe the stolen facial data is likely used for bank fraud, and Thai police have corroborated this assumption.

GoldFactory's Past Exploits

GoldFactory is known for developing other malware like GoldDigger, GoldDiggerPlus, and GoldKefu. While the group currently focuses on Thailand and Vietnam, security researchers warn that these tactics could be used against other countries by GoldFactory or other malicious actors.

To stay protected, users should be wary of unsolicited messages, especially those impersonating authorities. Downloading apps only from official stores and avoiding suspicious links are crucial steps to prevent malware infections.
