
Cybercriminals are stealing Face ID scans to break into mobile banking accounts

Cybercriminals are targeting iOS users with malware that steals Face ID scans to break into and pilfer money from bank accounts – thought to be a world first.

A Chinese-speaking cybercrime group, dubbed GoldFactory by Group-IB's researchers, started distributing trojanized smartphone apps in June 2023; the latest member of the family, GoldPickaxe, has been around since October 2023.

GoldPickaxe (the Android build) and GoldPickaxe.iOS target Android and iOS respectively. Both trick users into performing what look like biometric verification checks inside the trojanized app; the face captures taken during those checks are then used to defeat the real checks employed by legitimate banking apps in Vietnam and Thailand, the geographic focus of these ongoing attacks. What is collected is camera footage of the victim's face recorded by the malware, not Apple's Face ID template, which is held in the Secure Enclave and is not exposed to apps.

The iOS version is believed to target only users in Thailand, masquerading as the Thai government's official digital pensions app. That said, it may also have reached Vietnam: very similar attacks, in which tens of thousands of dollars were stolen, were reported in the region earlier this month.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”

Android malware is more common because the platform lets users sideload apps, so the iOS discovery surprised researchers more, given the tighter security controls on Apple's platform.

Infecting Android devices was more straightforward than infecting iOS ones: the malicious apps were simply made available to download and sideload from a fake but convincing imitation of the Google Play store.

Researchers also found the Android version bore many more disguises than the iOS version – taking the form of more than 20 different government, finance, and utility organizations in Thailand, and allowing attackers to steal credentials for all of these services.

How’d they get on Apple phones?

In the case of iOS, the attackers had to be cunning. Their first method involved the abuse of Apple’s TestFlight platform, which allows apps to be distributed as betas before full release to the App Store.

After this method was stymied, the attackers switched to a more involved piece of social engineering: victims were talked into enrolling their devices in a Mobile Device Management (MDM) program. Once a device trusts an MDM server, that server can push apps to it, and the attackers used that channel to deliver the trojan.

In all cases, the initial contact with victims was made by the attackers impersonating government authorities on the LINE messaging app, one of the region’s most popular.

For example, in some cases back in November, criminals impersonated officials from the Thai Ministry of Finance, and offered pension benefits to victims’ elderly relatives.

From there, victims were socially engineered into downloading GoldPickaxe through various means.
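The MDM enrollment step is the one that hands the attackers a durable channel onto the phone, so it is worth knowing what an enrollment profile actually grants. The following is an added triage script written for this article, not code from Group-IB or from the campaign: it parses a .mobileconfig (an XML plist), pulls out the com.apple.mdm payload and decodes its AccessRights bitmask using the bit values from Apple's MDM protocol reference. The sample profile, its UUIDs and the .invalid hostnames are constructed for the example.

```python
import plistlib

# Bits of the MDM payload's AccessRights mask, as documented in Apple's MDM
# protocol reference. Transcribed here by the editor; not taken from the article.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample enrollment profile (.mobileconfig is an XML plist). The
# display name, identifiers, UUIDs and .invalid hostnames are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Digital Pension Enrollment</string>
  <key>PayloadIdentifier</key><string>example.invalid.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.invalid.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>00000000-0000-0000-0000-000000000003</string>
    </dict>
  </array>
</dict>
</plist>
"""


def decode_access_rights(mask):
    """Expand an AccessRights bitmask into the names of the granted rights."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def find_mdm_payloads(profile_bytes):
    """Return a summary of every com.apple.mdm payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    summaries = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        mask = payload.get("AccessRights", 0)
        summaries.append({
            "server_url": payload.get("ServerURL"),
            "checkin_url": payload.get("CheckInURL"),
            "topic": payload.get("Topic"),
            "access_rights": mask,
            "rights": decode_access_rights(mask),
        })
    return summaries


def triage(profile_bytes):
    """Return (verdict, reasons) for a profile a victim was asked to install."""
    payloads = find_mdm_payloads(profile_bytes)
    if not payloads:
        return "no MDM payload", []
    reasons = []
    for p in payloads:
        for right, note in (
            ("app management", "can install and remove apps"),
            ("device erase", "can remotely erase the device"),
            ("install/remove configuration profiles", "can push further profiles"),
        ):
            if right in p["rights"]:
                reasons.append(f"{p['server_url']} {note}")
    verdict = "high-risk enrollment" if reasons else "MDM payload with limited rights"
    return verdict, reasons


if __name__ == "__main__":
    verdict, reasons = triage(SAMPLE_PROFILE)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

On an iPhone, an enrolled device shows the management entry under Settings > General > VPN & Device Management. A profile that carries the app-management and profile-install rights, as this sample does, lets the server behind ServerURL push apps and further profiles to the device, which is exactly the lever the campaign needed once TestFlight was closed off.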

Once the face captures were collected, the attackers fed them to deepfake software to generate a model of the victim's face.

The attackers would then install the target banking app on their own devices and use the deepfake model, together with the stolen identity documents and intercepted SMS messages, to remotely log in to victims' bank accounts.

The application of deepfake technology has largely been a hypothetical threat to infosec professionals for years, but GoldPickaxe serves as another reminder that the technology is now mature enough for use in real-world attacks and will probably be abused for years to come.

Facial biometrics were only mandated in Thailand last year: plans were first announced in March 2023, with enforcement from July. Vietnam is poised to mandate similar controls by April this year.

From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to reduce financial fraud in the region. The requirement applies specifically to transactions exceeding 50,000 baht (THB, roughly $1,400).

That means the GoldFactory group was able to develop a bespoke bypass for this new security control within a few months, underlining the attackers' capabilities and skill set.

“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection,” said the researchers.

“Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario. They are a strategic and well-orchestrated team. 

“They are aware of their target landscape and are constantly improving their toolset to tailor it to their target environment. Their developers demonstrate their relatively high proficiency in software development as well.”

The Gold malware family

GoldPickaxe is the latest iteration of the numerous trojans developed by the GoldFactory crime group.

The first – GoldDigger – was spotted in June 2023 and acted mainly as a traditional Android banking trojan granting control of a victim’s device.

GoldDigger and GoldPickaxe share code, but have different primary goals. The former focuses on gathering banking credentials while the latter pilfers personal information, including captures of victims’ faces, identity documents, and so on.

GoldDiggerPlus followed in September, adding more sophisticated functionality to the base GoldDigger trojan and bundling a second component, the GoldKefu APK, which works alongside it.

“In contrast with GoldDigger which relies mainly on Accessibility Service, GoldDiggerPlus and GoldKefu use webfakes to collect credentials or perform targeted scam calls instead. We conclude that the main purpose of GoldDiggerPlus is to authenticate itself to the C2 server, perform automated clicks when permissions are requested, record the screen, and stream the feed via Real-Time Messaging Protocol (RTMP),” the researchers said.

“It also makes an improvement from GoldDigger in the area of granting permissions. It now takes a more modular and controlled approach, that permission is requested and granted when the C2 issues the command. It does not grant all the permissions all at once like GoldDigger.”
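For defenders, the screen-streaming channel the researchers describe is one of the few parts of the chain that is visible on the network. The following is an added example written for this article, not Group-IB's code or the malware's: a first-pass heuristic that flags flows from mobile devices whose first bytes match the plain RTMP handshake (a version byte 0x03 followed by the 1536-byte C1 chunk, answered by 0x03 plus the S1 and S2 chunks) or that go to RTMP's default port 1935. The flow records, addresses and byte strings are constructed for the example, and the "src_type" tag that marks a flow as coming from a mobile device is assumed to be supplied by whatever collector produced the records.

```python
import random

# Handshake layout per the public RTMP specification: C0/S0 are a single
# version byte (0x03 for plain RTMP); C1, S1 and S2 are 1536 bytes each.
RTMP_VERSION = 0x03
RTMP_CHUNK = 1536
RTMP_DEFAULT_PORT = 1935


def is_rtmp_client_hello(data):
    """C0 + C1: version byte 0x03 followed by a 1536-byte chunk. Bytes 5..8 of
    C1 are zero in the original handshake but carry a version stamp on newer
    Flash clients, so that field is deliberately not checked."""
    return len(data) >= 1 + RTMP_CHUNK and data[0] == RTMP_VERSION


def is_rtmp_server_hello(data):
    """S0 + S1 + S2: version byte 0x03 followed by two 1536-byte chunks."""
    return len(data) >= 1 + 2 * RTMP_CHUNK and data[0] == RTMP_VERSION


def flag_rtmp_flows(flows, allowed_servers=()):
    """Return (src, dst, dport, reason) for flows from mobile devices that look
    like RTMP sessions to servers outside the allow list. Each flow is a dict
    with src, src_type, dst, dport, client_first and server_first (the first
    bytes each side sent). Assumed record shape, not a real collector's."""
    flagged = []
    for f in flows:
        if f["src_type"] != "mobile" or f["dst"] in allowed_servers:
            continue
        reasons = []
        if is_rtmp_client_hello(f["client_first"]) and is_rtmp_server_hello(f["server_first"]):
            reasons.append("RTMP handshake")
        if f["dport"] == RTMP_DEFAULT_PORT:
            reasons.append("port 1935")
        if reasons:
            flagged.append((f["src"], f["dst"], f["dport"], ", ".join(reasons)))
    return flagged


def _rtmp_chunk(rng, timestamp=0):
    """Build a 1536-byte C1/S1-style chunk: 4-byte time, 4 zero bytes, random fill."""
    return timestamp.to_bytes(4, "big") + b"\x00" * 4 + bytes(rng.getrandbits(8) for _ in range(RTMP_CHUNK - 8))


def build_sample_flows():
    """Constructed flow records: two RTMP sessions from a phone (one on the
    default port, one on 8080), a TLS session from the same phone, and an RTMP
    session from a laptop that the mobile-only filter should ignore."""
    rng = random.Random(7)
    c1 = _rtmp_chunk(rng)
    s1 = _rtmp_chunk(rng, 1)
    s2 = c1  # in the real protocol S2 echoes C1
    rtmp_client = bytes([RTMP_VERSION]) + c1
    rtmp_server = bytes([RTMP_VERSION]) + s1 + s2
    tls_client = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(rng.getrandbits(8) for _ in range(190))
    tls_server = b"\x16\x03\x03" + bytes(100)
    return [
        {"src": "10.0.0.23", "src_type": "mobile", "dst": "203.0.113.7", "dport": 1935,
         "client_first": rtmp_client, "server_first": rtmp_server},
        {"src": "10.0.0.23", "src_type": "mobile", "dst": "203.0.113.7", "dport": 8080,
         "client_first": rtmp_client, "server_first": rtmp_server},
        {"src": "10.0.0.23", "src_type": "mobile", "dst": "198.51.100.2", "dport": 443,
         "client_first": tls_client, "server_first": tls_server},
        {"src": "10.0.0.50", "src_type": "laptop", "dst": "203.0.113.7", "dport": 1935,
         "client_first": rtmp_client, "server_first": rtmp_server},
    ]


if __name__ == "__main__":
    for hit in flag_rtmp_flows(build_sample_flows()):
        print(hit)
```

Encrypted variants (RTMPE, which uses a different version byte, or RTMPS tunnelled over 443) do not match the handshake check, and port 1935 on its own is a weak signal, so treat a hit as a reason to pull the device for inspection rather than as a verdict.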

GoldKefu offers an interesting capability in that it integrates the Agora SDK, enabling real-time video and voice calls. Attackers can then launch calls with victims while impersonating legitimate customer support reps from the brands they impersonate.

Attackers can send fake alerts to app users warning them that 3 million baht has been transferred out of their account and telling them to contact their bank if the transaction wasn't authorized.

Other warnings include fake error messages popping up when the trojan prevents banking apps from opening, prompting users to contact their bank to ‘unfreeze their account.’

These alerts have a one-touch 'contact' button which, if pressed within the working hours set by the cybercriminals, starts a call with the criminals, who essentially operate a scam bank call center to harvest further information.

The Android version of the most recent GoldPickaxe is thought to be an updated version of GoldDiggerPlus, which also includes the GoldKefu APK. 

The iOS version doesn’t have these extensive capabilities due to the closed nature of Apple’s iOS platform, the researchers said.

“The adaptability of these cyber adversaries is remarkable, as evidenced by the evolution of their fraud schemes,” said Group-IB. “In addition to refining the capabilities of the original GoldDigger malware, they have introduced a new category of malware families that specialize in harvesting facial recognition data. They have also developed a tool that facilitates direct communication between victims and cybercriminals posing as legitimate bank call centers.

“In conclusion, the relentless evolution of cybercriminal tactics, exemplified by the sophistication of the GoldFactory malware, underscores the critical need for a proactive and multi-faceted approach to cybersecurity, including user education and integrated modern security approaches to proactively detect the appearance of new trojans and notify end users.” ®