Researchers spot an iPhone-focused version of GoldDigger Android Trojan targeting the Asia-Pacific region.
A new Trojan has been spotted in the wild, targeting mobile phones and capable of stealing facial data.
It’s specifically targeting iOS – the first time such a Trojan has been observed.
Researchers at cyber security firm Group-IB made the find while performing regular monitoring of a previous Android Trojan that they dubbed GoldDigger, after the name of one of the activities within the Trojan’s API: GoldActivity.
Group-IB is calling the new iOS Trojan GoldPickaxe.iOS. It’s based on GoldDigger and has a subset of that Trojan’s functions – intercepting text messages, stealing identity docs, and collecting facial recognition data. It’s also regularly updated with new evasion capabilities so that it can operate undetected.
Like all of the GoldDigger family, the Trojan is spread by using social engineering to trick victims into downloading it. Group-IB believes that a single group called GoldFactory – probably Chinese-speaking – is behind the operation and that the group has close connections to the Gigabud malware family.
What makes the Trojan so dangerous is how the GoldDigger gang uses its captured facial recognition data – to create deepfakes of the victim and then use that to access their banking apps.
“The key functionalities of this Trojan are to steal ID pictures by requesting the user to take a photo of them, retrieve pictures from the victim’s album, and capture facial recognition data,” Group-IB’s researchers said in a blog post. “To exploit the stolen biometric data, they employ AI-driven face-swapping services, allowing them to authorise in the victim’s banking application – a technique we have not observed in other fraud schemes.”
The GoldDigger gang itself appears to be a sophisticated operation, as shown not only by the capabilities of its malware but also by its structure. There are discrete groups within the gang that focus on either development or operation, and these are then further broken down into teams dedicated to a particular region.
“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection,” Group-IB said. “Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario.”
“They are a strategic and well-orchestrated team.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.