Alarming Android And iOS GoldPickaxe Malware Wants To Steal Your Face
The new malware was spotted by security firm Group-IB, which has connected it to a Chinese threat actor known as GoldFactory. The group's latest endeavor builds on previous malware campaigns like GoldDigger, GoldDiggerPlus, and GoldKefu. The new GoldPickaxe is mainly operating in the Asia-Pacific region, particularly Thailand, but Group-IB stresses that the same technique could be applied anywhere.
GoldPickaxe doesn't leverage any security flaws in Android or iOS—this is a good old-fashioned social engineering attack. The malware operators start by sending messages in messaging apps like Line, claiming to represent government agencies. They direct victims with Android phones to download an app from a website that impersonates the Google Play Store. For iPhone users, they initially used an Apple TestFlight profile to install the malware, but after Apple removed that app the attackers switched to a malicious Mobile Device Management (MDM) profile that allows them to control the device.
At this point, the victim using the fake governmental app is asked to supply a mountain of personal data. The app captures images of the victim's ID, and it can steal recently captured photos. It also asks the user to film a video of their face with the phone's camera. The interface looks similar to legitimate face unlock systems, but the video is sent directly to the malware's command and control server. The Android client has a few more features, like SMS access, thanks to the more permissive nature of the platform.
Some financial institutions, particularly those in South Asia, have started requiring biometric verification for large transactions, so GoldPickaxe could enable significant monetary theft. The Thai police have reportedly confirmed that the attackers have used these stolen faces to transfer funds from victims' accounts. Face recognition systems that don't use 3D data are remarkably easy to fool.
Importantly, the malware cannot access the biometric data on your phone, reports Bleeping Computer. That data is encrypted and could only be stolen via a serious vulnerability. This app is all about tricking people. Unfortunately, it seems to be pretty good at it.