The first iOS-compatible Trojan horse, 'GoldPickaxe', is discovered



The first-ever iOS Trojan horse, which infiltrates devices by exploiting TestFlight, Apple's system for developers to release apps experimentally, has been discovered. According to reports, the malware, named 'GoldPickaxe', is used to withdraw funds from victims' bank accounts.

Face Off | Group-IB Blog
https://www.group-ib.com/blog/goldfactory-ios-trojan/



First ever iOS trojan discovered — and it's stealing Face ID data to break into bank accounts | Tom's Guide

https://www.tomsguide.com/computing/malware-adware/first-ever-ios-trojan-discovered-and-its-stealing-face-id-data-to-break-into-bank-accounts

According to a new report published by security company Group-IB on February 15, 2024, the malware is reportedly based on the GoldDigger Trojan horse, which was designed to run on Android devices and was first discovered in October 2023.

Group-IB named this malware 'GoldPickaxe' and conducted an investigation. According to Group-IB, GoldPickaxe has iOS and Android versions, and unlike GoldDigger, it features regular updates designed to evade detection.

The iOS version, 'GoldPickaxe.iOS', can intercept facial recognition data and SMS, and hackers can also misuse the stolen biometric data to create AI-powered deepfakes. Information collected from the victim is said to be combined with this biometric data to gain illegal access to the victim's bank account.



The hackers who exploited GoldPickaxe.iOS initially used TestFlight, Apple's mobile application testing platform, to distribute the malware. After the app was removed from TestFlight, however, the hackers turned to "mobile device management (MDM)", a mechanism for centrally managing devices. They appear to have gained complete control of the device by launching a social engineering attack that pressured the victim into installing an MDM profile loaded with a Trojan horse.
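The MDM-profile delivery step described above is something a defender can triage before a user is talked into approving a profile: an iOS configuration profile is a plist, so it can be parsed and checked for an MDM enrollment payload, the server it points to, and whether the profile locks itself against removal. This is an added example, not code from the report or from Group-IB; the sample profile, its display name and the server URL are constructed.

```python
import plistlib

# Constructed sample (not from the report), shaped like an iOS configuration
# profile that enrols the device in an MDM server and forbids removal.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Public Service App</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# AccessRights is the MDM payload's rights bitmask; 8191 sets every bit,
# i.e. the server asks for full management rights over the device.
FULL_ACCESS_RIGHTS = 8191

def assess_profile(raw: bytes) -> dict:
    """Parse a configuration profile and return findings for an analyst to review."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    findings = {
        "display_name": profile.get("PayloadDisplayName", ""),
        "enrolls_mdm": bool(mdm),
        "mdm_servers": [p.get("ServerURL", "") for p in mdm],
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "full_access_rights": any(p.get("AccessRights") == FULL_ACCESS_RIGHTS for p in mdm),
    }
    # An MDM enrollment that cannot be removed or asks for every right is the
    # pattern to escalate; plain MDM enrollment still deserves a second look.
    if findings["enrolls_mdm"] and (findings["removal_disallowed"] or findings["full_access_rights"]):
        findings["risk"] = "high"
    else:
        findings["risk"] = "medium" if findings["enrolls_mdm"] else "low"
    return findings

if __name__ == "__main__":
    for key, value in assess_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```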

At the time of publication, GoldPickaxe is only being used to target victims in Vietnam and Thailand. In particular, since March 2023 the Bank of Thailand has required biometric authentication to verify the identity of anyone making a transaction over 50,000 baht (approximately 210,000 yen), so biometric information stolen in this way may be used for such transactions. Additionally, in Vietnam there have been reports of people having their biometric information stolen, and their bank deposits taken, through an app disguised as a 'public service app', and Group-IB suspects a connection with GoldPickaxe.



Group-IB believes that GoldPickaxe was developed by the Chinese-speaking cybercrime group GoldFactory, and also suspects that GoldFactory has close ties to Gigabud, another Android malware development organization.

As ways to prevent Trojan horse intrusion, Group-IB recommends "avoiding clicking on suspicious links", "downloading apps only from official platforms", and "paying close attention to the permissions requested by apps".

in Mobile,   Software,   Security, Posted by log1p_kr