First-ever iOS trojan steals your face to break your bank [Updated]

For the first time, an iOS trojan has been discovered in the wild. Named GoldPickaxe, this new malware is an adaptation of the well-known Android trojan, GoldDigger. According to a recent report, it steals an iPhone user's facial recognition data to access funds in banking and other financial apps. The details on how this occurs are outlined below.

Upon successful installation, GoldPickaxe begins its malicious operations by first gaining unauthorized access to the iPhone user's facial recognition data. It does this by exploiting certain vulnerabilities in the device's operating system. Once it acquires this sensitive data, it then uses it to bypass security measures in various financial apps installed on the device.

The trojan, in essence, impersonates the user, tricking the apps into believing that the rightful owner is accessing them. This allows it to carry out financial transactions without raising any alarms. The extent of the damage it can cause depends largely on the number and type of financial apps the user has installed.

It's crucial for iPhone users to be aware of this new threat and take necessary precautions to protect their devices and personal data. Regularly updating your device's software, avoiding suspicious apps, and using strong, unique passwords are some of the measures that can help mitigate the risk of such attacks.

GoldPickaxe, the first iOS Trojan, steals facial recognition data to breach bank accounts

Malware, including Trojans disguised as harmless programs, has appeared on Macs before. This, however, appears to be the first one tailored to infiltrate iPhones (and steal your money).

An offshoot of the GoldDigger banking malware first identified in October 2023, GoldPickaxe has various versions that aim to empty bank accounts via Android and iOS devices, as per a recent report from cybersecurity firm Group-IB.

So far, the GoldPickaxe.iOS trojan has only been seen operating in Southeast Asia, but Group-IB suggests it could easily spread to other countries.

How does GoldPickaxe.iOS function?

Once installed on a device, the malware collects facial-recognition data, identity documents, and intercepted text messages on behalf of the "threat actor" behind the scheme, codenamed "GoldFactory."

Typically, the download happens through an imitation government app that the victim mistakes for the genuine one. Once running on a device, the Trojan carries out its functions in the background. It can capture the user's face, read SMS messages, request ID documents, and proxy network traffic, among other actions.

Clearly, this is alarming. What GoldPickaxe does with the stolen biometric data is even more troubling, because it is used to gain access to bank accounts, according to Group-IB:

To exploit the stolen biometric data, the threat actor uses AI-driven face-swapping services to generate deepfakes. This data, combined with ID documents and the ability to intercept SMS, allows cybercriminals to gain unauthorized access to the victim’s bank account – a new method of monetary theft, previously unobserved by Group-IB researchers in other fraud schemes.

Interestingly, Group-IB states that the malware exhibits less harmful functionality on iOS devices than Android devices due to Apple’s superior security. On Android, it can, for instance, perform screen clicks, download 100 recent photos, serve fake notifications, and more.

While the malware can capture a victim's likeness, it doesn't capture encrypted Face ID data.

How is it disseminated?

GoldPickaxe is mainly disseminated through phishing scams, often disguised as legitimate government apps. Users are tricked into downloading and installing these apps, unwittingly inviting the Trojan onto their devices.

The threat actors behind this malware also exploit known security vulnerabilities in outdated operating systems. Hence, devices not updated with the latest security patches are particularly vulnerable to this Trojan.

Moreover, the malware is also spread through malicious links sent via email or text messages. These links redirect users to fraudulent websites where the Trojan is automatically downloaded onto their devices.

To safeguard against such threats, it's recommended to always verify the source before downloading any app, regularly update your device's operating system, and avoid clicking on suspicious links received via email or text messages.
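The advice above comes down to not trusting an install link that arrives by SMS or e-mail. As an added illustration, which is not code from this article or from Group-IB's report, the following Python script applies a few such checks to constructed sample messages: it extracts URLs, flags plain-HTTP, punycode and link-shortener hosts, flags hosts outside an assumed allow-list of legitimate domains, and notes wording that pressures the recipient to install or verify something through the link. The messages, domains and allow-list are all made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (not real lures or indicators from the report),
# written in the style of the "official app" phishing the article describes.
SAMPLE_MESSAGES = [
    "Your tax refund is ready. Install the official app to claim: https://gov-refund-portal.example/app",
    "Reminder: your appointment is tomorrow at 10:00. Reply STOP to opt out.",
    "Update your digital ID now: http://xn--govrnment-app.example/id",
    "Pension verification required, download here: https://bit.ly/3abcXYZ",
    "Your statement is available at https://bank.example/statements",
]

# Assumed allow-list of domains the organisations actually use; a real
# deployment would load this from configuration rather than hard-code it.
TRUSTED_DOMAINS = {"gov.example", "bank.example"}

# Well-known public link shorteners: they hide the real destination from the reader.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Words that typically accompany an "install this app / verify your identity" lure.
LURE_RE = re.compile(r"\b(install|download|app|verify|verification|id|refund|pension)\b",
                     re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def url_risk_reasons(url):
    """Return a list of human-readable reasons a single URL looks risky."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        reasons.append("plain http")
    # Punycode labels (xn--...) are how internationalised look-alike domains are encoded.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    if host and not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        reasons.append("host not in trusted list")
    return reasons


def triage_message(text):
    """Return (risk, reasons) for one SMS or e-mail body.

    risk is "low" (no link, or a link with nothing suspicious), "medium" (one
    finding) or "high" (two or more findings).
    """
    urls = extract_urls(text)
    if not urls:
        return "low", []
    reasons = []
    if LURE_RE.search(text):
        reasons.append("asks to install/verify via link")
    for url in urls:
        for reason in url_risk_reasons(url):
            reasons.append(f"{url}: {reason}")
    if not reasons:
        risk = "low"
    elif len(reasons) == 1:
        risk = "medium"
    else:
        risk = "high"
    return risk, reasons


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        risk, reasons = triage_message(message)
        print(f"[{risk:6}] {message}")
        for reason in reasons:
            print(f"         - {reason}")
```

The checks are deliberately simple heuristics; the point is that a message carrying an install link to a host outside the organisation's own domains is already enough to warrant a second look, regardless of how official the wording sounds.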

While the GoldPickaxe.iOS Trojan currently seems to be targeting users in Southeast Asia, the potential for its spread to other regions remains significant, as per Group-IB's report. Hence, users worldwide need to remain vigilant and adhere to best practices for digital security.
