“First of its Kind” Trojan Malware Targets Phone Facial Data to Make Deepfakes for Bank Account Access

by | Feb 21, 2024

Among all of the existing cybersecurity threats, the public now has to be vigilant about trojan malware that sneaks onto their phone to collect facial data for deepfakes.

The ultimate purpose of the malware is to defeat the facial recognition access systems now used by some banks to secure mobile logins. GoldPickaxe has several different techniques for acquiring facial data, but it can also intercept SMS messages and rifle through documents stored on the phone to support its operations.

Thieves seek facial data to break into bank accounts

The GoldPickaxe scheme has been seen in Thailand and Vietnam thus far, and Group-IB believes that a Chinese-speaking threat actor employing phone scammers that speak in the local languages is behind the campaign. The two nations have likely been targeted due to recent developments in the law that have moved a lot of the population to using facial data to access their bank accounts via phone, but Group-IB warns that the threat actor appears to have plans to roll out its trojan malware in other countries.

The group has not been able to penetrate the official app stores with the trojan malware as of yet, so it has taken creative approaches to trick victims into essentially sideloading it onto their devices. It often pretends to be from the government, urging victims to install a malicious app that will supposedly expand pension benefits or give them discounts on utility bills. These fake apps have been mocked up to look like they are coming from a page from the Google Play store. They also route victims to web sites that attempt to convince them to grant permissions for remote management of the device.

Once in a device, the trojan malware is not able to access stored facial recognition data held by the operating system. Instead, it sends stored pictures back to the attackers in the hopes of finding usable selfies. These attacks have been targeted thus far, and the attackers may also try to initiate a video chat with the victim to get the facial data that way. The end goal is to create a deepfake that provides access to the victim’s bank account, which is immediately drained.

Trojan malware takes more work to install on iOS

The Group-IB report does not indicate which operating system is targeted more often, but it is easier to load trojan malware like this on Android devices. GoldPickaxe attacks have taken place on iPhones, but the attackers have had to social engineer the victim into allowing remote access management on the device.

It is unclear if multi-factor authentication would be effective in stopping the trojan malware, as once installed it generally has unfettered access to the device (to include intercepting SMS and email codes). Standard anti-phishing advice does seem to apply here, however; no following links from messages or emails without verifying with the sender, and having high suspicion of any unsolicited phone calls that appear to come from government agencies or companies. The fact that pensioners were targeted would indicate that the attackers are selecting older victims that may not be as familiar with cybersecurity fundamentals.

The threat actor has been at their mobile banking scams since at least mid-2023, but GoldPickaxe’s facial data capabilities are a fairly new development. While the facial data held by a phone’s operating system is encrypted and anonymized in such a way that it would be extremely difficult to obtain even with total compromise of the device, this incident demonstrates that bank security is not nearly at the same level and that attackers can find multiple workarounds to access victim finances.

Recent Posts

How can we help?

9 + 1 =

× How can I help you?