A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents, facial recognition data, and intercepting SMS.
"The GoldPickaxe family is available for both iOS and Android platforms," Singapore-headquartered Group-IB said in an extensive report shared with The Hacker News. "GoldFactory is believed to be a well-organized Chinese-speaking cybercrime group with close connections to Gigabud."
Active since at least mid-2023, GoldFactory is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus as well as GoldKefu, an embedded trojan inside GoldDiggerPlus.
Social engineering campaigns distributing the malware have been found to target the Asia-Pacific region, specifically Thailand and Vietnam, by masquerading as local banks and government organizations.
In these attacks, prospective victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps like LINE, before sending bogus URLs that lead to the deployment of GoldPickaxe on the devices.
Some of these malicious apps targeting Android are hosted on counterfeit websites resembling Google Play Store pages or fake corporate websites to complete the installation process.
GoldPickaxe for iOS, however, employs a different distribution scheme, with successive iterations leveraging Apple's TestFlight platform and booby-trapped URLs that prompt users to download an Mobile Device Management (MDM) profile to grant complete control over the iOS devices and install the rogue app.
Both these propagation mechanisms were disclosed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.
The sophistication of GoldPickaxe is also evident in the fact that it's designed to get around security measures imposed by Thailand that require users to confirm larger transactions using facial recognition to prevent fraud.
"GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application," security researchers Andrey Polovinkin and Sharmine Low said. "The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services."
Furthermore, the Android and iOS flavors of the malware are equipped to collect the victim's ID documents and photos, intercept incoming SMS messages, and proxy traffic through the compromised device. It's suspected that the GoldFactory actors use their own devices to sign-in to the bank application and perform unauthorized fund transfers.
That having said, the iOS variant exhibits fewer functionalities when compared to its Android counterpart owing to the closed nature of the iOS operating system and relatively stricter nature of iOS permissions.
The Android version – considered an evolutionary successor of GoldDiggerPlus – also poses as over 20 different applications from Thailand's government, the financial sector, and utility companies to steal login credentials from these services. However, it's currently not clear what the threat actors do with this information.
Another notable aspect of the malware is its abuse of Android's accessibility services to log keystrokes and extract on-screen content.
GoldDigger also shares code-level similarities to GoldPickaxe, although it is chiefly designed to steal banking credentials, while the latter is geared more towards gathering of personal information from victims. No GoldDigger artifacts aimed at iOS devices have been identified to date.
"The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages' names in the trojan," the researchers said. "Whenever the targeted applications open, it will save the text displayed or written on the UI, including passwords, when they are entered."
The base version of GoldDigger, which was first discovered in June 2023 and continues to be still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes embedded with another trojan APK component dubbed GoldKefu, to unleash the malicious actions.
GoldDiggerPlus is said to have emerged in September 2023, with GoldKefu impersonating a popular Vietnamese messaging app to siphon banking credentials associated with 10 financial institutions.
The Android trojan, which is used in conjunction with GoldKefu, uses fake overlays to collect the login information if the most recently opened application belongs to the target list, unlike GoldDigger which relies mainly on Android's accessibility services.
Goldkefu also integrates with the Agora Software Development Kit (SDK) to facilitate interactive voice and video calls and trick victims into contacting a bogus bank customer service by sending fake alerts that induce a false sense of urgency by claiming that a fund transfer to the tune of 3 million Thai Baht has taken place on their accounts.
If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to circumvent defensive measures erected by banks to counter such threats. It also demonstrates the ever-shifting and dynamic nature of social engineering schemes that aim to deliver malware to victims' devices.
To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it's strongly advised not to click on suspicious links, install any app from untrusted sites, as they are a common vector for malware, and periodically review the permissions given to apps, particularly those requesting for Android's accessibility services.
"GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection," the researchers said. "The team comprises separate development and operator groups dedicated to specific regions."
"The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment showcasing a high proficiency in malware development."
