AI in the wrong hands: New iOS Trojan challenges face recognition

Group-IB · Published in OSINT TEAM · Feb 22, 2024

A trend that is expected to grow this year is threat actors adapting Android-based techniques to iOS devices. A recent discovery by Group-IB experts illustrates this trend. They uncovered the first iOS Trojan that harvests facial recognition data, and it is merely a modified version of the Android Trojan GoldDigger but with new capabilities. We asked Andrey Polovinkin and Sharmine Low, Malware Analysts within Group-IB’s Threat Intelligence team, to answer some key questions about their discovery:

In short, what happened?

In March 2023, the Bank of Thailand instructed banks to use facial biometric verification instead of OTPs to confirm their customers’ identity when making transactions. Cybercriminals saw it as an opportunity and ever since then they have been researching, conceptualizing, implementing, and testing a new fraud scheme.

One of the first threat actors to capitalize on the changes was GoldFactory, the group uncovered by Group-IB. In October 2023, we identified the malware they had created: a new tool targeting iOS, dubbed GoldPickaxe.iOS, that steals facial recognition data, photos of ID documents, and SMS messages. Cybercriminals leverage stolen data to create deepfakes by replacing their own faces with those of the victims.

The Group-IB team believes that the threat actor behind GoldPickaxe.iOS uses the deepfakes obtained to gain unauthorized access to banking apps. This is the first time that we are witnessing this technique. While Group-IB researchers have not observed documented cases of cybercriminals using stolen data to log into banking apps, our research has uncovered high-probability scenarios that were confirmed by Thai authorities.

What type of information is facial recognition data?

Facial recognition data usually consists of digital representations of facial features, which can include images, videos, or even 3D models of faces. In the case of GoldPickaxe, the Trojan used a common face recognition library to instruct users to perform verification steps such as blinking, smiling, looking left and right, nodding up and down, and opening their mouths. The threat actors recorded the video from the camera in the background without the victim’s knowledge. If all requirements were met, the app would send the video to the threat actors. We believe that the resulting biometric profile is enough, when processed, to extract patterns that can then be used to impersonate real users.

Who’s behind the threat?

The tool was developed by a notorious Chinese-speaking threat group dubbed GoldFactory by Group-IB, which has been active since at least mid-2023. The tool in question is just one of the solutions in the sophisticated suite of mobile banking malware that the gang has developed. The cybercriminals are well organized and have invested significant resources in creating this malware kit. It’s important to emphasize that GoldFactory’s success rests largely on social engineering tactics. The team is made up of separate development and operator groups dedicated to specific countries.

Who is under attack?

The Trojan’s primary targets are mostly based in the Asia-Pacific region. Although our initial findings indicate a strong focus on Vietnam and Thailand, we believe that GoldFactory’s operations may expand beyond those two countries. Group-IB researchers found similarities between the gang’s Trojans and Gigabud – a disruptive banking Trojan targeting Thailand, Vietnam, and countries in Latin America. However, there is currently not enough evidence to attribute the initial development of Gigabud to GoldFactory.

How does the malware spread?

GoldFactory employed a social engineering scheme to infect victim devices. The cover stories used to lure victims included fake tax refund offers on electricity bills and fake messages from officials about additional pension benefits. The malicious applications pretended to be official government applications, so victims did not see anything suspicious. The threat actors initially abused Apple’s mobile application testing platform, TestFlight, to distribute GoldPickaxe.iOS. However, the cybercriminals soon switched to another distribution method: tricking victims into installing a Mobile Device Management (MDM) profile, which is usually used by IT departments to remotely monitor corporate mobile devices. Both approaches allowed the threat actors to infect and control devices.

Are there any confirmed victims?

News broke in February 2024 that a Vietnamese citizen had fallen victim to malware by following the application’s instructions, which included undergoing a facial recognition scan. Consequently, the cybercriminals managed to steal more than USD 40,000. Group-IB specialists do not have conclusive proof of GoldPickaxe’s presence in Vietnam, but the distinctive characteristic referenced in the news suggests that GoldPickaxe has likely made its way into the country.

What does it mean for the security of biometrics?

As our research shows, under specific circumstances biometric systems can be susceptible to sophisticated cybercriminal tactics, despite providing enhanced protection in many scenarios.

Back in 2002, a Japanese cryptographer managed to fool fingerprint sensors using gummy bears. Since then, cybercriminals have been continuously exploring methods to replicate or manipulate fingerprints and other biometric data. It is also crucial to consider the rapid development and wide availability of AI technologies, which are allowing cybercriminals to masquerade as real users, bypass biometric security measures, and gain unauthorized access to sensitive systems and data. As a result, organizations could be exposed to substantial cybersecurity risks if they become over-reliant on such technologies without having additional robust security measures in place.

It is important to acknowledge that while fingerprint and facial recognition technologies offer valuable security benefits, they are not infallible. Rather than reject these methods completely, we must carry out a balanced assessment of how they can be integrated into broader security frameworks. This means incorporating additional layers of protection and consistently refining authentication processes to mitigate the evolving threats posed by threat actors.
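The layering principle described above, as an added illustration that is not code from Group-IB or from the article: a transaction authorization policy in which a passed face check is necessary but never sufficient on its own. Device binding, enrollment age, transaction value and payee history are combined into a risk score that escalates to a step-up factor or to out-of-band confirmation on a channel other than the possibly compromised device. The `AuthContext` fields, the thresholds and the score weights are constructed for this example and are assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed thresholds for the example; a real policy would tune these per product.
HIGH_VALUE = 50_000.0   # single transfer considered high value
DAILY_LIMIT = 100_000.0  # cumulative daily transfer limit before extra scrutiny


@dataclass
class AuthContext:
    """Signals available to the bank when a transfer is requested (hypothetical schema)."""
    face_match_passed: bool    # outcome of the bank's own face/liveness verification
    device_trusted: bool       # device previously bound to this account (key enrolled)
    device_enrolled_days: int  # age of that binding in days; 0 if not bound
    amount: float              # requested transfer amount in local currency
    daily_total_before: float  # amount already transferred today
    new_payee: bool            # first transfer to this recipient


def risk_score(ctx: AuthContext) -> int:
    """Additive risk score from non-biometric signals.

    A freshly bound or unbound device carries the most weight, because a
    replayed face video only helps an attacker who also controls the session."""
    score = 0
    if not ctx.device_trusted:
        score += 3
    elif ctx.device_enrolled_days < 7:
        score += 2  # binding is recent; treat as not yet established
    if ctx.amount >= HIGH_VALUE:
        score += 2
    if ctx.new_payee:
        score += 1
    if ctx.daily_total_before + ctx.amount > DAILY_LIMIT:
        score += 2
    return score


def decide(ctx: AuthContext) -> str:
    """Return one of 'deny', 'allow', 'step_up' or 'hold'.

    'step_up'  -> require an additional factor before completing the transfer
    'hold'     -> park the transfer until confirmed out of band (e.g. a call to
                  a phone number on file, or a branch visit), never via the
                  requesting device itself"""
    if not ctx.face_match_passed:
        return "deny"  # biometric failure is always terminal
    score = risk_score(ctx)
    if score >= 5:
        return "hold"
    if score >= 2:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: an established device making a routine payment
    routine = AuthContext(True, True, 400, 1_000.0, 0.0, False)
    # Constructed sample: a face check passed on an unbound device sending a
    # high-value transfer to a never-seen payee
    suspicious = AuthContext(True, False, 0, 60_000.0, 0.0, True)
    print("routine:", decide(routine))        # allow
    print("suspicious:", decide(suspicious))  # hold
```

The point of the design is that the biometric result gates the decision but does not make it: an attacker who can replay a victim's face video still has to satisfy the device-binding and transaction-pattern signals, which a freshly installed malicious app on an unbound device will not.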

What do we recommend to organizations and users?

  • Implement session-based monitoring systems (such as Group-IB’s Fraud Protection) to detect malware and block anomalous sessions before the user is tricked into entering any personal information.
  • Do not click on suspicious links. Mobile malware is often spread through malicious links in emails, text messages, and social media posts.
  • Download applications only from official platforms such as Google Play Store, Apple App Store, and Huawei AppGallery.
  • Carefully review the requested permissions when installing a new application, and be on extreme alert when applications request Accessibility Service.
  • If you believe you have fallen victim to fraud, contact your bank and request to freeze any bank accounts that can be accessed through your device.

If you would like a comprehensive description of the newly discovered tool and its indicators of compromise (cutdown), as well as a full list of recommendations, read the detailed blog post at the link.


Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime