Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks

By neub9

GoldFactory, a threat actor known for developing sophisticated banking trojans, including the previously undocumented iOS malware GoldPickaxe, has been attributed to a Chinese-speaking cybercrime group with close ties to Gigabud. The GoldPickaxe family targets both iOS and Android and is built to harvest identity documents and facial-recognition data and to intercept SMS messages.

GoldFactory is also responsible for other Android-based banking malware known as GoldDigger and its enhanced variant GoldDiggerPlus, as well as GoldKefu, an embedded trojan inside GoldDiggerPlus. These malicious apps have been distributed through social engineering campaigns targeting the Asia-Pacific region, specifically Thailand and Vietnam.

GoldPickaxe is distributed differently on each platform. On iOS it has abused Apple's TestFlight beta-distribution platform and booby-trapped URLs; on Android the malicious apps are hosted on counterfeit websites that mimic Google Play Store pages or corporate sites, so the victim has to sideload them. Both routes avoid the review that an official store listing would receive.

One notable aspect of GoldPickaxe is its ability to defeat a security measure imposed by Thailand that requires users to confirm larger transactions with facial recognition. The fake application asks the victim to record a video as a "confirmation" step; the operators then feed that footage to face-swapping artificial-intelligence services to produce deepfake videos of the victim. The underlying weakness is that a biometric captured outside the bank's own app or SDK cannot be trusted as proof that the account holder is present.

GoldPickaxe for iOS and Android is also designed to collect the victim's ID documents and photos, intercept incoming SMS messages (including one-time codes), and proxy traffic through the compromised device. It is suspected that GoldFactory operators carry out the unauthorized fund transfers from their own devices, using the stolen identity material and codes.

The Android version of GoldPickaxe poses as over 20 different applications from Thailand's government, financial sector, and utility companies in order to steal login credentials for those services. It also abuses Android's accessibility services to log keystrokes and capture on-screen content, which is how it harvests credentials typed into other apps.

To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, users are strongly advised not to click on suspicious links or install apps from untrusted sites. Users should also periodically review the permissions granted to apps, particularly any app requesting Android's accessibility services: that permission lets an app read everything on screen and inject input, so a "government", "utility" or "banking" app asking for it is a red flag.
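The two signals above, a sideloaded app and a third-party accessibility service, can be checked from a workstation over ADB. The following is an added example written for this page, not code from the article or from the researchers who analysed GoldFactory; the trusted-service allowlist, the store-installer names, the package names and the sample ADB output are constructed assumptions for illustration. The parsers work on the text that `settings get secure enabled_accessibility_services` and `pm list packages -3 -i` print, so the audit can be run offline against captured output as well as against a live device.

```python
"""Audit an Android device for GoldPickaxe-style risk signals:
sideloaded apps and accessibility services that are not on a trusted list.
Added example; allowlists, package names and sample output are constructed."""
from __future__ import annotations

import shutil
import subprocess

# Assumed allowlist: accessibility services the reviewer has decided to trust.
TRUSTED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Assumed installer package names that mean "installed from a store", not sideloaded.
STORE_INSTALLERS = {"com.android.vending", "com.samsung.android.app.samsungapps"}

# Constructed sample output (not from a real device) for offline runs.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeutility/com.example.fakeutility.HelperService"
)
SAMPLE_PM = """package:com.example.fakeutility  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.bankapp  installer=com.android.vending
"""


def parse_accessibility(setting: str) -> list[str]:
    """`settings get secure enabled_accessibility_services` prints a
    colon-separated list of package/service component names, or 'null'."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [svc for svc in setting.split(":") if svc]


def parse_installers(pm_output: str) -> dict[str, str | None]:
    """`pm list packages -3 -i` prints one third-party package per line as
    'package:<pkg>  installer=<installer or null>'. Sideloaded and ADB-installed
    apps report installer=null."""
    result: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = inst_part.strip() or "null"
        result[pkg] = None if installer == "null" else installer
    return result


def audit(accessibility_setting: str, pm_output: str) -> dict[str, list[str]]:
    """Combine both data sources into the findings a reviewer would act on."""
    enabled = parse_accessibility(accessibility_setting)
    installers = parse_installers(pm_output)
    untrusted_a11y = [svc for svc in enabled if svc not in TRUSTED_ACCESSIBILITY]
    sideloaded = sorted(pkg for pkg, inst in installers.items() if inst not in STORE_INSTALLERS)
    # Highest-signal finding: an enabled accessibility service owned by a sideloaded package.
    sideloaded_set = set(sideloaded)
    sideloaded_a11y = [svc for svc in untrusted_a11y if svc.split("/")[0] in sideloaded_set]
    return {
        "untrusted_accessibility": untrusted_a11y,
        "sideloaded": sideloaded,
        "sideloaded_with_accessibility": sideloaded_a11y,
    }


def audit_device() -> dict[str, list[str]]:
    """Pull the same two outputs from a connected device via adb and audit them."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")

    def sh(*cmd: str) -> str:
        return subprocess.run(["adb", "shell", *cmd], capture_output=True, text=True, check=True).stdout

    return audit(
        sh("settings", "get", "secure", "enabled_accessibility_services"),
        sh("pm", "list", "packages", "-3", "-i"),
    )


if __name__ == "__main__":
    # Offline run over the constructed sample; use audit_device() for a real phone.
    for key, values in audit(SAMPLE_A11Y, SAMPLE_PM).items():
        print(f"{key}: {values}")
```

On the constructed sample the audit flags `com.example.fakeutility` as sideloaded and its `HelperService` as an untrusted accessibility service owned by that sideloaded package, which is exactly the combination described for GoldPickaxe. The `-3` flag matters: without it, every preinstalled system app also reports `installer=null` and drowns the real finding.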

GoldFactory is a resourceful cybercrime group adept at a range of tactics: brand impersonation, accessibility-based keylogging, fake banking websites, fake bank alerts, fake call screens, and the collection of identity documents and facial-recognition data. The group comprises separate development and operator teams dedicated to specific regions and constantly enhances its toolset to fit the targeted environment, showing a high proficiency in malware development.
