Banking Trojan Harvests Facial Biometrics for AI Deepfakes

A Chinese-speaking cybercrime group specializing in financial fraud continues to expand the functionality and reach of its advanced banking Trojans, which it’s now using to collect and steal biometric data, researchers warned.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Cybersecurity firm Group-IB, in a report released Thursday, said the gang – with the codename GoldFactory – has developed a new Trojan, dubbed GoldPickaxe, that comes in Android and iOS variants designed to harvest personal information, including biometric face profiles, from mobile devices.

“To exploit the stolen biometric data, the threat actor utilizes AI-driven face-swapping services to create deepfakes,” swapping their own face for the victim’s, Group-IB said. “This data, combined with ID documents and the ability to intercept SMS, enables cybercriminals to gain unauthorized access to the victim’s banking account.”

The GoldPickaxe banking Trojan appears to be disguised as one of nearly two dozen legitimate apps, such as a government “Digital Pension” app, and can steal photos being stored on the device as well as request information from users during a purported onboarding process, the researchers said. The app requests information such as the victim’s name and phone number and then prompts the victim to photograph both sides of an official identity card, which allows the app to take pictures of their face. It then uploads all the pictures to an attacker-controlled cloud bucket.

“When recording a video of their faces, a few instructions will be given such as to blink, smile, face left, face right, nod down, up, and to open mouth,” Group-IB said. “This approach is commonly used to create a comprehensive facial biometric profile. These videos and pictures are uploaded to the cloud bucket.”

Because Apple iOS blocks the installation of unapproved apps, the attackers try to socially engineer victims into installing their malware either via Apple’s online TestFlight service for beta-testing apps or by allowing their device to be enrolled in an attacker-controlled mobile device management program, which can be used to automatically distribute apps to devices.

So far, the attackers appear to be using GoldPickaxe exclusively against Thai targets. “In our assessment, it appears imminent that GoldPickaxe will soon reach Vietnam’s shores, while its techniques and functionality will be actively incorporated into malware targeting other regions,” said Andrey Polovinkin, a Group-IB malware analyst. “The discovery of a sophisticated iOS Trojan highlights the evolving nature of cyber threats targeting the Asia-Pacific region.”

The move to steal information that can be used to fool biometric security checks follows the Bank of Thailand in March 2023 ordering the country’s banks to comply with new mobile banking security requirements. In part, the central bank now requires banks to use biometric authentication whenever someone attempts to open a new bank account or whenever customers attempt to make a digital money transfer worth more than 50,000 baht – $1,380 – per transaction or to change their daily transfer limit to be more than 50,000 baht.

GoldFactory’s attacks date from at least June 2023. Group-IB said that’s when it first detected a Trojan app with the codename GoldDigger being used to infect Android smartphones. The app targeted over 50 Vietnamese financial apps, e-wallets and cryptocurrency applications. The Trojan was being distributed via phishing emails and spam SMS messages disguised to appear as if they had come from legitimate sources.

Since then, the researchers said, the attackers have expanded their targeting to include Thailand and continued to refine their Android malware – adding new strains dubbed GoldDiggerPlus and GoldKefu. They also have developed a version of GoldPickaxe that targets Thailand, which comes in both Android and iOS variants and may be a much more sophisticated version of GoldDigger. The security firm’s use of “gold” in the names of the malware strains signals that they all trace back to the same group.

GoldFactory’s code overlaps with a different type of malware, dubbed Gigabud, which since 2022 has targeted users of about 100 financial institutions located in Thailand and Vietnam, as well as Indonesia, the Philippines and Peru, Group-IB said. Whether or not Gigabud and GoldFactory are directly connected remains unclear.

Group-IB’s Polovinkin said there has been a surge in the use of mobile banking Trojans against victims in the Asia-Pacific region and that much if not all of this activity traces to GoldFactory. “The gang has well-defined processes and operational maturity and constantly enhances its tool set to align with the targeted environment, showcasing a high proficiency in malware development,” he said.