Banking Trojan Harvests Facial Biometrics for AI Deepfakes

GoldPickaxe Malware Can Record User’s Face, Gather Video Used in Deepfake Crimes

A Chinese-speaking cybercrime group, identified as GoldFactory, is expanding the functionality and reach of its advanced banking Trojans. These Trojans are now collecting and stealing biometric data.

Cybersecurity firm Group-IB recently released a report saying that GoldFactory has developed a new Trojan, dubbed GoldPickaxe, that comes in Android and iOS variants designed to harvest personal information, including biometric face profiles, from mobile devices.

“To exploit the stolen biometric data, the threat actor utilizes AI-driven face-swapping services to create deepfakes,” swapping their own face for the victim’s, Group-IB said. “This data, combined with ID documents and the ability to intercept SMS, enables cybercriminals to gain unauthorized access to the victim’s banking account.”

The GoldPickaxe banking Trojan is disguised as one of nearly two dozen legitimate apps and can steal photos stored on the device as well as request information from users during a purported onboarding process, the researchers said. The app asks for details such as the victim’s name and phone number, then prompts the victim to photograph both sides of an official identity card, which also lets the app capture pictures of the victim’s face. It then uploads all of the pictures to an attacker-controlled cloud bucket.

So far, the attackers appear to be concentrating on East Asia, but researchers warn that the group’s reach appears to be expanding. There has been a surge in the use of mobile banking Trojans in East Asia dating back to June 2023, with a significant chunk being attributed to GoldFactory.

The evolution of AI-based technologies will continue to put pressure on banking security practices across the globe. Threats that are affecting one region will likely jump to others as new tactics are proven and disseminated.

If you have questions about IT security and how evolving cyberthreats affect your bank, call ITPAC today.