First iOS Trojan discovered harvesting facial recognition data for bank fraud

Cybersecurity firm Group-IB has recently discovered the first iOS Trojan designed to harvest facial recognition data for unauthorized bank account access. This discovery follows a report published by Group-IB researchers in October 2023, revealing an Android Trojan named GoldDigger, which targeted over 50 financial institutions in Vietnam.

The newly discovered mobile Trojan, named GoldPickaxe.iOS by Group-IB, is an extremely rare find, specifically targeting iOS users. GoldPickaxe.iOS is part of the GoldPickaxe family, which includes versions for both iOS and Android, and is based on the GoldDigger Android Trojan. The GoldPickaxe family is regularly updated to improve capabilities and evade detection.

GoldPickaxe.iOS has the ability to collect facial recognition data, identity documents, and intercept SMS. The threat actor uses AI-driven face-swapping services to create deepfakes with the stolen biometric data. This, combined with the intercepted identity documents and SMS, allows cybercriminals to gain unauthorized access to victims' bank accounts, introducing a new method of monetary theft.

The distribution scheme of GoldPickaxe.iOS is particularly noteworthy. Initially, the threat actor used Apple’s mobile application testing platform, TestFlight, to distribute the malware. However, after the malicious app was removed from TestFlight, the threat actor developed a more sophisticated strategy. They used a multi-stage social engineering scheme to convince victims to install a Mobile Device Management (MDM) profile, giving the threat actor complete control over the victim’s device.

The primary targets of this harmful behavior seem to be situated in the Asia-Pacific region; however, its reach might not be confined to this location. The existence of malware targeting iPhones is now a reality, yet by maintaining vigilant online habits and avoiding needless hazards, you and your devices should remain secure against cyber threats.