NEWS: Deepfake Technology Powers Advanced Malware Attacks on Mobile Banking

February 20, 2024


Identification of Cyber Threat Actor GoldFactory and its Advanced Banking Trojans


GoldFactory, a cybercrime group that communicates in Chinese, has been identified as the creator of advanced banking trojans. These include a previously unknown iOS malware named GoldPickaxe, which is designed to collect identity documents and facial recognition data and to intercept SMS messages. According to a detailed report by Group-IB, a Singapore-based cybersecurity firm, the GoldPickaxe family of malware is operational on both iOS and Android platforms. It is believed that GoldFactory maintains strong ties with Gigabud, another cybercrime organization.


Since its inception in mid-2023, GoldFactory has been linked to the creation of other Android-based banking malware. These include GoldDigger and its advanced version GoldDiggerPlus, which incorporates an embedded trojan known as GoldKefu.


Targeted Social Engineering Campaigns in Asia-Pacific


The malware created by GoldFactory has been distributed through social engineering campaigns, primarily aimed at the Asia-Pacific region. Thailand and Vietnam have been specifically targeted, with the malware disguising itself as local banks and government organizations. In these campaigns, potential victims receive phishing and smishing messages that direct them to switch to instant messaging applications like LINE. They are then sent fraudulent URLs that install GoldPickaxe on their devices.


Some of the malicious Android applications are hosted on fake websites designed to mimic the Google Play Store or corporate websites, thus facilitating the installation process.


iOS Distribution Scheme and Sophisticated Evasion Techniques


The iOS version of GoldPickaxe utilizes a different distribution method. It employs successive versions that take advantage of Apple’s TestFlight platform and malicious URLs. These URLs prompt users to download a Mobile Device Management (MDM) profile, which provides complete control over the iOS device and enables the installation of the rogue app.


The Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB) uncovered these propagation techniques in November 2023.


GoldPickaxe also showcases its sophistication by circumventing security measures implemented by Thailand. These measures require users to verify large transactions using facial recognition to deter fraudulent activities.


Deepfake Videos and Unauthorized Fund Transfers


Security researchers Andrey Polovinkin and Sharmine Low explain that GoldPickaxe tricks victims into recording a video as a confirmation method in the fake application. This recorded video is then utilized as a source for creating deepfake videos using face-swapping artificial intelligence services.


Both the Android and iOS versions of the malware are capable of collecting victims’ ID documents and photos, intercepting incoming SMS messages, and routing traffic through the compromised device. It is believed that GoldFactory actors use their own devices to log into the banking application and execute unauthorized fund transfers.


Comparing the Functionality of iOS and Android Variants


The iOS variant of GoldPickaxe has fewer functionalities compared to its Android counterpart. This is largely due to the closed nature of the iOS operating system and its relatively stricter permissions.


The Android version, considered an evolved version of GoldDiggerPlus, disguises itself as over 20 different applications from Thailand’s government, financial sector, and utility companies. Its main aim is to steal login credentials from these services. However, the exact use of this stolen information by the threat actors remains unclear.


Abuse of Android’s Accessibility Services and Code-Level Similarities


A noteworthy feature of the malware is its exploitation of Android’s accessibility services to log keystrokes and extract content displayed on the screen.


GoldDigger shares code-level similarities with GoldPickaxe, although it is primarily designed to steal banking credentials, while GoldPickaxe is more focused on collecting personal information from victims. To date, no GoldDigger artifacts aimed at iOS devices have been discovered.


Targeting Vietnamese Financial Companies


“The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages’ names in the trojan,” the researchers said. “Whenever the targeted applications open, it will…


Unveiling the GoldDigger Malware and its Evolution


GoldDigger, the base version of the malware, was first identified in June 2023. Although it continues to circulate, it has given rise to more advanced versions, including GoldDiggerPlus. This upgraded variant is embedded with an additional Trojan APK component known as GoldKefu, which triggers the malicious activities.


Introduction to GoldDiggerPlus and GoldKefu


GoldDiggerPlus made its first appearance in September 2023. GoldKefu, on the other hand, masquerades as a widely used Vietnamese messaging application to extract banking information from ten different financial institutions. Unlike GoldDigger, which primarily relies on Android’s accessibility services, the Android Trojan, used in combination with GoldKefu, leverages fake overlays to gather login details if the most recently opened application is on the target list.


GoldKefu’s Integration with Agora SDK


GoldKefu also integrates the Agora Software Development Kit (SDK) to enable interactive voice and video calls. It deceives victims into reaching out to a fake bank customer service by sending counterfeit alerts. These alerts create an artificial urgency by falsely claiming that a fund transfer of 3 million Thai Baht has occurred in their accounts.


The Lucrative Mobile Malware Landscape


This development is indicative of the mobile malware landscape’s lucrative nature for cybercriminals seeking quick financial gain. These criminals continuously devise methods to bypass the defensive strategies implemented by banks to combat such threats. It also highlights the continuously evolving and dynamic nature of social engineering schemes designed to deliver malware to victims’ devices.


Mitigating the Risks


To reduce the risks posed by GoldFactory and its mobile banking malware suite, it is strongly recommended to avoid clicking on suspicious links and installing apps from untrusted sites. These sites are a common source of malware. Regularly reviewing the permissions granted to apps, especially those that request Android’s accessibility services, is also advised.
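One way to carry out the permission review above on a managed Android device, as an added example that is not part of the original report: the script cross-checks the output of `adb shell settings get secure enabled_accessibility_services` against `adb shell pm list packages -i` and flags accessibility services owned by apps that did not come from a trusted store. The package names, the sample output and the trusted-installer list are constructed assumptions.

```python
"""Flag enabled accessibility services that belong to sideloaded apps."""
import re

# Installers treated as trusted stores (assumption; adjust to your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(raw):
    """Return the packages that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":          # "null" means nothing is enabled
        return set()
    # Entries are colon-separated component names of the form package/class.
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def parse_installers(raw):
    """Map package -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def flag_sideloaded_accessibility(a11y_raw, pkgs_raw, system_pkgs=frozenset()):
    """Return (package, installer) pairs that deserve a manual look.

    Preinstalled apps also report no installer, so pass the package names
    from `pm list packages -s` as system_pkgs to keep them out of the result.
    """
    installers = parse_installers(pkgs_raw)
    findings = []
    for pkg in sorted(parse_accessibility(a11y_raw) - set(system_pkgs)):
        inst = installers.get(pkg)
        if inst not in TRUSTED_INSTALLERS:
            findings.append((pkg, inst))
    return findings

# Constructed sample output; these are not real indicators.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.pension.app/.svc.HelperService")
SAMPLE_PKGS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pension.app  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_PKGS):
        print(f"review: {pkg} has accessibility enabled, installer={inst}")
```

A flagged package is a prompt for review rather than a verdict, since legitimate apps are sometimes installed outside a store.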


The Resourcefulness of the GoldFactory Team


The GoldFactory team is skilled in various tactics, including impersonation, accessibility keylogging, creating fake banking websites, sending fake bank alerts, creating fake call screens, and collecting identity and facial recognition data. The team is divided into separate development and operator groups, each dedicated to specific regions.


The Operational Maturity of the Gang


The gang has well-established processes and operational maturity. They continuously enhance their toolkit to match the targeted environment, demonstrating a high level of expertise in malware development.