In the 1997 psychological thriller, “Face/Off,” John Travolta’s character has his face surgically swapped with Nicolas Cage’s character to find out where a bomb in Los Angeles is located. Although face transplant surgery has evolved since then, this level of accuracy and sophistication in swapping actual faces is not yet a reality. 

But, in the tech world of deepfakes, “stealing your face” is no longer a hypothetical threat.

The Android trojan GoldDigger, released in June 2023, steals banking credentials; its new variant, GoldPickaxe, goes further and actually cleans out users’ bank accounts. GoldPickaxe came out in October 2023, with versions not only for Android devices but also for iOS devices.

As a surprise to many, but not to Verimatrix, this is not the first time that Apple’s iOS has been exposed to security vulnerabilities. While it is not easy to get malware onto Apple’s App Store, it is certainly doable. The facial recognition element of this malware, however, is perhaps the first of its kind.

Exposing GoldPickaxe’s infiltration method

To kickstart these attacks, potential victims are sent phishing and smishing messages and persuaded to move the conversation to an instant messaging app such as LINE. The criminals then send deceptive URLs that lead to the installation of GoldPickaxe on the victims’ devices.

Once this trojan is installed on an iPhone or Android phone, it can gather facial recognition data, identity credentials, and captured text messages. Exacerbating the situation, this biometric data is then used to create AI deepfakes to pose as victims and embezzle funds from their bank accounts and other financial apps. 

There is also a new variant of the malware named GoldDiggerPlus. The “plus” means that the hackers can call their victims directly on the infected device.

Posing as government officials and using the locally popular messaging app LINE have been the criminals’ consistent tools for getting victims to contact them. Attacks have resulted in stolen money reaching the tens of thousands of dollars, and that is just so far this month in Vietnam and Thailand.

However, the threat actors’ approach has varied with different victims and diverse nationalities. Reports have shown that hackers tell prospective victims they must deploy a new app to continue receiving pension payments from the Thai Ministry of Finance or, in another example, a tax refund on energy bills. From there, victims have been swayed into downloading GoldPickaxe.

How social engineering fuels deepfake fraud

It’s worth noting that GoldPickaxe does not seize Face ID or Android biometric data, nor does it exploit any operating system weaknesses. That biometric data is anonymized: it transforms facial features into a mathematical representation rather than storing actual images, and it is saved securely on the device itself.

GoldPickaxe, however, gets its data through social engineering, whereby the threat actors convince their victims to install a malicious Mobile Device Management (MDM) profile. The group then sifts through users’ personal photographs to estimate facial data, or tricks the targeted person into recording and sharing a video of their face. With that material, the group presents deepfakes of the victims’ faces to the facial recognition systems of their banks, gaining access to the victims’ accounts.

Since 2FA is often satisfied by facial recognition running on the same mobile device as, for example, the banking app, a deepfake of the victim’s face is all an attacker needs. If attackers find the GoldPickaxe scheme to be a consistently lucrative operation, it is just a matter of time before this malicious approach spreads further.

Now more than ever, mobile app owners must protect themselves against such tactics. After all, if this can happen with Apple, many would assume that it can happen anywhere. These attacks are, indeed, happening in the real world, and cybercriminals can be expected to continue employing these combinations of technology and clever approaches to line their wallets.