Group-IB Discovers First-Ever iOS Trojan: GoldDigger Steals Facial Recognition Data
A new iOS Trojan has been uncovered by cybersecurity firm Group-IB, marking the first instance of such malware targeting Apple’s operating system. Dubbed GoldDigger, the Trojan steals facial recognition data for malicious purposes, including unauthorized access to bank accounts. This discovery is particularly concerning as some Asian countries, like Thailand and Vietnam, have plans to implement facial biometric verification for banking transactions in the near future.
GoldDigger is derived from an Android Trojan called GoldDigger, which targeted over 50 financial institutions in Vietnam last October. Group-IB has been actively tracking a series of aggressive banking Trojans in the Asia-Pacific region. The malware is capable of evolving its capabilities and evading detection, making it a significant threat.
The Trojan, known as GoldPickaxe.iOS, originated from the same family as the Android-based GoldDigger, which was first launched in June 2023. Subsequently, variants such as GoldDiggerPlus and GoldKefu emerged. In October, the malware expanded its reach to iOS devices, highlighting the growing sophistication of cybercriminals.
GoldDigger not only collects facial recognition data but also intercepts SMS messages, enabling it to gather personal information and confirmation texts used to authenticate logins and make account changes. This data can potentially be exploited by malicious actors, who can create deepfake content using AI-powered face-swapping technology.
The Trojan was discovered on TestFlight, Apple’s mobile app testing platform, but was swiftly removed. The cybercriminal behind the malware, referred to as GoldFactory, then engaged in a complex social engineering scheme to persuade users to install a Mobile Device Management profile. By doing so, the malware gains full control over the infected device. Group-IB suspects GoldFactory may be associated with a cybercrime group known as Gigabud.
Currently, Group-IB advises iOS users in Vietnam and Thailand to exercise caution and change their passwords if they suspect any suspicious downloads. However, there is a possibility that the malware has already spread to other regions. A new variant called GoldDiggerPlus has also been identified, which allows threat actors to convincingly pose as legitimate customer service representatives to deceive their targets.
To protect themselves, users are advised to be vigilant when downloading any files or applications and to regularly change their security questions and passwords, ensuring they do not reuse them. If contacted by someone claiming to be a company representative, it is recommended to hang up and independently verify the legitimacy of the call before providing any information.
As the threat of malware continues to evolve, it is crucial for individuals to stay informed and take necessary precautions to safeguard their personal and financial information. By remaining cautious and proactive, users can minimize the risk of falling victim to such malicious attacks.
