iOS and Android users face scans used to break into bank accounts


GoldPickaxe and GoldPickaxe.iOS target Android and iOS respectively, tricking users into performing biometric verification checks that are ultimately used to bypass the same checks employed by legitimate banking apps in Vietnam and Thailand – the geographic focus of these ongoing attacks.

The iOS version is believed only to be targeting users in Thailand, masquerading as the Thai government’s official digital pensions app. That said, some think it has also made its way to Vietnam. This is because very similar attacks, which led to the theft of tens of thousands of dollars, were reported in the region earlier this month.

“It is of note that GoldPickaxe.iOS is the first iOS Trojan observed by Group-IB that combines the following functionalities: collecting victims’ biometric data, ID documents, intercepting SMS, and proxying traffic through the victims’ devices,” the researchers said.

“Its Android sibling has even more functionalities than its iOS counterpart, due to more restrictions and the closed nature of iOS.”


Researchers also found the Android version bore many more disguises than the iOS version – taking the form of more than 20 different government, finance, and utility organizations in Thailand, and allowing attackers to steal credentials for all of these services.

How’d they get on Apple phones?

In the case of iOS, the attackers had to be cunning. Their first method involved the abuse of Apple’s TestFlight platform, which allows apps to be distributed as betas before full release to the App Store.

After this method was stymied, attackers switched to more sophisticated social engineering. This involved influencing users to enroll their devices in an MDM program, allowing the attackers to push bad apps to devices that way.

In all cases, the initial contact with victims was made by the attackers impersonating government authorities on the LINE messaging app, one of the region’s most popular.


Once the biometrics scans were captured, attackers then used these scans, along with deepfake software, to generate models of the victim’s face.

Attackers would download the target banking app onto their own devices and use the deepfake models, along with the stolen identity documents and intercepted SMS messages, to remotely break into victims’ banks.


Facial biometrics were only mandated in Thailand last year, with plans first announced in March with an enforcement date set for July. Vietnam is poised to mandate similar controls by April this year.

From July 2023, all Thai banking apps had to comply with the new initiative and replace one-time passcodes with facial biometrics to decrease the threat of financial fraud in the region. This applied specifically to transactions exceeding 50,000 BAT (roughly $1,400).


Source: Stolen iOS users face scans used to break into bank accounts

Which goes to show – biometrics are unchangeable and so make for a really bad (and potentially dangerous, if people are inclinded to amputate parts of your anatomy) security pass.

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft