Hackers steal faces to create deepfakes and empty bank accounts

EXECUTIVE SUMMARY:

A new form of mobile malware is designed to harvest personal information, including facial biometric data, which hackers then process for the purpose of generating deepfakes. Once the deepfakes are deployed, they deceive electronic security systems, allowing hackers to break into bank accounts and disappear with the funds.

The hackers are also impersonating local bank representatives and government organizations, as this multi-part malware scheme relies on the provisioning of select verbal commands. One early victim of the scheme lost approximately $40,000, according to police.

Biometric data theft

Known as GoldPickaxe, the malware is disguised as one of roughly two dozen apps. The malware can steal photos stored on a device, request information from users during a supposed app onboarding process, and prompt people to photograph both sides of an official identity card, which allows the app to gather profile pictures. All data is then sent to an attacker-controlled cloud bucket.

Cyber security researchers believe that the Chinese-speaking threat actor group called GoldFactory is likely responsible for the malware. The group is also known for the creation of GoldDigger, GoldDiggerPlus and GoldKefu — all banking trojans.

“The gang has well-defined processes and operational maturity and constantly enhances its tool set to align with the targeted environment, showing a high proficiency in malware development,” says malware analyst Andrey Polovinkin.

Asia-Pacific risk

At present, GoldFactory predominately targets people in the Asia-Pacific region. Police have identified victims in Vietnam and Thailand.

In March of 2023, Thailand’s central bank ordered banks around the nation to comply with new mobile banking security requirements. This involves the use of biometric authentication whenever someone attempts to open a new bank account or attempts to facilitate digital financial transfers of more than 50,000 bhat. GoldPickaxe emerged three months after these security measures were implemented, seemingly in an effort to circumvent them.

Given the ubiquity of facial recognition as an access and security feature across banks, both in Asia and elsewhere, the malware threatens to become a global menace. GoldPickaxe-like malware could be adopted by other threat groups and/or incorporated into existing malware strains.

GoldPickaxe is available for both Android and iOS, which is extremely rare. In general, Apple iOS blocks the installation of unapproved apps.

In this case, attackers attempt to socially engineer victims into installing the malware — either via Apple’s online TestFlight service (for app beta-testing) or by allowing a device to be enrolled in an attacker-controlled mobile device management program.

Why this malware is effective

This malware is effective for two reasons: The first is that deepfake technology is now more sophisticated, it’s “smarter,” than biometric authentication mechanisms.

Facial recognition systems that don’t use 3D data are relatively easy to bypass using images.

The second is that the vast majority of security professionals, product developers and the general public lack awareness of the fact that deepfakes can fool biometrics-based systems.

Further thoughts

This malware remains in an active stage of evolution. Ensure that you and your organization stay up-to-date regarding the latest cyber threats. Subscribe to the CyberTalk.org newsletter here.

Lastly, for more threat intelligence insights, please download Check Point’s 2024 Security Report.