
GoldPickaxe - the first iOS trojan unleashed

Anyone who has spent time in cybersecurity knows that iOS, the operating system at the heart of the iPhone, has a long-standing track record of being nearly immune to classic malware. Apple has earned that reputation by limiting its mobile ecosystem to rigorously vetted software, mediating every app's access to user data through sandboxing and permission prompts, anchoring security in the silicon itself, and encrypting data at rest.

Yet a recent discovery has shaken this confidence: the first banking trojan tailored for iOS devices has surfaced, posing a significant threat to users' financial security and privacy. Named GoldPickaxe, this strain is a variant of the Android malware GoldDigger, which was first reported in October 2023. The lineage has since evolved with enhanced capabilities and now targets Android and iOS devices alike.

Modus operandi of GoldPickaxe

First documented by the cybersecurity company Group-IB, the latest spin-off of this trojan quietly harvests sensitive data once it is on a victim's iPhone. The data at risk includes facial-recognition material and identity documents, and an SMS-interception feature extends the operators' reach to one-time codes and other messages.

This trove of personal data then becomes a stepping stone to fraudulent access to mobile banking and financial applications. Worse, the stolen face captures are abused to generate AI deepfakes, letting the threat actors pass the identity checks that banks rely on and impersonate victims to get into their accounts. The result can be a drained account with no conspicuous warning signs. From its operators' perspective, the trojan lives up to its name.

The only silver lining in this unsettling story is that the impact of GoldPickaxe is currently localized to Vietnam and Thailand. Its limited geographic scope does not diminish the potential for widespread harm, though. As is often the case with malware campaigns, a successful run encourages the operators to expand geographically, and what researchers are witnessing could be a test run before broader deployment on both iOS and Android in English-speaking regions such as the United States and Canada.

Evolving distribution methods

The propagation strategy of GoldPickaxe shows how adaptable the crooks' tactics, techniques, and procedures (TTPs) are, particularly when it comes to getting around the entry barriers of Apple's tightly controlled app ecosystem. The malware first circulated through TestFlight, Apple's platform for distributing pre-release builds to testers, which let it bypass App Store review. This kind of abuse could not fly under the radar for long, and predictably the rogue app was removed from TestFlight.

This did not stop the campaign, though: its operators shifted to social engineering, walking victims through a series of fraudulent websites that coax them into installing a rogue Mobile Device Management (MDM) profile. MDM itself is a legitimate service that enterprises use to administer their fleets of mobile devices from a central console, and the supervision features under its hood are exactly what makes it attractive to attackers. Note that iOS never installs such a profile silently: the victim has to open it, approve it in Settings, and confirm that the device will be remotely managed. Once that consent is given, the profile hands the attackers control over the device, including the ability to push their own apps, which greatly amplifies the threat.

Attributed to a threat actor known as GoldFactory, the creation and distribution of GoldPickaxe and its derivatives underscore how lucrative e-crime against digital financial services has become. Recent developments also point to a variant dubbed GoldDiggerPlus that goes a step further by placing real-time voice calls to infected victims. It is noteworthy that GoldPickaxe and GoldDiggerPlus share a tactic of exfiltrating the collected data to Alibaba cloud storage.

How to stay safe from the likes of GoldPickaxe

An iOS-focused campaign as headline-grabbing and impactful as this one is almost certainly on Apple's radar, and Apple can pull abusive TestFlight builds and revoke the certificates behind them. But nothing in this chain exploits a software flaw that a patch would close; every step relies on the victim's cooperation. Users should therefore fortify their own defenses now, and the mitigation measures follow directly from how GoldPickaxe spreads.

First, avoid installing apps through TestFlight unless you know and trust the developer. This campaign has demonstrated that software on Apple's official App Store undergoes more scrupulous checks than builds distributed through the testing platform. Second, only install MDM or other configuration profiles when your employer requires it on a company-issued phone, and never in response to a website, text message, or call that asks you to. You can review what is already on a device under Settings > General > VPN & Device Management (the menu name varies slightly across iOS versions); a profile there that you do not recognize, or a "remote management" entry on a personal phone, should be removed.
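Because the MDM step is where a victim hands over control, it helps to know what an enrollment profile actually contains. The script below is an added example for this article, not code from Group-IB, Apple, or the page's author: it parses an unsigned .mobileconfig (an XML property list) and reports whether it carries a com.apple.mdm payload, which server the device would take commands from, and which high-impact management rights the AccessRights bitmask grants. The two profiles embedded in it are constructed for the demonstration, and the server name mdm.example.invalid is a placeholder; the AccessRights bit meanings are taken from Apple's MDM protocol documentation.

```python
"""Triage an Apple configuration profile (.mobileconfig) before trusting it.

Added example, not from the article's author or Group-IB. A .mobileconfig is
an XML plist; an MDM enrollment profile carries a payload of type
com.apple.mdm whose ServerURL is the host that will issue commands to the
device and whose AccessRights bitmask says what that host may do. Profiles
can also be CMS-signed (DER wrapping the plist); this handles the plain XML
form only.
"""
import plistlib

# AccessRights bit meanings per Apple's MDM protocol documentation.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management (install/remove apps)",
}
# Rights that let an operator change the device rather than just read it.
HIGH_IMPACT = (2, 4, 8, 2048, 4096)

# Constructed sample: looks like a bank "security update", is MDM enrollment.
MDM_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.fake-bank.profile</string>
  <key>PayloadUUID</key><string>0C1D2E3F-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Security Update</string>
  <key>PayloadOrganization</key><string>Example Bank</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.fake-bank.mdm</string>
    <key>PayloadUUID</key><string>0C1D2E3F-0000-4000-8000-000000000002</string>
    <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
    <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
    <key>Topic</key><string>com.apple.mgmt.External.example</string>
    <key>AccessRights</key><integer>8191</integer>
    <key>IdentityCertificateUUID</key><string>0C1D2E3F-0000-4000-8000-000000000003</string>
  </dict></array>
</dict></plist>
"""

# Constructed sample: a plain Wi-Fi profile with no management payload.
WIFI_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.wifi.profile</string>
  <key>PayloadUUID</key><string>0C1D2E3F-0000-4000-8000-000000000010</string>
  <key>PayloadDisplayName</key><string>Office Wi-Fi</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.wifi.payload</string>
    <key>PayloadUUID</key><string>0C1D2E3F-0000-4000-8000-000000000011</string>
    <key>SSID_STR</key><string>office</string>
  </dict></array>
</dict></plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse the XML plist; raises on malformed input rather than guessing."""
    return plistlib.loads(data)


def decode_access_rights(mask: int) -> list:
    """Expand an AccessRights bitmask into the human-readable rights it grants."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def triage(profile: dict) -> dict:
    """Summarise who the profile claims to be from and whether it enrolls MDM."""
    report = {
        "display_name": profile.get("PayloadDisplayName", ""),
        "organization": profile.get("PayloadOrganization", ""),
        "payload_types": [],
        "mdm_servers": [],
        "high_impact_rights": [],
        "verdict": "no MDM payload",
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        report["payload_types"].append(ptype)
        if ptype == "com.apple.mdm":
            rights = int(payload.get("AccessRights", 0))
            report["mdm_servers"].append(payload.get("ServerURL", ""))
            report["high_impact_rights"].extend(
                ACCESS_RIGHTS[b] for b in HIGH_IMPACT if rights & b)
    if report["mdm_servers"]:
        report["verdict"] = ("MDM enrollment: device will take commands from "
                             + ", ".join(report["mdm_servers"]))
    return report


if __name__ == "__main__":
    for name, blob in (("bank", MDM_PROFILE), ("wifi", WIFI_PROFILE)):
        r = triage(load_profile(blob))
        print(name, r["verdict"], r["high_impact_rights"])
```

Run against the constructed "Security Update" profile, the script reports an MDM enrollment pointing at mdm.example.invalid with the full set of change-making rights (profile installation, lock and passcode removal, erase, settings manipulation, and app management), which is precisely what lets an operator push a malicious app after the victim taps through the prompts; the Wi-Fi profile yields no MDM payload. A real triage would also check whether the profile is signed and by whom, since an unsigned profile with a bank's name in PayloadOrganization proves nothing.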

Finally, the overarching advice is to stay vigilant. Build the habit of recognizing and steering clear of social engineering, phishing, and other scams. The GoldPickaxe story shows that even a sophisticated infection chain depends on user action at some stage, so a healthy dose of skepticism toward unsolicited instructions, whether they arrive by message, call, or website, is warranted.

This stealthy trojan has broken new ground and may well inspire similar outbreaks, so it is time for iPhone users to raise their security IQ. Apple's walled garden is not impregnable, and when the attack runs on consent rather than on a vulnerability, keeping the device safe falls to the person holding it.

