Other factoids about GoldPickaxe.iOS include the following:

    • Initially leveraging Apple’s mobile application testing platform TestFlight, the threat actors behind the trojan have since shifted to a more advanced approach that does not exploit any system vulnerabilities. Instead, GoldFactory employs a multi-stage social engineering scheme to manipulate victims into granting all the necessary permissions, enabling the installation of the malware.
    • Victims were persuaded to install a ‘Mobile Device Management (MDM) profile’ granting the threat actor complete control over their devices. Such profiles offer a wide range of features, such as remote wipe, device tracking and application management, which the cybercriminals take advantage of to install malicious applications and gain the information they need.
    • GoldPickaxe does not directly steal money from within the victims’ phones. Instead, the trojan collects all the necessary information from the victim to create video deepfakes and autonomously accesses the victim’s banking application(s); facial recognition is a common feature in Thailand’s financial apps. The trojan is capable of prompting victims to scan their faces and submit ID photos. However, researchers have not observed any documented cases in the wild of cybercriminals using this stolen data to gain unauthorized access to victims’ bank accounts.
    • This may imply that the cybercriminals are using their own (Android) devices to log into victims’ bank accounts. The Thai police have confirmed this assumption, stating that cybercriminals install banking applications on their own Android devices and use captured face scans to bypass facial recognition checks and carry out unauthorized activities.
    • An advanced variant of this malware, GoldDiggerPlus, was detected in September 2023 and found to contain an embedded second trojan named GoldKefu (“kefu” means “customer service” in Chinese, and the string recurs throughout its code).
    • In contrast with GoldDigger, which relies on the Accessibility Service, GoldDiggerPlus and GoldKefu use web fakes impersonating 10 Vietnamese banks to collect banking credentials. GoldKefu checks whether the most recently opened application on the infected device belongs to the list of targeted banking apps; if a match is found, a fake overlay login page mimicking the legitimate application is launched instead. GoldKefu also allows cybercriminals to send victims fake alerts and make phone calls to them in real time. When the victim taps the fake “contact customer service” button, GoldKefu checks whether the current time falls within the cybercriminals’ working hours; if it does, the malware tries to find a free operator to place the call. It is therefore surmised that GoldFactory employs operators proficient in Thai and Vietnamese, or possibly even runs call center operations.
    • There are similarities between this threat actor group’s malware and Gigabud, a disruptive banking trojan targeting Thailand, Vietnam and some countries in Latin America. However, there is not enough evidence at this point to attribute the initial development of Gigabud to GoldFactory.