
Cybercriminals use malware to obtain face biometrics, break into banking apps


Chinese cybercrime group GoldFactory is creating Android and iOS malware that steals face biometrics and uses them to break into victims' bank accounts, according to The Register.

The group started releasing trojanized smartphone apps in June 2023. The first version, GoldDigger, focused on getting banking credentials. The latest version, GoldPickaxe for Android and GoldPickaxe.iOS for iOS, first appeared in October of that same year. It captures data used for identity verification, including face biometrics.

Bleeping Computer says that Group-IB, a team of researchers investigating the attacks, believes cybercriminals harvest biometric data that users provide for verification in the apps, then use it to log into accounts on legitimate banking apps in Vietnam and Thailand.

The iOS version is currently only known to be posing as the official digital pensions app for Thailand, though some believe it has also entered Vietnam. The Android version presented itself in the form of over 20 different government- and finance-related apps in Thailand.

Android malware is more common due to sideloading capabilities. But the iOS app is more surprising, as Apple’s platform is recognized as more secure.

The iOS version leveraged Apple’s TestFlight platform, meant to distribute beta apps. Once Apple removed TestFlight, cybercriminals instead convinced iOS users to enroll their phones into a mobile device management program.

Fraudsters posing as government authorities made initial contact with victims through the LINE messaging app, claiming to offer things such as pension benefits.

Victims were directed to download GoldPickaxe, where they shared face scans, which were then used to generate deepfake versions of their biometrics. Using a combination of deepfakes, stolen identity documents, and intercepted SMS messages, attackers gained access to victims’ bank accounts.

Thai banking apps have been required to replace one-time passcodes with face biometrics for transactions exceeding 50,000 baht (roughly US$1,400) since the summer of 2023.

While GoldPickaxe can steal biometrics through social engineering, it is not hijacking Face ID or Android biometric data or exploiting any operating system vulnerabilities. Biometric data stored on devices remains secure and isolated from running apps.
