Chinese hackers use deepfakes in advanced malware attacks on mobile banking


A Chinese-speaking threat actor codenamed GoldFactory is attributed to the development of highly sophisticated banking Trojans, including a previously undocumented iOS malware called GoldPickaxe that is capable of collecting identity documents, facial recognition data, and intercepting text messages.

“The GoldPickaxe family is available for both iOS and Android platforms,” Singapore-based Group-IB said in an extensive report shared with The Hacker News. “GoldFactory is considered a well-organized Chinese-speaking cybercrime group with close ties to Gigabud.”

GoldFactory has been active since at least mid-2023 and is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus, as well as GoldKefu, an embedded trojan in GoldDiggerPlus.

Social engineering campaigns spreading the malware have been found to target the Asia-Pacific region, particularly Thailand and Vietnam, by impersonating local banks and government organizations.

In these attacks, potential victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps such as LINE, before sending fake URLs that lead to the deployment of GoldPickaxe on the devices.

Some of these malicious apps targeting Android are hosted on fake websites resembling Google Play Store pages or fake company websites to complete the installation process.

However, GoldPickaxe for iOS uses a different distribution scheme, with successive iterations using Apple’s TestFlight platform and booby-trapped URLs that ask users to download a Mobile Device Management (MDM) profile, which gives the attackers full control over the iOS device and lets them install the rogue app.

Both distribution mechanisms were revealed by the Thailand Banking Sector CERT (TB CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.


GoldPickaxe’s sophistication is also evident from the fact that it is designed to bypass security measures imposed by Thailand, requiring users to confirm larger transactions using facial recognition to prevent fraud.

“GoldPickaxe asks the victim to record a video as a confirmation method in the fake application,” said security researchers Andrey Polovinkin and Sharmine Low. “The recorded video is then used as raw material for creating deepfake videos, powered by face-swapping artificial intelligence services.”

Additionally, the Android and iOS versions of the malware are equipped to collect the victim’s identity documents and photos, intercept incoming text messages, and proxy traffic through the infected device. It is suspected that the GoldFactory actors use their own devices to log into the banking application and make unauthorized fund transfers.


That said, the iOS variant exhibits fewer functionalities compared to its Android counterpart due to the closed nature of the iOS operating system and the relatively stricter nature of iOS permissions.

The Android version – considered an evolutionary successor to GoldDiggerPlus – also masquerades as more than twenty different applications from the Thai government, financial industry and utilities to steal credentials to these services. However, it is currently unclear what the threat actors do with this information.

Another notable aspect of the malware is its misuse of Android’s accessibility services to record keystrokes and extract content on the screen.


GoldDigger also shares code-level similarities with GoldPickaxe, although it is primarily designed to steal banking information, while the latter is more focused on collecting personal information from victims. So far, no GoldDigger artifacts targeting iOS devices have been identified.

“The main feature of GoldDigger is that it targets more than 50 applications of Vietnamese financial companies, including the names of their packages in the Trojan,” the researchers said. “Every time the targeted applications are opened, the text displayed or written on the user interface, including passwords, is saved as they are entered.”

The base version of GoldDigger, which was first discovered in June 2023 and is still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes with another trojan APK component called GoldKefu to carry out the malicious actions.

GoldDiggerPlus is said to have originated in September 2023, with GoldKefu posing as a popular Vietnamese messaging app to siphon banking information from ten financial institutions.

GoldKefu also integrates the Agora Software Development Kit (SDK) to enable interactive voice and video calls and trick victims into contacting a fake bank customer service center, sending fake alerts that create a false sense of urgency by claiming that a money transfer worth 3 million Thai Baht has taken place in their accounts.


If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to circumvent banks’ defensive measures to counter such threats. It also demonstrates the ever-changing and dynamic nature of social engineering schemes aimed at planting malware on victims’ devices.

To limit the risks posed by GoldFactory and its suite of mobile banking malware, it is strongly recommended not to click on suspicious links, not to install apps from untrustworthy sites, as they are a common vector for malware, and to periodically review the permissions granted to apps, especially those that request Android’s accessibility services.
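An added defender-side check, not part of this article or of the Group-IB report: a POSIX shell script that reads the list of enabled accessibility services from an Android device over adb and flags any package that is not on a reviewed allowlist, since that permission is what the GoldDigger and GoldPickaxe Android variants abuse for keylogging and screen scraping. The allowlist contents and the sample package names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit which apps hold Android's accessibility-service
# permission. Requires adb and USB debugging only for the live check.

# Accessibility services a defender has reviewed and accepts.
# Constructed allowlist for illustration; adjust to your own fleet.
ALLOWED_PKGS="com.android.talkback com.google.android.marvin.talkback"

# Parse the raw value of the 'enabled_accessibility_services' secure setting
# (colon-separated package/service entries) and print one package per line.
parse_accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Print every package with an enabled accessibility service that is not
# on the allowlist; each one should be investigated before it is trusted.
flag_unexpected_services() {
    raw="$1"
    for pkg in $(parse_accessibility_packages "$raw"); do
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;                 # reviewed and accepted
            *) printf '%s\n' "$pkg" ;;     # unexpected: investigate the app
        esac
    done
}

# Live check against a connected device (skipped when adb is unavailable).
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live audit" >&2; return 0; }
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    [ "$raw" = "null" ] && raw=""      # setting unset: nothing enabled
    flag_unexpected_services "$raw"
}
```

Run `audit_device` on a connected device; any package it prints holds the accessibility permission without having been reviewed.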

“GoldFactory is a resourceful team adept at a variety of tactics including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection,” the researchers said. “The team consists of separate development and operator groups focused on specific regions.”

“The gang has well-defined processes and operational maturity and continuously improves its toolset to adapt to the target environment, demonstrating high proficiency in malware development.”
