Thursday November 21, 2024

Advisory ID: NCC-CSIRT-200224-005

Summary: 

Group-IB researchers have uncovered a novel Android and iOS malware called 'GoldPickaxe,' which utilizes social engineering tactics to deceive users into scanning their faces and ID documents. These materials are suspected to be utilized for generating deepfakes to gain unauthorized access to banking services. The methods employed by this malware have the potential to be effective on a global scale, posing a risk of adoption by other strains of malware. 

Threat Type(s): Malware, Social Engineering, Phishing, and  Smishing  

Impact/VulnerabilityHIGH/HIGH

Product(s): Android and iOS Mobile Devices 

Platform(s): Android, iOS Operating Systems 

Version(s): All Versions.

Description: 

As per the researchers' findings, individuals targeted by the GoldPickaxe malware receive phishing or smishing messages via the LINE app, often in their native language, posing as government entities or services. These messages aim to deceive recipients into installing deceptive applications, such as a counterfeit 'Digital Pension' app, hosted on websites masquerading as Google Play. 

Once installed on a mobile device under the guise of a fraudulent government application, the malware operates semi-autonomously. It secretly performs background functions, including capturing the user's facial data, intercepting incoming SMS messages, soliciting ID documents, and rerouting network traffic through the compromised device using 'MicroSocks.' 

For iOS users, the threat actors initially directed victims to a TestFlight URL to install the malicious app, avoiding standard security reviews. Subsequently, upon Apple's removal of the TestFlight app, the attackers transitioned to convincing users into downloading a malicious Mobile Device Management (MDM) profile, granting them control over the devices. Conversely, the Android variant of the malware engages in more malicious activities compared to its iOS counterpart due to Apple's stricter security measures. Additionally, on Android devices, the malware utilizes over 20 different deceptive apps for camouflage. 

Consequences: 

GoldPickaxe malware can run commands on victims’ devices to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. .

Solution: 

  • Exercise utmost caution when installing applications, particularly those acquired from unofficial sources outside official app stores such as Google Play and the Apple App Store. 
  • Conduct thorough research on any application before installation. Validate the developer's credentials, review user feedback, and scrutinize requested permissions to verify their alignment with the app's stated functions. 
  • Maintain a healthy skepticism toward unsolicited communications claiming to originate from government agencies or service providers. 
  • Be wary of messages employing urgent threats or attracting offers to pressure recipients. 
  • Be vigilant for spelling errors, grammatical anomalies, or irregular formatting in hyperlinks before clicking on them. 
  • Use reputable mobile antivirus and anti-malware solutions, ensuring they are consistently updated. 
  • Regularly update your device's operating system and security software to mitigate vulnerabilities. 
  • Implement multi-factor authentication (MFA) for your banking applications to enhance security beyond standard password protection. 
  • Routinely monitor your bank account statements for any signs of unauthorized or suspicious activity. 

References: