{
	"id": "a36220ac-8994-481f-ab55-ce6630111808",
	"created_at": "2026-04-06T00:09:28.858004Z",
	"updated_at": "2026-04-10T03:32:46.00908Z",
	"deleted_at": null,
	"sha1_hash": "bcf70f5a034fe0ae9b90be768fe730b7ec4a0ba1",
	"title": "We identified iOS trojan stealing facial recognition data | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249419,
	"plain_text": "Andrey Polovinkin\r\nTeam Lead Reverse Research, APAC\r\nSharmine Low\r\nMalware Analyst, APAC\r\nFace Off: Group-IB identifies first\r\niOS trojan stealing facial\r\nrecognition data\r\nGroup-IB uncovers the first iOS Trojan harvesting facial recognition data used for unauthorized\r\naccess to bank accounts. The GoldDigger family grows\r\nFebruary 15, 2024 · Malware Analysis\r\nhttps://www.group-ib.com/blog/goldfactory-ios-trojan/\r\nPage 1 of 56\n\nGoldDigger Malware analysis Trojan\r\nIn October 2023, Group-IB researchers released a report about a previously unknown Android\r\nTrojan specifically targeting more than 50 financial institutions in Vietnam. We named it GoldDigger\r\nas there was an activity named GoldActivity contained within the APK. Following the initial discovery\r\nof the Trojan, Group-IB’s Threat Intelligence unit has been constantly monitoring this evolving\r\nthreat and unearthed an entire cluster of aggressive banking Trojans actively targeting the Asia-Pacific (APAC) region.\r\nAmong these discoveries, there is an exceptionally rare occurrence – a new sophisticated mobile\r\nTrojan specifically aimed at iOS users, dubbed GoldPickaxe.iOS by Group-IB. The GoldPickaxe\r\nfamily, which includes versions for iOS and Android, is based on the GoldDigger Android Trojan and\r\nfeatures regular updates designed to enhance its capabilities and evade detection.\r\nGoldPickaxe.iOS, Group-IB researchers found, is capable of collecting facial recognition data,\r\nidentity documents, and intercepting SMS. Its Android sibling has the same functionality but also\r\nexhibits other functionalities typical of Android Trojans. To exploit the stolen biometric data, the\r\nthreat actor utilizes AI-driven face-swapping services to create deepfakes. 
This data, combined\r\nwith ID documents and the ability to intercept SMS, enables cybercriminals to gain unauthorized\r\naccess to the victim’s banking account – a new technique of monetary theft, previously unseen\r\nby Group-IB researchers in other fraud schemes.\r\nThe newly identified GoldPickaxe.iOS employs a notable distribution scheme. The threat actor\r\nutilized Apple’s mobile application testing platform, TestFlight, to distribute malware initially.\r\nFollowing the removal of its malicious app from TestFlight, the threat actor adopted a more\r\nsophisticated approach. They employed a multi-stage social engineering scheme to persuade\r\nvictims to install a Mobile Device Management (MDM) profile. This allowed the threat actor to\r\ngain complete control over the victim’s device.\r\nThe whole threat cluster has been attributed by Group-IB to a single threat actor, codenamed\r\nGoldFactory, which has developed a sophisticated suite of mobile banking malware.\r\nThe victims of this malicious activity are predominantly located in the Asia-Pacific region. While the\r\ncurrent evidence points to a particular focus on two APAC countries, there are emerging signs\r\nthat GoldFactory’s geography of operations may be extended beyond Vietnam and Thailand.\r\nGroup-IB sent notifications to the brands impersonated by GoldFactory’s Trojans.\r\nIn this blog, Group-IB researchers examine the details of the threat posed by GoldFactory and shed\r\nlight on its evolving relationship with other Android malware families, such as Gigabud. This analysis\r\nprovides valuable insights into the nature and scope of the cyber threat landscape, contributing to\r\nour ongoing efforts to improve cyber security awareness and resilience. 
The blog includes a Group-IB Fraud Matrix with categorized characteristics and tactics as well as relevant Indicators of\r\nCompromise (IOCs).\r\nKey findings\r\nGroup-IB’s Threat Intelligence unit discovered a previously unknown iOS Trojan\r\nGoldPickaxe.iOS that collects identity documents, SMS, and facial recognition data.\r\nThe GoldPickaxe family is available for both iOS and Android platforms.\r\nThe suite of sophisticated Trojans developed by GoldFactory has been active since mid-2023.\r\nGoldFactory is believed to be a well-organized Chinese-speaking cybercrime group with close\r\nconnections to Gigabud.\r\nSocial engineering is the primary method used to deliver malware to victims’ devices across the\r\nwhole family of GoldFactory Trojans.\r\nGoldPickaxe.iOS is distributed through Apple’s TestFlight or by social-engineering the victims\r\nto install an MDM profile.\r\nGoldPickaxe Trojans collect face profiles, ID documents, and intercept SMS. To exploit the\r\nstolen biometric data from iOS and Android users, the threat actor creates deepfakes using AI\r\nface-swapping services to replace their faces with those of the victims. This method could be\r\nused by cybercriminals to gain unauthorized access to victims’ bank accounts.\r\nVictims of Trojans developed by GoldFactory are located in Vietnam and Thailand.\r\nFollowing the publication of the initial report about GoldDigger, Group-IB’s researchers identified\r\na new variant of malware named GoldDiggerPlus.\r\nGoldDiggerPlus extends the functionality of GoldDigger and enables the threat actors to call\r\nits victims in real time.\r\nIntroduction\r\nWe began our investigation into the activities of the GoldFactory group by revealing the first known\r\nversion of the GoldDigger malware, which specifically targets more than 50 applications related to\r\nbanking, e-wallets, and crypto-wallets in Vietnam.\r\nFigure 1. 
Malware profile of the first GoldDigger variant\r\nAs we suspect that it is a growing threat within the APAC region, we immediately alerted the Group-IB Fraud Protection team to defend our customers against the identified malware threat.\r\nAll the Trojans identified in this report are in the active stage of evolution.\r\nFollowing the publication of the initial report in October 2023, Group-IB researchers identified a new\r\nvariant of the Trojan – GoldDiggerPlus, which removed the list of targeted applications but instead\r\ncontained a reduced list of 10 web fakes in the embedded malware named GoldKefu by Group-IB.\r\nWe believe that this was done likely to hide the targeted organizations and countries, thereby\r\nincreasing the effectiveness of the criminal activity.\r\nThe real-time calling of victims is achieved through a specially designed APK, dubbed GoldKefu by Group-IB. When the\r\nvictim clicks on the contact customer service button in the fake alert, GoldKefu checks if the current\r\ntime falls within the working hours set by the cybercriminals. If it does, the malware will try to find\r\na free operator to call through. It is as though the cybercriminals are running a real customer\r\nservice center.\r\nOur previous analysis suggested that the expansion of GoldDigger would extend to other countries\r\nin the APAC region – an assumption that proved accurate. Within less than a month, Group-IB’s\r\nThreat Intelligence unit identified a new malware variant targeting iOS platform victims from\r\nThailand, subsequently named GoldPickaxe.iOS by Group-IB. Along with the iOS Trojan, the\r\nGroup-IB team identified an Android version of GoldPickaxe, named GoldPickaxe.Android.\r\nOverall, we identified four Trojan families that were used by cybercriminals. 
We maintained the\r\nnaming convention by using the prefix Gold for the newly discovered malware as a symbolic\r\nrepresentation that they have been developed by the same threat actor.\r\nFigure 2. Timeline depicting the evolution of GoldFactory’s Trojans\r\nThe list below provides a brief introduction to each:\r\nGoldDigger is the classic Android banking Trojan that abuses Accessibility Service and grants\r\ncybercriminals control over the device\r\nGoldDiggerPlus is also an Android malware that extends the functionality of GoldDigger\r\nGoldKefu, an embedded Trojan inside GoldDiggerPlus, contains web fakes and enables voice\r\ncalls to be made to victims in real-time\r\nGoldPickaxe is a Trojan designed for both iOS and Android platforms. GoldPickaxe is used to\r\nharvest and exfiltrate personal information from victims as well as biometric data.\r\nIn March 2023, the Bank of Thailand instructed banks to use facial biometric verification to\r\nconfirm one’s identity instead of using OTPs when making transactions of 50,000 baht\r\n(approximately USD 1,430) or more; transfers of more than 200,000 baht per day; or raising the limit\r\nfor credit transfers on mobile devices to more than 50,000 baht per transaction.\r\nMost likely, GoldPickaxe has also reached Vietnam’s shores. In February 2024, news emerged that a\r\nVietnamese citizen fell victim to a malicious mobile application. The individual carried out the\r\noperations requested by the application, including performing a facial recognition scan. As a\r\nresult, cybercriminals withdrew money equivalent to more than 40,000 USD. At the moment, we do\r\nnot have any evidence of GoldPickaxe’s distribution in Vietnam. 
However, based on the unique\r\nfeature mentioned in the news that a facial scan is performed, coupled with the fact that\r\nGoldFactory is active in the region, we suspect that they probably have started to utilize\r\nGoldPickaxe in Vietnam. We expect more instances of GoldPickaxe to surface in Vietnam soon as\r\nthe State Bank of Vietnam (SBV) has outlined its plan to mandate the use of facial authentication as\r\na security measure for all money transfers from April 2024.\r\nFigure 3. The process of a legitimate banking transaction, authorized through biometric verification\r\nOur research has uncovered many aspects of GoldFactory’s cybercriminal activity. At this stage of\r\nthe investigation, the sale of the tools in question has not been discovered. As a result, it is difficult\r\nto say whether these malicious tools were developed exclusively for usage by only one group of\r\ncybercriminals or for further distribution within the cybercriminal underground in the future.\r\nHowever, we believe that there are many people behind the development, distribution, and theft\r\nof money, as they are highly organized. As a result, at the moment of research, we attributed all of\r\nthis activity to one group that we have dubbed GoldFactory. The focus of this report will be on the\r\ntechnical aspects and the use of tools that have been discovered in attacks against individuals.\r\nFigure 4. Threat actor profile: GoldFactory\r\nFrom a click to a coin mine. Infection chain\r\nIn this section, we will look at the methods used by GoldFactory to compromise victims’ phones. The\r\nfull infection chain remains obscured as the cybercriminals are careful to remove all evidence of\r\ntheir activities. 
However, through a thorough examination of multiple sources, including public\r\ninformation, internal data, and the results of our investigation, we have successfully reconstructed\r\nthe infection chain.\r\nThe GoldFactory gang is using a combination of smishing and phishing techniques to carry out\r\ntheir malicious activities. Our current monitoring has successfully identified the use of GoldFactory’s\r\nmalicious tools in Vietnam and Thailand. We are highly confident that the developers are Chinese-speaking. However, there is some indication that local cybercriminals are also involved, as evidenced\r\nby instances of criminals making phone calls to victims. While there is no direct evidence of the use\r\nof the local language during these calls, speaking the local language is essential for building trust\r\nand confidence with the victim. Thus, we assume that GoldFactory might be engaging operators\r\nproficient in Thai and Vietnamese or even possibly running a call center. You can find more details\r\nabout the composition of the GoldFactory group and the language spoken by the group members\r\nin the GoldFactory’s Cybersecurity Bonanza: The New Gold Rush section of this blog.\r\nWe also found an example of an SMS written in Thai used in the phishing campaign. This evidence\r\nsuggests the existence of a diverse cybercriminal ring comprising individuals from different\r\ncountries, or the use of a local service to distribute malware to victims’ devices. At this stage, we\r\nexercise caution and refrain from drawing any definitive conclusions.\r\nWe examined the chain of infection based on the delivery of the most recently discovered\r\nGoldPickaxe variants. 
However, the infection chain is not significantly different for other Trojans\r\nwithin the GoldFactory family.\r\nIn Thailand’s environment, cybercriminals impersonate government authorities and convince victims\r\nto use LINE, one of the most popular messaging applications in the country. To start a\r\nconversation, the LINE user must add another as a friend.\r\nFigure 5. Initial compromise of the device by GoldPickaxe Trojans\r\nAccording to Thailand Banking Sector CERT (TB-CERT), malicious links are distributed through\r\nmessengers to encourage the installation of the app. Victims are then lured into a fraudulent\r\napplication posing as a ‘Digital Pension’ app, purportedly enabling them to receive their pension\r\ndigitally. The most worrying aspect of the TB-CERT alert is that the cybercriminals possess credible\r\npersonal information about the victims, which increases the persuasiveness of their fraudulent\r\ntactics.\r\nTB-CERT’s alerts can be confirmed by the findings of Group-IB’s investigation, which uncovered\r\nmultiple versions of GoldPickaxe, all possessing identical functionality, yet disguising themselves as\r\ndifferent official Thai government services. We have seen a trend where GoldFactory’s malicious\r\ncampaigns involve the imitation of legitimate government applications – for example, Digital\r\nPension for Thailand, other Thai government services, and the Vietnamese government\r\ninformation portal. It is worth noting that other applications that GoldPickaxe is impersonating do\r\noverlap with those of the Gigabud malware, described by Group-IB researchers in August 2023. We\r\nwill discuss the overlaps between GoldFactory and Gigabud later in the blog.\r\nFigure 6. 
Example of fake login screens from GoldFactory’s Trojans impersonating Thai apps\r\nThe screenshots below show a fake message claiming to offer tax refunds on electricity bills.\r\nOnce the recipient opens a link, they are redirected to LINE to add the cybercriminal as a friend.\r\nInside the LINE messenger, the cybercriminal then begins their social engineering tactics to\r\nconvince them to follow the necessary steps and install the malicious application. However, it was\r\nnot possible to retrieve any messages because the cybercriminals cleared the chat history on the\r\ninfected devices.\r\nFigure 7. Example of spam message sent by GoldFactory\r\nAs we discussed in our previous blog, GoldDigger is spreading via fake websites posing as Google\r\nPlay Store pages or fake corporate websites in Vietnam in order to successfully install itself on a\r\nvictim’s device. GoldDiggerPlus and GoldPickaxe.Android are distributed using a similar scheme.\r\nFigure 8. Fake Google Play website used to deliver GoldPickaxe.Android\r\nGoldPickaxe.iOS has a different distribution scheme. Apple has a well-designed system to\r\nprevent threat actors from distributing malware through its store. However, cybercriminals have\r\nadeptly exploited certain features initially designed to improve user experience.\r\nFraudulent schemes of this nature have been documented by cybersecurity researchers. One\r\nnotable example is the CryptoRAM campaigns, where cybercriminals leveraged Apple’s TestFlight\r\nplatform to distribute fake cryptocurrency applications. TestFlight serves as a tool for developers to\r\ndistribute and beta test their iOS applications prior to the official release on the App Store. 
The\r\nplatform offers a variety of testing methods and allows developers to invite users to test their apps.\r\nAnother tactic involves the manipulation of Apple devices through Mobile Device Management\r\n(MDM). MDM is a comprehensive and centralized solution for managing and securing mobile\r\ndevices, such as smartphones and tablets, within an organization. The primary goal of MDM is to\r\nstreamline device management tasks, enhance security, ensure compliance with organizational\r\npolicies, and deploy applications. Within the Apple ecosystem, MDM allows devices to be configured\r\nwirelessly by sending profiles and commands to the device.\r\nGoldFactory has been successful in using both tactics to distribute its own iOS Trojan. When\r\nTestFlight is abused, victims receive seemingly innocent URLs such as\r\nhttps://testflight.apple.com/join/\u003cID\u003e. Because these URLs carry the Apple domain, users often\r\nperceive them as trustworthy. Unfortunately, this misplaced trust leads users to install seemingly\r\nlegitimate software, unknowingly exposing their devices to malicious threats.\r\nA more sophisticated method used by GoldFactory is to manipulate victims into interacting with\r\nfraudulent websites to install an MDM profile. Victims are tricked into following URLs that redirect\r\nthem to these fraudulent websites controlled by threat actors. The infection process requires users\r\nto take unusual steps, such as installing an MDM profile – an inherently suspicious step. Despite its\r\ncomplexity, if successful, this approach gives cybercriminals complete control over the victim’s\r\ndevice. Below we will look at each facet of this sophisticated scheme employed by GoldFactory to\r\nplant GoldPickaxe.iOS into a victim’s device.\r\nFigure 9. 
Scheme illustrating how GoldPickaxe.iOS infects iOS devices\r\nAs mentioned above, one of the ways GoldFactory exploits unsuspecting users is through the use\r\nof TestFlight. Notably, TestFlight is used not only for testing purposes but also in a variety of\r\ncontexts, such as bypassing regional restrictions when users have difficulty installing applications\r\nfrom their respective countries. The simplicity and cost-effectiveness of TestFlight make it an\r\nattractive option for cybercriminals. If a malicious application is blocked, cybercriminals can easily re-upload it using alternative developer accounts. They can also use services that offer similar\r\nfunctionality, providing a way to upload applications to TestFlight without significant barriers. This\r\nadaptability underscores the agility and resilience of cybercriminals using TestFlight as a tool for\r\ntheir malicious activities.\r\nIt is worth noting that the TestFlight method was used by GoldFactory in the early stages of their\r\nmalicious campaign. However, there was a strategic switch when the cybercriminals moved on to\r\nusing MDM.\r\nWe attribute this shift to the realization that applications uploaded to TestFlight are submitted to\r\nApple’s review process. As the GoldPickaxe.iOS Trojan was not accessible in TestFlight at the time of\r\nwriting, it is likely that Apple’s review has identified the GoldPickaxe.iOS malware, leading to the\r\nblocking measures. As a result, the cybercriminals adapted their distribution and chose the MDM\r\nmethod to circumvent the strict controls associated with TestFlight and continued their illicit\r\nactivities. Group-IB issued a notification to Apple about the activity attributed to GoldFactory.\r\nFigure 10. 
Description of the fake app in TestFlight\r\n(not available in TestFlight at the time of writing)\r\nWe constantly monitored the activity of GoldFactory and after a short time, we noticed the changes\r\nin the infection chain. We began to detect fraudulent domains that were designed to download the\r\nMDM profile. Our findings are also confirmed by an alert from the Thai Cyber Police. In November\r\n2023, some individuals were targeted by a scam where a cybercriminal posed as an official from the\r\nMinistry of Finance. According to the Thai police, the criminal claimed that the targets’ elderly\r\nrelatives were eligible for additional pension benefits. The victims then clicked on links to the\r\ncriminals’ websites to download MDM profile settings that would allow the criminals to remotely\r\nmanage the victims’ mobile devices.\r\nOn these fraudulent websites, cybercriminals provide full instructions on how to install malicious\r\napplications. The instructions are written in Thai and are shown below as an example. We have\r\nbriefly described what happens when the victim opens the received URL:\r\n1. The victim opens the URL.\r\n2. The system notices that the website is trying to download a configuration profile and asks for\r\npermission to install it.\r\n3. The victim must then press a button, indicating that they trust this configuration.\r\n4. Safari automatically opens the URL.\r\n5. Finally, the website asks the victim to authorize the installation of the Trojan.\r\nFigure 11. Example of guide to install MDM profile for victims found on cybercriminals’ website\r\n(inactive at the moment)\r\nOnce this profile is installed, cybercriminals gain unauthorized control over the device. 
Mobile device\r\nmanagement offers a wide range of features such as remote wipe, device tracking, and\r\napplication management, which the cybercriminals take advantage of to install malicious\r\napplications and gain the information they need.\r\nFigure 12. Example of an MDM profile installed by GoldFactory’s victims\r\nThe GoldPickaxe.iOS Trojan installed as part of the MDM abuse scheme disguises itself as a Thai\r\ngovernment service app.\r\nFigure 13. Login page of the GoldPickaxe.iOS Trojan disguised as a Thai government service app\r\nSo far, we have presented the fraud scheme in the abstract; we now discuss the features of the\r\nmalware in detail below.\r\nGoldFactory targets the iOS and Android mobile operating systems, bypassing the most stringent\r\nsecurity controls and rigorous filtering. As with all Android Trojans, the threat actor tricks the user\r\ninto installing and opening a malicious application, which we discussed in detail above. The victim\r\nthen just needs to give the malware the necessary permissions. Once these permissions are granted,\r\nthe sophisticated suite of GoldFactory’s Trojans operates almost autonomously, manipulating the\r\nvictim’s device without their knowledge. GoldFactory’s Android Trojans obtain screen content\r\ninformation by abusing accessibility services and display fake web forms that mimic legitimate\r\nbanking interfaces to capture the user’s credentials. This would even bypass two-factor\r\nauthentication (2FA).\r\nIn light of recent developments, it is significant to highlight the new policy in Thailand that requires\r\nusers to confirm larger transactions using facial recognition. 
This additional security measure is\r\ndesigned to protect users from fraudulent activity.\r\nHowever, GoldFactory has learned how to bypass these restrictions and has developed a highly\r\nsophisticated malware family. GoldPickaxe prompts the victim to record a video as a confirmation\r\nmethod in the fake application. The recorded video is then used as raw material for the creation of\r\ndeepfake videos facilitated by face-swapping artificial intelligence services.\r\nGoldPickaxe Trojans for iOS and Android platforms have additional capabilities, such as requesting\r\nthe victim’s ID documents, intercepting SMS, and proxying traffic through the victim’s\r\ninfected device. These functionalities will be detailed in the next section.\r\nGoldPickaxe does not directly perform unauthorized transactions from the victim’s phone. Instead, it\r\ncollects all the necessary information from the victim to autonomously access the victim’s banking\r\napplication.\r\nFacial recognition is actively used by Thai financial organizations for transaction verification and\r\nlogin authentication. As a result, GoldPickaxe’s facial recognition video capture capabilities,\r\ncombined with the ability to intercept SMS messages and obtain photos of ID documents provide\r\ncybercriminals with the opportunity to gain unauthorized access to bank accounts. Nevertheless,\r\nwe have not observed documented cases of cybercriminals utilizing this stolen data to gain\r\nunauthorized access to victims’ bank accounts in the wild.\r\nWe hypothesize that the cybercriminals are using their own devices to log in to bank accounts. The\r\nThai police have confirmed this assumption, stating that cybercriminals are installing banking\r\napplications on their own Android devices and using captured face scans to bypass facial\r\nrecognition checks to perform unauthorized access to victims’ accounts.\r\nFigure 14. 
Scheme illustrating how GoldPickaxe Trojans extract money from victims’ devices\r\nListening is gold: analyzing technical\r\ncapabilities of Trojans developed by\r\nGoldFactory\r\nIn this section, we will have a look at the technical aspects of the newly identified mobile Trojans in\r\nuse by GoldFactory. Currently, we have categorized these Trojans into two primary families:\r\nGoldPickaxe and GoldDigger (and its newer version GoldDiggerPlus). GoldPickaxe appears in two\r\ndistinct variants – iOS and Android – while GoldDigger targets Android devices exclusively,\r\npresenting three different variants.\r\nAlthough GoldPickaxe and GoldDigger share common code, GoldPickaxe differs in its primary goal\r\nby focusing on the gathering of personal information from victims, in contrast to GoldDigger’s focus\r\non banking credentials. GoldPickaxe has capabilities such as capturing video of victims’ faces,\r\nexfiltrating identity documents, and proxying traffic through victims’ phones. Conversely,\r\nGoldDigger is specifically designed to steal banking credentials.\r\nAnalysis of the Android variants in the GoldDigger family is challenging as all samples observed are\r\nwrapped in the VirBox packer – an advanced protection layer against both static and dynamic\r\nanalysis, requiring additional time for analysis. In contrast, the GoldPickaxe.iOS version is unpacked\r\nand without evasion techniques. Operators can disable its functionality during the control phase,\r\nwhich underlines the careful way in which cybercriminals choose their victims.\r\nBoth Trojan families, GoldPickaxe and GoldDigger, employ a dual communication approach with the\r\ncommand-and-control (C2) server, utilizing Websocket and HTTP concurrently. Websocket serves\r\nas the channel for receiving commands, typically positioned on port 8282 for controlling Android\r\ndevices and 8383 for iOS devices. 
Executed results are then transmitted via HTTP to their\r\nrespective API endpoints, primarily for exfiltrating information from infected devices and reporting\r\nthe outcomes of executed commands, all formatted in JSON. It is also worth noting that both\r\nGoldPickaxe and GoldDiggerPlus exfiltrated data from infected devices to Alibaba cloud storage.\r\nDuring our research, we concluded that GoldFactory’s mobile banking Trojans are still evolving. For\r\nexample, the Android malware contains handlers that are not implemented or functions left unused.\r\nTherefore, we assume that new versions will be released in the near future. Let’s now examine\r\neach version of the Trojan in detail to gain a full understanding of its functionality.\r\nGoldPickaxe Family\r\nThe GoldPickaxe family is available on iOS and Android platforms. When the iOS Trojan was\r\ndiscovered, we believed that it was a modification of the GoldDigger variant for Android. However,\r\nthe functionalities of the iOS Trojan did not match that of its Android predecessor due to Apple’s\r\nplatform restrictions. Despite the differences, we confirmed that the iOS Trojan was developed by\r\nthe same threat actor as GoldDigger for several reasons: the chosen communication mechanism\r\nand the use of the same cloud bucket URL. Eventually, we discovered a similar application\r\ndeveloped for Android, mirroring the functionalities of the malware for iOS. Hence, we decided to\r\ncategorize this as a new family separate from GoldDigger.\r\nGoldPickaxe.iOS malware exhibits fewer functionalities compared to its Android sibling due to the\r\nclosed nature of the iOS platform and the relatively stricter nature of iOS permissions. As a result, the\r\niOS version of GoldPickaxe is limited, as it is difficult for iOS malware to achieve the same level of\r\nfunctionality as its Android siblings.\r\nAnother feature of GoldPickaxe is that it creates a SOCKS5 proxy server and Fast Reverse Proxy\r\n(FRP). 
In order to integrate the FRP library, which was written in Go, it utilized Golang mobile binding\r\nfor both Android and iOS. This helps to expose the local server behind a Network Address\r\nTranslation (NAT) or firewall to the internet. All traffic is then redirected through the phone’s proxy\r\nserver, which is started at the same time. We assume that attackers are following these steps to\r\nconnect to a compromised phone and make a transaction bypassing anti-fraud measures by using\r\nthe same fingerprint of the device.\r\nBoth versions of GoldPickaxe use fake login pages that prompt users to enter their credentials to\r\naccess the fake Digital pension application. It’s not known exactly what the cybercriminals do with\r\nthis information, but our guess is that it helps them avoid detection. By looking at the information\r\nentered, they can presumably determine whether the device belongs to a real user or a security\r\nresearcher. Group-IB researchers believe that the threat actor requests the phone number to get\r\nadditional details about the victims, specifically seeking information about banking accounts\r\nassociated with the victim. This enables the threat actor to identify and install specific banking apps\r\nduring the money theft stage. The same tactics were used in Gigabud.RAT/Loan.\r\nFigure 15. Login page of the fake app impersonating Digital Pensions in iOS and Android\r\nGoldPickaxe.iOS\r\nAs mentioned above, the functionality of the iOS version of GoldPickaxe is somewhat limited,\r\ncompared to its Android version. Without extensive knowledge of its Android siblings, classifying it\r\nwithin this family would be challenging. 
However, our careful analysis has revealed a similarity in\r\ncommunication methods with C2 servers, identical credentials, and shared HTTP API endpoints\r\nwhen compared to the Android version. These accumulated indicators clearly attribute it to the\r\nGoldPickaxe malware family. In the discovered malicious application, all the messages shown to the\r\nvictims were written in the Thai language; for this reason, we assume that the discovered application is\r\ntargeting victims in Thailand.\r\nThe malware’s capabilities are not just limited to the extraction of photos from device libraries.\r\nThe malware can also collect SMS messages, capture the victim’s face, and proxy network\r\ntraffic through the victim’s device. Like its Android sibling, the malware uses three\r\ncommunication mechanisms: a web socket for receiving commands, the HTTP API for\r\ntransmitting the results of executed commands, and a communication channel with a cloud\r\nbucket for information exfiltration. In addition, cybercriminals can also request additional\r\ninformation such as a photo of the victim’s ID card.\r\nThe initial phase involves the creation of recurring tasks that are scheduled to run periodically.\r\nThese tasks include sending a heartbeat to indicate device activity, verifying application\r\npermissions, checking the status of the connection to WiFi and assessing connection speed, the latter of\r\nwhich is done by using the PPSPing library. Requests will be sent to www.google.com, and the\r\nconnection speed results will be sent to the C2 server. This metric can be used to choose a suitable\r\ntime for exfiltration.\r\nOnce started, GoldPickaxe.iOS will attempt to connect to the websocket using the JetFire library.\r\nThis library is used to implement websocket clients that can communicate in the background\r\nwithout blocking. 
If it connects successfully, it starts the SOCKS5 server on the local host\r\n(127.0.0.1:1081). To implement the proxy functionality, they used a lightweight project available on\r\nGitHub – MicroSocks. At the same time, the reverse proxy is started to enable the connection.\r\nBefore starting, GoldPickaxe makes an HTTP request to obtain a proxy server configuration. The\r\nserver configuration is stored on the phone in a file called newconfig.ini in the Documents folder.\r\nThe compromised phone then receives a configuration containing the address of a server under\r\nfraudulent control. It uses the following template, which is available in the IPA file:\r\n[common]\r\nserver_addr = #server_addr\r\nserver_port = #server_port\r\ntoken = #token\r\n[#adid]\r\ntype = tcp\r\nlocal_ip = 127.0.0.1\r\nlocal_port = 1081\r\nremote_port = #remote_port\r\nThe websocket listener can process only six commands. To uniquely identify infected devices on\r\nthe backend, the ID is generated on a phone and sent in response to one of the commands via\r\nHTTP requests. As a unique identifier for victims, cybercriminals chose Identifiers for Advertisers\r\n(IDFA). SimulateIDFA combines many pieces of device information to create an ID that helps\r\ndistinguish one device from another. The infected device can be disabled manually by a\r\ncommand from cybercriminals. The full list of commands is presented below:\r\nTable 1. The description of GoldDigger’s commands for iOS\r\nhead_type | cmd | Description\r\nHeartbeat | – | Send an alive ping to C2\r\ninit | – | Send information about the compromised phone\r\nmessage | upload_idcard | Request ID card\r\nmessage | face | Request a video of the face\r\nmessage | upgrade | Display that the system is in use and do not use mobile phones\r\nmessage | album | Synchronise photo library\r\nmessage | again_upload | Upload the video with the victim’s face. 
Highly likely to be used once\r\nnetwork errors appear during execution of the face command\r\nmessage | destory | Disable the application\r\nTwo commands require interaction with the victim. The first command asks for an ID card to be\r\nuploaded. Both sides of the card are required by cybercriminals: front and back. Once the command\r\nhas been sent to a phone, a view with tips opens and waits for the user to perform the necessary\r\nsteps (see Figure 17). The photos are then sent to the C2 server.\r\nIn addition, a photo of the victim’s face can be requested. With the “face” command, a special\r\nview is shown to capture the face of the victim. Before capturing, the application shows tips: “Please\r\nhold the camera steady”, “Please blink”. The developers also used Google’s ML Kit for face\r\ndetection. The captured output is then uploaded to the cloud.\r\nFigure 16. Displaying the view to request access\r\nrights in the fake iOS app\r\nThe descriptions of the HTTP API used in the iOS variant of the Trojan are shown below:\r\nTable 2. 
API endpoint descriptions for the iOS version of GoldPickaxe\r\nAPI Endpoint | Description\r\n/api/apple/applyauth | Send status of permission\r\n/api/apple/changesignal | Send the result of ping\r\n/api/apple/changewifistatus | Show status of connection to WiFi network\r\n/api/apple/checkdestruction | Check on the back end if the application should be running\r\n/api/apple/getfrpconfig | Get configuration for fast reverse proxy\r\n/api/apple/login | Send a phone number and username from the login page\r\n/api/apple/online | Send after receiving “heartbeat” messages from C2\r\n/api/apple/savealbum | Send URL to photo\r\nIn addition to the main application, the malware developer has included an application extension.\r\nIn iOS development, an app extension is a way to extend the functionality of an application beyond\r\nits core features. App extensions allow developers to provide additional functionality that can be\r\nused in different contexts, such as sharing content, providing widgets, custom keyboards, and\r\nmore.\r\nOne of the extensions available for development is message filtering. It was originally introduced\r\nto allow third parties to fight SMS spam. By exploiting this functionality, GoldFactory implemented\r\ntheir own version of message filtering to harvest messages from victims’ devices. Apple imposes\r\ncertain restrictions: custom message filters are only able to access messages from\r\nnumbers that are not present in the contact list. Another limitation that presents a challenge for\r\ncybercriminals is that victims must manually enable the installed message filter. We believe that the\r\noperators will deceive the victims into enabling this feature.\r\nFigure 17. 
Displaying the threat actors’ message\r\nfilter\r\nThe API allows the threat actor to specify a relay in the app extension’s info.plist to send all\r\nmessages to the external server:\r\n<key>NSExtension</key>\r\n<dict>\r\n  <key>NSExtensionPrincipalClass</key>\r\n  <string>MessageFilterExtension</string>\r\n  <key>NSExtensionAttributes</key>\r\n  <dict>\r\n    <key>ILMessageFilterExtensionNetworkURL</key>\r\n    <string>https://REDACTED/api/apple/sms_</string>\r\n  </dict>\r\n  <key>NSExtensionPointIdentifier</key>\r\n  <string>com.apple.identitylookup.message-filter</string>\r\n</dict>\r\nGoldPickaxe.Android\r\nThe Android variant of GoldPickaxe has more functionalities than its iOS counterpart.\r\nMoreover, we also found that it disguises itself as over 20 different applications from\r\nThailand’s government, the financial sector, and utility companies, allowing the operators to\r\nsteal login credentials from these services.\r\nIt does appear that GoldPickaxe.Android is an evolved iteration of GoldDiggerPlus, which we will\r\ndiscuss later. This hypothesis is supported by the presence of many leftover functions that are\r\nseemingly left unused.\r\nAfter entering the username and phone number on the first login page, the victim will be directed to\r\nthis page to set a password for the Digital Pension app. It also performs password validation, which\r\nstipulates that if any of the keyed-in numbers are consecutive, the password validation will fail.\r\nOnly after this will the application launch the Settings page and request to enable Accessibility\r\nService.\r\nFigure 18. 
Password request screen in the fake Digital\r\nPension app\r\nIn this Trojan, AccessibilityService is leveraged for reading the User Interface (UI) and keylogging.\r\nEvery 800ms, information displayed on the UI is updated on the C2 side.\r\nThe key functionalities of this Trojan are to steal ID pictures by requesting the user to take a\r\nphoto of them, retrieve pictures from the victim’s album, and capture facial recognition data.\r\nTo exploit the stolen biometric data, they employ AI-driven face-swapping services, allowing them to\r\nauthorize in the victim’s banking application – a technique we have not observed in other fraud\r\nschemes. When the command `face` is given, a facial scan will be conducted with the session\r\nrecorded and uploaded. Similarly to the iOS version, when recording a video of their faces, a few\r\ninstructions will be given such as to blink, smile, face left, face right, nod down, up and to open\r\nmouth. This approach is commonly used to create a comprehensive facial biometric profile.\r\nThese videos and pictures are uploaded to the cloud bucket.\r\nFigure 19. A series of screenshots displaying how GoldPickaxe for Android captures a facial\r\nbiometric profile\r\nFigure 20. Screenshot displaying the ID card\r\nrequest screen\r\nCommands received from the C2 via the websocket are not encrypted but results sent to the HTTP\r\nAPI endpoint are encrypted using RSA encryption.\r\nSimilar to the iOS version, it also starts up a SOCKS5 proxy server (127.0.0.1:1081) and FRP. The\r\nconfiguration values needed to start the reverse proxy have to be requested from C2, and these values\r\nare stored in `config.ini` inside the application directory. 
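The two on-device artefacts described above, the frp client configuration (newconfig.ini on iOS, config.ini on Android) and the message-filter extension's info.plist with its ILMessageFilterExtensionNetworkURL relay, are the kind of evidence an analyst can check mechanically when triaging an extracted IPA or an APK's data directory. The Python script below is an added example and is not code from the Group-IB report or from the malware. It parses a constructed frp config modelled on the template shown for the iOS version and a constructed Info.plist modelled on the extension snippet, and reports the remote frp server, the loopback service being published, and the SMS relay URL. The host names and token are fabricated stand-ins (example.invalid is a reserved test domain); REDACTED is the report's own placeholder for the C2 host.

```python
"""Static triage of two GoldFactory artefacts (added example, not the report's code)."""
import configparser
import plistlib
from typing import Optional

MESSAGE_FILTER_POINT = "com.apple.identitylookup.message-filter"

# Constructed sample: the template from the IPA with its #placeholders filled
# with obviously fake values (example.invalid is a reserved test domain).
SAMPLE_FRP_CONFIG = """\
[common]
server_addr = frp.example.invalid
server_port = 7000
token = sample-token

[0000-1111-2222]
type = tcp
local_ip = 127.0.0.1
local_port = 1081
remote_port = 40001
"""

# Constructed sample mirroring the extension Info.plist shown in the report.
SAMPLE_FILTER_PLIST = b"""\
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSExtension</key>
  <dict>
    <key>NSExtensionPrincipalClass</key>
    <string>MessageFilterExtension</string>
    <key>NSExtensionAttributes</key>
    <dict>
      <key>ILMessageFilterExtensionNetworkURL</key>
      <string>https://REDACTED/api/apple/sms_</string>
    </dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.identitylookup.message-filter</string>
  </dict>
</dict>
</plist>
"""


def parse_frp_config(text: str) -> dict:
    """Summarise an frp client config: where it connects and what it exposes."""
    cfg = configparser.ConfigParser()  # values like '#token' survive: no inline comments
    cfg.read_string(text)
    common = cfg["common"] if cfg.has_section("common") else {}
    tunnels = []
    for name in cfg.sections():
        if name == "common":
            continue
        sec = cfg[name]
        if sec.get("type", "").lower() != "tcp":
            continue
        tunnels.append({
            "name": name,
            "local": f"{sec.get('local_ip', '')}:{sec.get('local_port', '')}",
            "remote_port": sec.get("remote_port", ""),
        })
    return {
        "server": f"{common.get('server_addr', '')}:{common.get('server_port', '')}",
        "tunnels": tunnels,
        # A config that publishes a loopback port (here the SOCKS5 listener on
        # 127.0.0.1:1081) to a remote frp server is the signal worth alerting on.
        "exposes_local_service": any(t["local"].startswith("127.0.0.1:") for t in tunnels),
    }


def inspect_extension_plist(plist_bytes: bytes) -> Optional[dict]:
    """Return relay details if the plist declares a message-filter extension.

    Returns None for any other extension point (share, widget, keyboard, ...).
    """
    info = plistlib.loads(plist_bytes)
    ext = info.get("NSExtension")
    if not isinstance(ext, dict) or ext.get("NSExtensionPointIdentifier") != MESSAGE_FILTER_POINT:
        return None
    attrs = ext.get("NSExtensionAttributes") or {}
    url = attrs.get("ILMessageFilterExtensionNetworkURL")
    return {
        "principal_class": ext.get("NSExtensionPrincipalClass"),
        "relay_url": url,
        # Apple forwards filtered SMS to this URL, so a value here means
        # message content leaves the device: that is the behaviour to review.
        "relays_sms_offdevice": url is not None,
    }


if __name__ == "__main__":
    print(parse_frp_config(SAMPLE_FRP_CONFIG))
    print(inspect_extension_plist(SAMPLE_FILTER_PLIST))
```

The same two functions can be pointed at real files: the Info.plist of each bundle under PlugIns/*.appex in an unpacked IPA, and any .ini found in an app's Documents or data directory. Both parsers are also fed the raw template with its #placeholders, which configparser accepts unchanged, so a config that was never filled in is still recognisable.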
The format of the configuration values is\r\nsimilar to those stated in the iOS version.\r\nIt can download and install a separate ‘B’ APK. Unfortunately, we did not manage to retrieve the ‘B’\r\nAPK for this Trojan, hence we are unable to tell what functionalities the ‘B’ APK can perform. However,\r\nwe believe that it could be similar to GoldKefu, the ‘B’ APK embedded in GoldDiggerPlus. As\r\nmentioned earlier, GoldKefu is a Trojan that performs web fakes and enables real-time voice\r\ncalls. GoldKefu will be analyzed in detail in the subsequent section. Hence, we used GoldKefu as a\r\nreference to make educated guesses about the capabilities of the ‘B’ APK for GoldPickaxe.\r\nHere is the list of commands supported:\r\nTable 3. Description of GoldPickaxe.Android’s commands\r\nhead_type | cmd | Description\r\nHeartbeat | – | Send an alive ping to C2\r\ninit | – | Send information about the compromised phone such as device product, brand, model, language, battery, country, isp\r\n | sync | Get current UI node information\r\n | click | Click at given coordinate\r\n | longclick | Long press at given coordinate\r\n | slide | Slide\r\n | menu | Open recents\r\nThe descriptions of the HTTP API used in the Android variant of the Trojan are shown below:\r\nTable 4. 
Description of GoldPickaxe.Android’s API endpoints\r\nAPI Endpoint | Description\r\n/api/app/uploadidcard | Send cloud URL of the uploaded ID card images\r\n/api/app/login | Submit username and phone number that the user keyed in on the fake login page\r\n/api/app/getfrpconfig | Get configuration values for fast reverse proxy\r\n/api/app/getBPackageUrl | Retrieve URL for ‘B’ package\r\n/api/app/applyauth | Report what permissions it has\r\n/api/app/applynoauth | Report what permissions it does not have\r\n/api/app/changesignal | Report ping speed\r\nGoldDigger Family\r\nGoldDigger shares more in common with the usual banking Trojans. Firstly, we have only found\r\nAndroid variants of GoldDigger. The malware employs Virbox Protector – an\r\nAndroid packer. It is a software protection solution that companies use to prevent their software\r\nfrom being cracked. It includes anti-reverse engineering features such as dex encryption, dex\r\nvirtualization, assets encryption, and protecting the native libraries used by the application.\r\nThe protector is also able to detect rooted and emulated devices.\r\nAs another step towards maturity, to make detection harder, GoldDigger decided to abuse a flaw in Android’s\r\nparsing of the BinaryXML format, causing many third-party tools to fail when parsing\r\nthe AndroidManifest.xml file.\r\nGoldDigger\r\nThis is the very first variant of GoldDigger that Group-IB discovered and it is still in circulation. Its\r\nfunctionality is of the most basic nature, retrieving banking credentials mainly by exploiting the\r\nAccessibility Service. To date, we have only found that it impersonates 2 different applications: a\r\nVietnamese government information portal and a Vietnamese local electricity company.\r\nFigure 21. 
Screenshots of GoldDigger Trojan (Left: Landing screen, Right: After enabling\r\nAccessibility Service)\r\nWhen launched, the GoldDigger Trojan asks the user to enable the Accessibility Service\r\npermissions. Android’s accessibility services are originally intended to assist users with disabilities in\r\noperating their devices, such as screen reading, gesture-based controls, speech-to-text, and others.\r\nGranting Accessibility Service to GoldDigger enables it to gain full visibility into user actions and\r\ninteract with user interface elements. This means it can see the victim’s balance, harvest the second\r\ncredential issued for two-factor authentication, and implement keylogging functions, allowing it to\r\ncapture credentials.\r\nAfter Accessibility Service is enabled, it will grant itself additional permissions, such as allowing\r\nnotifications, hiding from recent tasks, and keeping itself running in the background, all done with\r\na series of simulated clicks.\r\nThe primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial\r\ncompanies, including their package names in the Trojan. Whenever the targeted applications\r\nopen, it will save the text displayed or written on the UI, including passwords, when they are\r\nentered. The Trojan also exhibits evasion capabilities by including the names of more than 40 mobile\r\nantivirus applications. Whenever a user attempts to open any of these applications, the malware\r\nredirects them to the Home screen, rendering victims unable to access the intended application.\r\nThis version of GoldDigger contains debugging logs. Moreover, it hardcodes a pair of domains, one\r\ndomain for testing purposes and the other for real execution. 
Coupled with the fact that it was the\r\nvery first discovered Trojan, we believe that this is the base version of GoldFactory malware before it\r\nevolved to other variants.\r\nHere is the list of commands supported:\r\nTable 5. Description of GoldDigger’s commands\r\nhead_type | cmd | Description\r\nHeartbeat | – | Send an alive ping to C2\r\ninit | – | Send information about the compromised phone such as product, brand, model, android_id, country, language, isp, version\r\n | sms | Get phone messages\r\n | sync | Get current UI node information\r\n | night / upgrade / sunlight | Different mask modes\r\n | wake | Wake phone\r\nThe descriptions of the HTTP API used in the GoldDigger variant are shown below:\r\nTable 6. API endpoint descriptions for GoldDigger\r\nAPI Endpoint | Description\r\n/api/app/canuninstall | Check if app can be uninstalled\r\n/api/app/updatedevice | Update device information such as battery percentage, SMS permission\r\n/api/app/updateauth | Update that the device has been “initialized” – additional permissions granted, battery optimizations ignored, notifications enabled, etc.\r\n/api/app/savedevice2 | Send device information such as: product, brand, model, android_id, country, language, isp, version\r\n/api/app/getpackage | Update targeted apps list\r\n/api/app/isonline | Alive ping is sent every 30 seconds\r\nGoldDiggerPlus\r\nDetected by Group-IB in September 2023, GoldDiggerPlus differs from other Trojans attributed to\r\nGoldFactory. Notably, it contains a second APK also named “b.apk” and has the most extensive\r\nfeatures. But unlike GoldPickaxe, the b.apk is embedded in GoldDiggerPlus, thus we were able to\r\nanalyze it.\r\nGroup-IB dubbed the second APK embedded in GoldDiggerPlus GoldKefu, as “kefu” means\r\ncustomer service (客服) in Chinese and this string appears in its code recurrently. 
The naming\r\nconvention was also selected to reflect one of GoldKefu’s main functions – the ability to call the\r\nvictims impersonating customer support services. The 2 APKs, GoldDiggerPlus and GoldKefu, work\r\nin tandem to execute their full capabilities. We hypothesized that this is a transitory phase to the\r\nGoldPickaxe Trojan, seeing as this version has the most experimental functions, and yet is not as\r\nwidely distributed as GoldDigger. This version has an initial login page, asking for a username and\r\nphone number, and these will be sent to the C2 once submitted. After logging in, it will request to\r\nenable Accessibility Service.\r\nFigure 22. Display screen for GoldDiggerPlus\r\nIn contrast with GoldDigger, which relies mainly on Accessibility Service, GoldDiggerPlus and\r\nGoldKefu use webfakes to collect credentials or perform targeted scam calls instead. We\r\nconclude that the main purpose of GoldDiggerPlus is to authenticate itself to the C2 server,\r\nperform automated clicks when permissions are requested, record the screen, and stream the\r\nfeed via Real-Time Messaging Protocol (RTMP).\r\nIt also makes an improvement over GoldDigger in the area of granting permissions. It now takes a\r\nmore modular and controlled approach, in which a permission is requested and granted only when the C2\r\nissues the command. It does not grant all the permissions at once like GoldDigger.\r\nHere is the table of commands available from GoldDiggerPlus:\r\nTable 7. 
Description of GoldDiggerPlus’s commands\r\nhead_type | cmd | Description\r\nHeartbeat | – | Send an alive ping to C2\r\ninit | – | Send information about the compromised phone\r\n | sync | Get current UI node information\r\n | click | Click at given coordinate\r\n | longclick | Long press at given coordinate\r\n | slide | Slide\r\n | menu | Open recents\r\n | home | Home\r\nGoldKefu\r\nAs previously mentioned, GoldKefu is an embedded APK inside GoldDiggerPlus. In the sample\r\nanalyzed by Group-IB’s Threat Intelligence unit, GoldKefu impersonates a popular Vietnamese\r\nmessaging app using its logo.\r\nFigure 23. Installation of GoldKefu\r\nGoldKefu performs the role of stealing mobile banking credentials. Every 500 milliseconds,\r\nGoldKefu checks if the most recently opened application belongs to the target list, and if the\r\n“allow_alert” command is given, the webfake will be launched instead. It has a reduced target list of\r\nonly 10 applications from Vietnamese financial companies.\r\nFigure 24. Samples of web fakes embedded in GoldKefu impersonating Vietnamese financial\r\norganizations\r\nOne key feature is the integration of the Agora Software Development Kit (SDK). This SDK\r\nintroduces features such as real-time voice and video calls. To join a call channel, it will retrieve\r\nthe necessary configurations, such as appId, channel name, and token, from the C2. When the `call`\r\ncommand is used, the Trojan will also retrieve some fake values such as username, number, and icon\r\nto display, i.e. what brand it is pretending to be. Group-IB’s Threat Intelligence unit believes that the\r\ngroup has Thai and Vietnamese-speaking operators.\r\nThere is also a `send_call` command that displays a fake alert. This is a scare tactic, instilling fear in\r\nthe victim. 
The default text in the fake alert roughly translates as “3 million Thai baht has been\r\ntransferred to another person. The transaction will be completed in 10 minutes and if the transaction\r\nis not done by you, please contact bank customer service.” This default text is in Chinese but all\r\nof this text can be replaced with custom text sent from the C2, which most likely will be localized. Victims\r\nwill be tricked into clicking the “Contact bank customer service” button.\r\nWhen the victim clicks on the ‘contact’ button, it will join a call channel created by the cybercriminal.\r\nIt will also display a call screen, with the displayed text pretending to be a fake bank customer\r\nservice.\r\nIf the victim closes the alert, a message will be sent to the C2: “用户主动关闭短信，但是能确认用户已读，可\r\n考虑主动出击”, which translates to “User closed the message, but has read it. Consider active\r\nintervention”. We suppose that the cybercriminal operators will initiate the call in such situations.\r\nFigure 25. Fake alert screen (scare tactic) and call screen with arbitrary values inserted by analyst\r\nIt can also prevent bank applications from opening. Contrary to GoldDigger, where the user is simply\r\nredirected to the Home screen, GoldKefu displays a fake “bank error” alert. The text directly\r\ntranslates to: “Your bank account is in an unusual state. The protected mode is switched on.\r\nYou can contact the bank customer service to unfreeze your account.” This is the default text\r\nbut will be overwritten by the custom text sent by the C2. This renders victims unable to access the\r\nintended application.\r\nFigure 26. Fake bank error alert\r\nThere is an interesting twist to this prevention mechanism. 
When the victim clicks on the contact\r\ncustomer service button on this alert, it will check if the current time falls within the working\r\nhours of the cybercriminals, with the timezone set to GMT+8. If it does, it will try to find a free\r\noperator to call through. It is almost as if the cybercriminals are operating a legitimate\r\ncustomer service center.\r\nAll earlier mentioned variants use websockets to listen for commands and send back executed\r\nresults via HTTP to their corresponding API endpoints, with most data usually encrypted with RSA\r\nencryption. However, GoldKefu does use the websocket to send back time-sensitive data,\r\nspecifically relating to calls.\r\nOther smaller features include setting up a BroadcastReceiver to listen for incoming SMS and\r\nupload them to the C2. It is also worth noting that the `album` command only uploads the 10 most recent\r\nphotos whereas GoldPickaxe for Android uploads 100 photos.\r\nHere is the table of commands available from GoldKefu:\r\nTable 8. Description of commands for GoldKefu\r\nhead_type | cmd | Description\r\nHeartbeat | – | Receive a client_id and send an alive ping to C2\r\ninit | – | Send information about the compromised phone\r\n | sync | (Not implemented)\r\n | screenshot | (Not implemented)\r\n | night / sunlight / upgrade | Different screen mask modes\r\n | sms | Obtain phone SMS\r\n | alert | Fake bank alert, entice victim to open the real bank app\r\n | up | Fake bank alert, entice victim to open the real bank app\r\nThe tables below contain API endpoint descriptions for both GoldDiggerPlus and GoldKefu:\r\nTable 9. 
Combined API endpoint descriptions for GoldDiggerPlus and GoldKefu\r\nAPI Endpoint | Description\r\n/api/app/login | Submit username and phone number that the user keyed in on the fake login page\r\n/api/app/applyauth | Report what permissions it has\r\n/api/app/applynoauth | Report what permissions it does not have\r\n/api/app/savedevicea | Send device information from GoldDiggerPlus\r\n/api/app/savedeviceb | Send device information from GoldKefu\r\n/api/app/getdownloadurl | Get download URL for the b package, but unused\r\n/api/app/getbankconfig | Retrieve configuration values for a fake bank alert\r\nGoldFactory’s cybersecurity bonanza: the\r\nnew gold rush\r\nThe recent increase in mobile Trojans plaguing banks in APAC countries like Vietnam and Thailand\r\nis partially attributed to the group GoldFactory, an organized collective of Chinese-speaking\r\ncybercriminals. We believe that they are a resourceful team involving numerous individuals in the\r\nprocesses of Trojan development, distribution, and financial theft. The team comprises distinct\r\ndevelopment and operator groups dedicated to specific regions. We found that different iterations of\r\nGoldFactory malware are actively distributed across different countries simultaneously. To date, we\r\ncan only confirm that GoldDigger, GoldDiggerPlus, GoldKefu, and GoldPickaxe are the handiwork of\r\nthe group.\r\nTheir operators are well-versed in the native language used in the targeted country to conduct the\r\nfraud effectively. We are also inclined to believe that the teams operate within the 2 targeted\r\ncountries (GMT+7) even though their code stated that their working hours are in the timezone\r\nof GMT+8. 
We are unsure if the developer wrote GMT+8 out of habit or whether they work remotely and\r\nstill reside within that timezone.\r\nGoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility\r\nkeylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial\r\nrecognition data collection. Equipped with diverse tools, they have the flexibility to select and\r\nexecute the most suitable one that fits the scenario. They are a strategic and well-orchestrated\r\nteam. The news of the Thailand policy on facial biometrics verification was released in March 2023,\r\nto be enforced by July. We discovered the earliest traces of GoldPickaxe in early October. As a\r\nresult, we posit that a total of three months was used to research, conceptualize, implement, and\r\ntest new facial recognition data collection features. They are aware of their target landscape and are\r\nconstantly improving their toolset to tailor it to their target environment. Their developers\r\ndemonstrate their relatively high proficiency in software development as well.\r\nWe have indications to suggest that the team is Chinese-speaking. Debugging strings in Chinese\r\nwere found throughout all the malware variants and their C2 panels are in Chinese. Additionally, the\r\nteam has a preference for using Chinese-developed software such as Aliyun Cloud, Virbox\r\nProtector, and the ThinkPHP framework.\r\nTable 10. Example of log strings from iOS application\r\nSimplified Chinese | Translated to English\r\n上传失败: %@ | upload failed: %@\r\n上传文件进度: %f | Upload file progress: %f\r\n收到消息: %@ | Received the news: %@\r\n断开重连，websocket is disconnected: %@ | Disconnect and reconnect, websocket is disconnected: %@\r\n状态: %d | Status: %d\r\n转换失败: %@ | Conversion failed: %@\r\nFigure 27. 
Example of login to the GoldDigger admin panel\r\nGigabud, GoldDigger’s older brother?\r\nGoldDigger and Gigabud malware families are some of the most active mobile Trojans in the\r\nAPAC region based on the recent findings of Group-IB’s Threat Intelligence unit. GoldDigger and\r\nGigabud can be easily mistaken for each other during analysis. The similarities in their\r\nimpersonation targets and landing pages can potentially lead to confusion, despite their inherent\r\ndifferences. They are two distinct families, easily told apart by large disparities in their codebases.\r\nGigabud has a better software architecture and adheres to a more logically structured codebase,\r\nusing the Model-View-Controller (MVC) architecture. On the other hand, GoldDigger relies heavily\r\non handlers and callback functions. Further, Gigabud uses the Retrofit library to communicate with\r\nits HTTP API endpoints, whereas GoldDigger simply uses the OkHttp library. Their command and\r\ncontrol tables are remarkably different as well.\r\nDuring our investigation, we discovered a few similarities between the campaigns using these two\r\nTrojans. However, we are hesitant to attribute the initial development of Gigabud to GoldFactory,\r\nand only conclude that they do distribute it.\r\nSamples\r\nAround the time when Group-IB researchers first discovered GoldDigger, we noticed that Gigabud’s\r\nsamples were starting to be packed with Virbox Protector as well. Furthermore, Gigabud has been\r\nfrequently active in Vietnam as of late. Dating back to July 2023, we also found that Gigabud did\r\nonce attempt to masquerade as a Vietnamese Government information portal, the favorite\r\nimpersonation target of GoldDigger.\r\nIn one of our recent analyses of a Gigabud sample targeting Thailand, we found that it has also\r\nmimicked the Digital Pension application. 
In addition, Gigabud has started incorporating new\r\nfeatures such as FRP, identity document collection, capturing facial recognition data, and the inclusion\r\nof the Agora SDK, analogous to the new features found in GoldPickaxe.\r\nFigure 28. Gigabud’s Digital Pension login screen\r\nLanding sites\r\nWe noticed similarities in the landing pages where they distribute the malware. A click on the small\r\nfloating window on the right leads to the download of the APK at URI path /image.\r\nFigure 29. Landing pages – GoldDigger (left), Gigabud (right)\r\nThere is almost no noticeable difference between the fake Digital Pension distribution pages of\r\nGoldPickaxe and Gigabud.\r\nFigure 30. Landing pages – GoldPickaxe (left), Gigabud (right)\r\nOn their landing pages, they used a short script to check if one was using an Apple device to open the\r\nlanding page. If true, nothing will be displayed.\r\nFigure 31. User-agent checking script on landing pages – GoldDigger (left), Gigabud (right)\r\nInfrastructure\r\nWe discovered overlaps in their infrastructure. They supported RTMP streaming in\r\nGoldDiggerPlus and we found that they hosted Simple Realtime Server (SRS) version 6.0.59 on\r\ntheir server. SRS is a high-efficiency, realtime video server. During the investigation of Gigabud, we\r\nfound that one of its servers, 18[.]143[.]229[.]200, had hosted SRS before as well.\r\nThe domains that they register for C2 bear some similarities. The domains look like they are randomly\r\ngenerated from a certain domain generation algorithm (DGA). The pattern is short, about 4-5\r\ncharacters long, most of the time containing a single digit.\r\nBoth malware C2s started out using the top-level domain “.cc”. 
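As an added example, not part of the Group-IB report, the naming pattern just described can be turned into a simple triage heuristic for DNS or proxy logs. The script below assumes a constructed log format with a qname= field, widens the label length to 4-6 characters so that every domain in Table 11 matches (the report says about 4-5), and requires exactly one digit, which every listed sample has. Short .cc and .xyz names are used legitimately too, so a hit is a lead for analyst review rather than a verdict.

```python
"""Heuristic for the GoldFactory/Gigabud C2 naming pattern (added example, not the report's code)."""
import re
from typing import Iterable, List

# TLDs the report observed: ".cc" first, later ".xyz".
SUSPECT_TLDS = {"cc", "xyz"}
# Registrable label: 4-6 lowercase alphanumerics (widened from the report's 4-5
# so the Table 11 samples such as bweri6 and blsdk5 also match).
LABEL_RE = re.compile(r"[a-z0-9]{4,6}")

# Constructed resolver log lines (hypothetical format: timestamp, client, qname).
SAMPLE_DNS_LOG = [
    "2024-02-01T09:14:02Z client=10.0.0.12 qname=ks8cb.cc",
    "2024-02-01T09:14:05Z client=10.0.0.12 qname=www.google.com",
    "2024-02-01T09:15:11Z client=10.0.0.37 qname=app.js6kk.xyz",
    "2024-02-01T09:16:40Z client=10.0.0.37 qname=updates.example.xyz",
    "2024-02-01T09:17:03Z client=10.0.0.51 qname=bweri6.cc",
]


def refang(domain: str) -> str:
    """Normalise a domain: lowercase, drop a trailing dot, undo "[.]" defanging."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def matches_goldfactory_pattern(domain: str) -> bool:
    """True if the registrable label is short, has exactly one digit, and sits under .cc/.xyz.

    Subdomains such as the "app." prefix seen on Gigabud domains are ignored:
    only the label directly under the TLD is scored.
    """
    parts = refang(domain).split(".")
    if len(parts) < 2 or parts[-1] not in SUSPECT_TLDS:
        return False
    label = parts[-2]
    if not LABEL_RE.fullmatch(label):
        return False
    return sum(ch.isdigit() for ch in label) == 1


def flag_dns_log(lines: Iterable[str]) -> List[str]:
    """Return the queried names in the log lines that match the pattern, in order."""
    hits = []
    for line in lines:
        m = re.search(r"qname=(\S+)", line)
        if m and matches_goldfactory_pattern(m.group(1)):
            hits.append(refang(m.group(1)))
    return hits


if __name__ == "__main__":
    print(flag_dns_log(SAMPLE_DNS_LOG))
```

The defanged "[.]" notation used in Table 11 is accepted directly, so the table's entries can be pasted in as a self-check; in production the log parser would be replaced by whatever field extraction the resolver or proxy provides.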
More recently, however, both families’ C2 servers migrated to the “.xyz” top-level domain. With the exception of early Gigabud domains, all of the domains are registered through the registrar Gname.com.\r\nTable 11. Sample of C2 domains – GoldDigger / GoldPickaxe (left), Gigabud (right)\r\nGoldDigger / GoldPickaxe    Gigabud\r\nks8cb[.]cc                  bweri6[.]cc\r\nms2ve[.]cc                  blsdk5[.]cc\r\nzu7kt[.]cc                  nnzf1[.]cc\r\nt8bc[.]xyz                  app[.]js6kk[.]xyz\r\nbv8k[.]xyz                  app[.]re6s[.]xyz\r\nhzc5[.]xyz                  app[.]bc2k[.]xyz\r\nConclusion\r\nThe mobile malware landscape has become a lucrative market, attracting cybercriminals looking for quick financial gain. In response to this escalating threat, financial institutions have implemented a number of defensive measures; at the same time, cybercriminals’ tactics have evolved to outsmart and defeat them. A prominent example of this dynamic is the GoldFactory group.\r\nThreat actors such as GoldFactory have well-defined processes and operational maturity, and they demonstrate an increased level of ingenuity. Their ability to develop and distribute, in parallel, malware variants tailored to different regions shows a worrying level of sophistication.\r\nIn addition to their technical skills, cybercriminals are becoming increasingly creative and adept at social engineering. This technique remains a potent weapon in the cybercriminal arsenal and is the primary method for delivering malware to victims’ devices. By exploiting human psychology and trust, bad actors construct intricate schemes that can deceive even vigilant users. Social engineering attacks, whether through fake websites or social manipulation, target human rather than technical vulnerabilities.\r\nOur report underlines the urgency of the threat and highlights the sophisticated techniques cybercriminals are using against individuals. 
The adaptability of these adversaries is remarkable, as the evolution of their fraud schemes shows. In addition to refining the capabilities of the original GoldDigger malware, they have introduced a new category of malware families that specialize in harvesting facial recognition data, and they have developed a tool that puts victims in direct contact with cybercriminals posing as legitimate bank call centers.\r\nIn conclusion, the relentless evolution of cybercriminal tactics, exemplified by the sophistication of the GoldFactory malware, underscores the need for a proactive, multi-faceted approach to security, including user education and integrated modern controls that detect the appearance of new Trojans early and notify end users.\r\nGroup-IB Fraud Matrix\r\nRecommendations\r\nFor Financial Organizations\r\nImplement a user session monitoring system such as Group-IB’s Fraud Protection to detect the presence of malware and block anomalous sessions before the user enters any personal information.\r\nEducate your customers about the risks of mobile malware. 
This includes teaching them to spot fake websites and malicious apps and to protect their passwords and personal information.\r\nUse a Digital Risk Protection platform that detects illegitimate use of your logos, trademarks, content and design layouts across your digital surface.\r\nMaintaining a secure organization requires ongoing vigilance; a proprietary solution such as Group-IB’s Threat Intelligence can help organizations shore up their security posture by equipping security teams with the latest insights into new and emerging threats.\r\nFor End Users\r\nDo not click on suspicious links. Mobile malware is often spread through malicious links in emails, text messages and social media posts.\r\nDownload applications only from official platforms such as the Google Play Store, Apple App Store and Huawei AppGallery.\r\nTread with caution if it is necessary to download third-party applications.\r\nCarefully review the permissions requested when installing a new application, and be on extreme alert when an application requests the Accessibility Service.\r\nDo not add unknown people to your messengers.\r\nWhen contacting your bank, find and use its official contact number. Do not tap a bank alert or pop-up if you think your device has been infected.\r\nIf you believe you have been defrauded, contact your bank to freeze any accounts that your device has accessed.\r\nSigns your phone may be infected with malware\r\nBattery Drain. If your phone’s battery is depleting much faster than usual, it could be a sign of malware running in the background.\r\nUnusual Data Usage. Increased data usage without any apparent reason may indicate a malware infection, especially if you have not changed your usage patterns.\r\nSlow Performance. Malware can consume system resources, leading to slower performance. 
If your phone suddenly becomes sluggish or freezes frequently, it could be a red flag.\r\nUnfamiliar Apps. Check your list of installed apps for any unfamiliar or suspicious applications; some malware disguises itself as a legitimate app.\r\nSudden Increase in Permissions. If you notice that certain apps have gained unnecessary permissions, or that some apps have excessive access to your device, it could be a sign of a security issue.\r\nOverheating. Malware can cause your phone to overheat as it strains the device’s resources. If your phone feels unusually hot, it is worth investigating.\r\nStrange Behavior. If your phone makes calls on its own, sends messages without your consent or opens apps without your input, it could be a sign of malware.\r\nIOCs\r\nThe full list of indicators of compromise is available in Group-IB’s Threat Intelligence platform.\r\nFiles\r\nTrojan               SHA256\r\nGoldPickaxe.iOS      4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df\r\nGoldPickaxe.Android  b72d9a6bd2c350f47c06dfa443ff7baa59eed090ead34bd553c0298ad66318\r\nGoldDigger           d8834a21bc70fbe202cb7c865d97301540d4c27741380e877551e35be1b7276\r\nGoldDiggerPlus       b5dd9b71d2a359450d590bcd924ff3e52eb51916635f7731331ab7218b69f3b9\r\nNetwork
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.group-ib.com/blog/goldfactory-ios-trojan/"
	],
	"report_names": [
		"goldfactory-ios-trojan"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3a91311-d47b-4cea-98f5-2505be23e1e5",
			"created_at": "2024-02-22T02:00:03.778836Z",
			"updated_at": "2026-04-10T02:00:03.595634Z",
			"deleted_at": null,
			"main_name": "GoldFactory",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldFactory",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcf70f5a034fe0ae9b90be768fe730b7ec4a0ba1.pdf",
		"text": "https://archive.orkl.eu/bcf70f5a034fe0ae9b90be768fe730b7ec4a0ba1.txt",
		"img": "https://archive.orkl.eu/bcf70f5a034fe0ae9b90be768fe730b7ec4a0ba1.jpg"
	}
}