How dangerous is malicious code targeting Vietnamese iPhone users?

GoldPickaxe malware, which targets iPhone users in Vietnam and Thailand, steals login credentials and facial data, thereby bypassing biometric security layers.

GoldPickaxe is considered one of the first pieces of malware to be deployed successfully on the iOS platform. It shares its origin with the GoldDigger malware of the GoldFactory group, which the security company Group-IB discovered in the middle of last year.

The cyber fraud warning issued in February by the Department of Information Security (Ministry of Information and Communications) described a user in Hanoi who was tricked into installing fake public-service software. The software required the user to record an identity-verification video; the next day, the holdings in this person's securities account were sold off and billions of dong were transferred out.

According to Group-IB, this may be a sign that GoldPickaxe is attacking Vietnamese users. "Based on the specific request for facial scanning, and the fact that GoldFactory is operating in the region, we suspect they may have started deploying GoldPickaxe in Vietnam," Group-IB assessed.

An iPhone performing a face scan. (Photo: Luu Quy).

At the Asian finance and banking conference held in Ho Chi Minh City in mid-March, the emergence of GoldPickaxe also worried many organizations. According to Mr. Troy Le, representative of the developer of BShield, a tool that protects many large applications in Vietnam, this malware is dangerous because it has been deployed successfully on both iOS and Android and collects data including users' biometric data. Thailand has already rolled out biometric authentication, including face recognition, for large transactions, and Vietnam is about to apply the same method, so GoldPickaxe becomes a new challenge for both users and platforms in protecting accounts.

How does GoldPickaxe hack into accounts?

First, the attacker tries to get an application containing the malicious code onto the victim's device through social engineering. In the case of the victim in Hanoi mentioned above, the attackers impersonated a public agency to lure the user into installing fake Public Service software. In Thailand, a common recorded scenario is software that claims to support tax refunds and electricity bill payments.

On Android, the victim only needs to be persuaded to install the application from an APK file. On iOS, the crooks abuse Apple's app-testing platform, TestFlight, or convince victims to install a Mobile Device Management (MDM) profile, which gives the attacker full control over the device.

GoldPickaxe's attack mechanism. (Photo: Group-IB).

Once on the device, GoldPickaxe enables permissions such as SMS filtering and Internet access. At the same time, the fake application requires users to verify their identity with personal documents and to record a video. This video is uploaded to the attacker's server, where it becomes the raw material for AI-generated deepfakes and face swaps.

According to expert Troy Le, the malware silently collects users' personal information from the device and secretly records their activity and the information they enter, building up a log of the victim's behaviour. In addition, the attackers collect facial data and possibly the victim's IP address so that they can imitate it, thereby tricking services into treating the session as the real user.

"With this data, attackers do not need to directly perform unauthorized transactions from the victim's phone. Instead, they collect all the information necessary to access the banking application from another device," said Mr. Troy Le.

How to stay safe from GoldPickaxe?

The Information Security Department has repeatedly issued warnings advising users not to provide personal information or install applications of unknown origin, to avoid having their accounts stolen. In reality, however, the scenarios and attack methods keep changing, so many people still become victims despite being vigilant.

From the perspective of a security platform developer, Mr. Troy Le believes that banks and financial institutions also need to proactively have mechanisms to prevent risks for users.

After deploying BShield for many financial and banking applications in Vietnam, Mr. Troy Le said that many platforms and services still have weaknesses: there is no mechanism to detect unsafe devices and respond in time, and the application flow runs without continuous verification, so an attacker only needs to pass the initial check to take control of the victim's account. In addition, some applications have exploitable API vulnerabilities through which malicious code can intervene, change how the application operates, and let attackers carry out man-in-the-middle attacks.
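A defender-side illustration of the two gaps Mr. Troy Le describes (no detection of unsafe devices, no continuous verification after the initial check), added here as example code and not BShield's or any bank's own logic. The device-posture signal names, users, device IDs and IP addresses are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample data for this example (not from the article or BShield).
ENROLLED_DEVICES = {"user-001": {"dev-iphone-A"}}
KNOWN_IPS = {"user-001": {"203.0.113.10"}}


@dataclass
class Request:
    user_id: str
    device_id: str
    ip: str
    posture: dict             # hypothetical signals an in-app SDK could report
    actions_since_check: int  # actions taken since the last full verification


def posture_flags(posture: dict) -> list:
    """Map hypothetical device-posture signals to risk reasons.

    The signal names are assumptions; the conditions themselves come from the
    article (MDM profile, TestFlight install, apps asking for too many permissions)."""
    flags = []
    if posture.get("mdm_profile_installed"):
        flags.append("mdm-profile")
    if posture.get("installed_via_testflight"):
        flags.append("testflight-install")
    if posture.get("permission_count", 0) > 10:
        flags.append("excess-permissions")
    return flags


def evaluate(req: Request, recheck_every: int = 5) -> tuple:
    """Return (decision, reasons): 'allow', 'step-up' (re-verify out of band
    before the transaction proceeds) or 'deny' (block and flag for review)."""
    reasons = posture_flags(req.posture)
    # Device binding: stolen credentials and a deepfake replayed from a device
    # the user never enrolled must not look like the user.
    if req.device_id not in ENROLLED_DEVICES.get(req.user_id, set()):
        reasons.append("unenrolled-device")
    if req.ip not in KNOWN_IPS.get(req.user_id, set()):
        reasons.append("unknown-ip")
    # Continuous verification: passing the initial check is not a permanent pass.
    if req.actions_since_check >= recheck_every:
        reasons.append("recheck-due")
    if "mdm-profile" in reasons or "testflight-install" in reasons:
        return "deny", reasons
    if reasons:
        return "step-up", reasons
    return "allow", reasons
```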

"Financial and banking applications are always the top targets for hacker attacks. Therefore, they themselves need to build protection mechanisms for users and for their own services," this expert recommended.

According to Group-IB, the GoldFactory group's malware also has many features that make users easy to trick, such as sending fake banking app alerts, fake call screens, and text messages that lure victims into performing a particular action. Users should be wary of unusual signs such as the device draining its battery, running unusually hot, displaying strange notifications, using a lot of data, or applications asking for too many permissions.