iOS, Android Malware Steals Faces to Defeat Biometrics With AI Swaps

Southeast Asia is learning the hard way that biometric scans are nearly as easy to bypass as other kinds of authentication data, thanks to a creative banking Trojan.

3 Min Read
A woman with a deepfake face
Source: Alfonso Fabio Iozzino via Alamy Stock Photo

Chinese hackers have developed a sophisticated banking Trojan for tricking people into giving up their personal IDs, phone numbers, and face scans, which they're then using to log into those victims' bank accounts.

The new malware, "GoldPickaxe," was developed by a large (but unidentified) Chinese-language group. Its variants work across iOS and Android devices, masquerading as a government service app in order to trick primarily elderly victims into scanning their faces. The attackers then use those scans to develop deepfakes that can bypass cutting-edge biometric security checks at Southeast Asian banks.

In a new report, researchers from Group-IB identified at least one individual whom they believe to be an early victim: a Vietnamese citizen, who earlier this month lost around $40,000 dollars as a result of the ruse.

Diligent social engineering and powerful cross-platform malware aside, it seems to be highly effective for two reasons: because deepfake technology has caught up with biometric authentication mechanisms, and because most of us haven't realized that yet.

"This is why we see face swaps are a tool of choice for hackers," says Andrew Newell, chief scientific officer at iProov. "It gives the threat actor this incredible level of power and control."

How Chinese Hackers Beat Thai Banks

As the novelist George Orwell famously said, "The enemy of art is the absence of limitations."

Last March, to combat widespread financial fraud, the Bank of Thailand announced a policy change: All Thai financial institutions must forgo email and SMS, and require facial recognition for any major actions from customers (e.g. opening a new account, adjusting a daily transfer limit, or initiating a transaction of more than 50,000 baht). They started enforcing this new rule, among others, beginning last July.

GoldPickaxe, the face scan-beating banking Trojan, first appeared in the wild just three months thereafter.

Built upon the foundations of a prior Trojan, "GoldDigger," GoldPickaxe was identified last November by Thailand's Banking Sector CERT, while disguised as "Digital Pension," a real app used by the elderly to receive pensions in digital format from Thailand's Comptroller General'. Under the guise of a government service, the fake app requires victims to scan their faces, upload their government ID cards, and submit their phone numbers.

Unlike some other banking trojans, GoldPickaxe doesn't operate as a layer on top of a real financial app, or automatically leverage the data it collects. Rather, as Thai police confirmed in November, it gathers all the information necessary for attackers to, later, glide past authentication checks and manually log into their victims' bank accounts.

Combatting Biometric Bank Trojans

That hackers were able to undermine Thailand's latest cyber policy upgrades so efficiently and so quickly does not surprise Newell.

"We are now operating on timescales that are much shorter than they were before. We see that more advanced tools come out every week. So I think we really need a massive shift in the banking industry, to acknowledge the fact that the rate of evolution of threats has changed. And that we need a different approach," he says.

Banks, he says, need to adjust. "If they have systems that they've put in place, you know, 12 months ago, 18 months ago, does that mean they're really able to handle the threats they're seeing now? If they're not, they need to find a different approach, quickly."

To conclude its report, Group-IB recommends banks implement sophisticated user session monitoring. And to bank customers, it advises: "avoid clicking on suspicious links, use official app stores to download applications, review the permissions of all apps, avoid adding unknown contacts, verify the legitimacy of bank communications, and act promptly if fraud is suspected by contacting your bank."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights