Upgraded versions of sophisticated mobile trojans from the GoldFactory family, dubbed GoldPickaxe, have emerged targeting victims in Thailand and Vietnam. Apart from the usual trojan capabilities, such as eavesdropping on passwords and SMS on the victim's phone, GoldPickaxe now goes after users' faces.
The trojans masquerade as official government apps that use facial scans for authentication. Upon opening, users are prompted to perform a facial scan and to photograph their ID card. This collected data then allows attackers to log into the victims' official government and online banking apps.
The malicious apps are hosted on websites imitating the Google Play Store or Apple App Store and are installed by abusing app testing channels and tools. The user is first tricked by social engineering into downloading the malicious package and granting the permissions needed to install it.
Domain-based security can help mitigate the risk by blocking the fraudulent links in phishing and smishing campaigns that would lead users to fake app stores. Protective DNS, such as the one provided by Whalebone, can also disrupt the C&C communication of the app once it’s installed, preventing data exfiltration.
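The two DNS-layer controls mentioned above (blocking the phishing link to the fake store before installation, and breaking C&C resolution after it) can be illustrated with a small policy engine. The following is an added example, not Whalebone's product or any GoldPickaxe indicator: every domain in it is a constructed placeholder under the reserved `.example` TLD, and the sinkhole address is a documentation address.

```python
"""Minimal protective-DNS policy engine (added illustration, not vendor code).

Assumptions: blocklist entries are constructed placeholders under the reserved
.example TLD; 192.0.2.10 is a TEST-NET-1 documentation address used as the
sinkhole. Neither set is a real indicator of compromise.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed: apex domains of look-alike "app store" sites used in phishing
# and smishing links. Answering them with a sinkhole lands the browser on a
# warning page instead of the fake store, before anything is installed.
FAKE_STORE_DOMAINS = {
    "play-store-update.example",
    "appstore-verify.example",
}

# Constructed: apex domains an installed trojan would beacon to. Answering
# NXDOMAIN breaks the C&C session and, with it, the upload of face scans,
# ID photos and intercepted SMS.
C2_DOMAINS = {
    "api-sync-face.example",
}

SINKHOLE_IP = "192.0.2.10"


def normalize(qname: str) -> str:
    """Canonicalise a query name the way the resolver sees it on the wire.

    Lower-cases, strips the trailing dot and converts Unicode labels to
    punycode, so a look-alike such as 'ρlay' (Greek rho) is compared in
    the same 'xn--' form that would be stored in a blocklist.
    """
    name = qname.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed label; policy still runs on the raw name


def matches_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or any subdomain of it."""
    return qname == zone or qname.endswith("." + zone)


@dataclass
class Verdict:
    qname: str
    action: str  # "allow" | "sinkhole" | "nxdomain"
    reason: str
    answer: Optional[str] = None


def resolve_policy(qname: str) -> Verdict:
    """Decide how a protective resolver should answer one query."""
    name = normalize(qname)
    for zone in FAKE_STORE_DOMAINS:
        if matches_zone(name, zone):
            return Verdict(name, "sinkhole", f"fake app store {zone}", SINKHOLE_IP)
    for zone in C2_DOMAINS:
        if matches_zone(name, zone):
            return Verdict(name, "nxdomain", f"C&C domain {zone}")
    return Verdict(name, "allow", "not on policy")


def apply_policy(queries: Iterable[str]) -> list[Verdict]:
    return [resolve_policy(q) for q in queries]


def summarize(verdicts: Iterable[Verdict]) -> dict[str, int]:
    """Count actions, e.g. for a daily blocked-query report."""
    return dict(Counter(v.action for v in verdicts))


# Constructed query log from one device: a legitimate store lookup, two
# phishing-link hosts (one with a subdomain and trailing dot, one upper-case),
# a C&C beacon and an unrelated domain.
SAMPLE_QUERIES = [
    "play.google.com",
    "cdn.play-store-update.example.",
    "APPSTORE-VERIFY.EXAMPLE",
    "beacon.api-sync-face.example",
    "example.org",
]

if __name__ == "__main__":
    verdicts = apply_policy(SAMPLE_QUERIES)
    for v in verdicts:
        print(f"{v.qname:35} {v.action:9} {v.reason}")
    print(summarize(verdicts))
```

The order of checks matters: fake-store domains are answered with a sinkhole rather than NXDOMAIN so that a user who taps a smishing link sees an explanation, while C&C domains get NXDOMAIN because nothing on the device needs a helpful answer. Suffix matching on the apex also covers the per-campaign subdomains that such infrastructure typically rotates through.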