GoldPickaxe, believed to be one of the first malware programs to thrive in the iOS environment, is linked to the GoldDigger Trojan reported by cybersecurity firm Group-IB last year.
In a warning issued in February, the Information Security Authority of Vietnam’s Ministry of Information and Communications said a user in Hanoi had been tricked into installing a counterfeit public service app.
The software requested a video clip to verify identity, and the next day, shares in the user’s account were sold and billions of dong were sent elsewhere.
Group-IB said the case could be a sign that GoldPickaxe is targeting Vietnamese users.
At an Asian Banking and Finance conference in HCMC in March, several organizations expressed deep concerns about GoldPickaxe.
Troy Le, representative of cybersecurity tool BShield, said the Trojan is dangerous because it thrives on both iOS and Android and is capable of collecting people’s biometric data.
For Thailand, which has successfully applied biometric security measures for major transactions, GoldPickaxe could become a major new challenge, he said.
Hackers first attempt to install the Trojan on users’ devices through social engineering, that is, using deception to manipulate individuals into disclosing confidential or personal information.
In the case of the Hanoi victim, they posed as authority figures to trick users into installing counterfeit apps.
In Thailand, a common method is to pretend that the Trojan is an application that helps pay taxes and electricity bills.
On Android devices, the Trojan can be installed via a simple APK file. On iOS, hackers take advantage of Apple’s TestFlight or persuade users to install mobile device management (MDM) profiles that allow them to take control of the device.
Once installed, GoldPickaxe enables functions such as blocking SMS filters and Internet access, and asks users to verify their identity with personal documents as well as video footage.
The data from the video is transferred back to the hacker and is then used in deepfake- and AI-based fraud.
Troy Le said the Trojan silently collects user data, including facial recognition data and IP addresses, to trick services into thinking they are interacting with the real user.
“With such data, hackers do not need to carry out illegal transactions directly from victims’ phones. Instead, they collect all the information needed to access their banking apps from another device.”
The Information Security Authority recommends users not to provide their personal data or install applications of unclear origin to ward off attacks.
However, because attack methods are constantly evolving, many people can become victims even if they are vigilant.
Speaking as a security developer, Troy Le said banks and financial institutions should be proactive in preventing such risks for their customers.
He said several platforms and services still have vulnerabilities, allowing hackers to bypass protection and take control of victims’ accounts.
“Banking and financial applications are always the first targets for hackers. They must therefore build protection mechanisms themselves for their customers and their own services.”