iOS Banking Trojan Steals Faces: GoldPickaxe Uses Deepfake Videos to Bypass Mobile App Security

Incident Overview: GoldPickaxe iOS Malware Campaign

What happened

In late January, a new mobile malware campaign was identified targeting iOS users in Southeast Asia, primarily individuals who actively use mobile banking and digital identity verification apps. The malware family, now commonly referred to as GoldPickaxe, represents a shift in mobile threats because it focuses on stealing biometric data (facial video) rather than only credentials or one-time passwords.

Victims were tricked into installing what appeared to be legitimate apps related to government services, banking support, or identity verification. Once installed, the malware guided users to record a short video of their face, often under the pretext of “identity verification” or “account protection.” That facial data was later abused to create AI-generated deepfake videos, which attackers used to bypass facial recognition checks in banking applications.

This incident did not involve a mass exploit of iOS itself. Instead, it relied heavily on social engineering, abuse of trusted Apple features (TestFlight and MDM profiles), and misuse of permissions the user was persuaded to grant.


What GoldPickaxe is

GoldPickaxe is a mobile Trojan designed for financial fraud. Unlike traditional banking malware that focuses on stealing passwords, SMS codes, or session cookies, this malware is built around biometric identity theft.

Its core objectives are:

  • Collect facial biometric data (video, not just images)
  • Steal personally identifiable information (PII) such as ID documents
  • Harvest SMS messages and device metadata
  • Enable account takeover of banking and financial apps
  • Support deepfake-based authentication bypass

The malware has been observed in both Android and iOS variants, but the iOS version is notable because of Apple’s normally restrictive security model.


Who was impacted

Primary targets

  • Mobile banking users
  • Digital wallet users
  • Users of apps that rely on face-based identity verification
  • Individuals receiving government aid or financial services via mobile apps

Geographic focus

  • Southeast Asia (notably Thailand and Vietnam)
  • The campaign design suggests it could be repurposed for other regions with minimal changes

Type of impact

  • Unauthorized access to banking applications
  • Fraudulent transactions
  • Identity theft using government-issued IDs
  • Long-term biometric compromise (faces cannot be “reset” like passwords)

How the attack worked

1. Initial access vector

There was no iOS zero-day exploit involved.

The attackers relied on social engineering and trusted Apple mechanisms, including:

  • Phishing messages (SMS, chat apps, email)
  • Fake support messages claiming account issues
  • Links to “official” apps hosted outside the App Store
  • Abuse of:
    • Apple TestFlight
    • Mobile Device Management (MDM) profiles

Victims were instructed to:

  • Install a test version of an app
  • Approve a configuration profile
  • Trust the developer manually in iOS settings

Once this step was completed, the attackers effectively bypassed App Store scrutiny.


2. Installation and permissions abuse

After installation, the app requested permissions that appeared reasonable for its fake purpose, including:

  • Camera access
  • Microphone access
  • Photo library access
  • SMS access (where applicable)
  • Network access

Because the app claimed to perform identity verification, users were more likely to approve these requests.


3. Social engineering inside the app

The malware did not immediately behave maliciously.

Instead, it:

  • Displayed professional-looking interfaces
  • Used official logos and terminology
  • Claimed compliance checks or security upgrades

At a later stage, users were prompted to:

  • Upload photos of government-issued ID
  • Record a short facial video
    • Often with instructions like blinking, smiling, or turning the head

This was presented as a standard “liveness check.”


4. Data exfiltration

Once collected, the following data was silently transmitted to attacker-controlled servers:

  • Facial video recordings
  • ID document images
  • Device identifiers
  • Phone number
  • SMS messages (including OTPs)
  • App usage and device metadata

The communication was typically encrypted or obfuscated to blend in with legitimate HTTPS traffic.


5. Abuse of stolen biometric data

The attackers used the facial videos to:

  • Train or feed deepfake generation systems
  • Produce realistic videos capable of passing facial recognition
  • Bypass:
    • Banking app facial checks
    • Remote identity verification systems
    • Customer support verification workflows

This enabled full account takeover, even when passwords or OTPs alone would not have been sufficient.


Payloads and capabilities

GoldPickaxe is modular, meaning its behavior can be adjusted based on the target.

Known payload functions include:

  • Camera capture (video-focused)
  • Image capture (ID documents)
  • SMS interception
  • Clipboard monitoring
  • Device fingerprinting
  • Command-and-control (C2) communication
  • Configuration updates from the server

There was no destructive payload (no wiping, no ransomware). The goal was stealthy financial exploitation.


Vulnerabilities exploited

No traditional software vulnerability

  • No iOS kernel exploit
  • No sandbox escape
  • No privilege escalation vulnerability

What was exploited instead

  • User trust
  • Lack of awareness around TestFlight and MDM risks
  • Overreliance on facial biometrics as a single authentication factor
  • Weak detection of deepfake-based identity fraud by financial apps

Why this attack matters

This incident shows a fundamental shift in cybercrime:

  • Biometrics are now being treated as stealable assets
  • Deepfake technology is operational, not theoretical
  • Mobile ecosystems are vulnerable through human behavior, not just code flaws

Once a face is compromised, it can be reused across:

  • Multiple banks
  • Government services
  • Identity verification platforms

This makes the impact long-term and difficult to remediate.


Indicators of Compromise (IOCs)

Device-level indicators

  • Presence of unknown configuration profiles
  • MDM installed without corporate enrollment
  • Apps installed outside the App Store without clear origin
  • Camera access by apps that do not clearly require it
  • Unexpected prompts for facial video recording

Network indicators

  • Repeated outbound HTTPS connections to unknown domains
  • Traffic spikes immediately after camera usage
  • Connections occurring even when the app is idle

User behavior indicators

  • Requests for identity re-verification without prior trigger
  • Banking app reauthentication requests shortly after face capture
  • Unauthorized transactions despite successful biometric checks

Detection and threat hunting guidance

On mobile devices

  • Audit installed profiles and remove untrusted MDM configurations
  • Review app permissions regularly, especially camera and microphone
  • Monitor TestFlight usage and revoke unused test apps

For financial institutions

  • Flag facial authentication attempts from new devices after recent face capture
  • Correlate facial login attempts with:
    • Device changes
    • IP geolocation anomalies
  • Detect repeated failed liveness checks followed by success

Behavioral detection ideas

  • Facial authentication occurring shortly after identity document upload
  • Multiple identity verification attempts across different accounts using similar facial patterns
  • Banking logins without normal user interaction patterns (navigation speed, gesture behavior)

Detection logic

Use case: Suspicious biometric login

Trigger alert if:

  • Facial authentication is successful
  • Device was newly registered within the last 48 hours
  • Identity documents were uploaded recently
  • Login IP or device fingerprint differs from historical baseline

Severity: High
Response: Step-up authentication + manual review
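As an added example (not code from the original post or from any bank's fraud platform), the alert rule above written as a small Python check over constructed account history; it also records the "failed liveness checks followed by success" signal from the institution guidance. The 7-day window for "uploaded recently", the 3-failure liveness streak, and the /24 IP-prefix baseline are assumptions the page leaves unspecified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
NEW_DEVICE_WINDOW = timedelta(hours=48)  # page rule: device registered in last 48h
RECENT_DOC_WINDOW = timedelta(days=7)    # assumed threshold for "uploaded recently"
LIVENESS_FAIL_STREAK = 3                 # assumed threshold for "repeated" failures

@dataclass
class AccountHistory:
    known_devices: set                     # device fingerprints in the baseline
    known_ip_prefixes: set                 # /24 prefixes in the baseline (assumption)
    device_registered_at: dict             # fingerprint -> registration time
    last_id_upload_at: Optional[datetime]  # most recent ID document upload
    liveness_results: list                 # chronological outcomes, newest last

@dataclass
class FaceLogin:
    ts: datetime
    device: str
    ip: str
    success: bool

def evaluate(login: FaceLogin, hist: AccountHistory) -> Optional[dict]:
    # Alert only when every condition of the page's rule holds; otherwise None
    if not login.success:
        return None
    reg = hist.device_registered_at.get(login.device)
    new_device = reg is not None and timedelta(0) <= login.ts - reg <= NEW_DEVICE_WINDOW
    recent_docs = (hist.last_id_upload_at is not None
                   and timedelta(0) <= login.ts - hist.last_id_upload_at <= RECENT_DOC_WINDOW)
    off_baseline = (login.device not in hist.known_devices
                    or login.ip.rsplit(".", 1)[0] not in hist.known_ip_prefixes)
    if not (new_device and recent_docs and off_baseline):
        return None
    # Extra context from the institution guidance: failed liveness checks right before this success
    tail = hist.liveness_results[-LIVENESS_FAIL_STREAK:]
    fail_streak = len(tail) == LIVENESS_FAIL_STREAK and not any(tail)
    return {"severity": "High", "response": "Step-up authentication + manual review",
            "signals": {"new_device": new_device, "recent_id_upload": recent_docs,
                        "off_baseline": off_baseline, "liveness_fail_streak": fail_streak}}

# Constructed sample account: one long-known device on 10.0.0.x, ID re-uploaded 6h ago
T0 = datetime(2024, 2, 1, 9, 0)
SAMPLE_HISTORY = AccountHistory(
    known_devices={"dev-A"}, known_ip_prefixes={"10.0.0"},
    device_registered_at={"dev-A": T0 - timedelta(days=400), "dev-B": T0 - timedelta(hours=5)},
    last_id_upload_at=T0 - timedelta(hours=6),
    liveness_results=[True, False, False, False])
SUSPICIOUS = FaceLogin(T0, "dev-B", "203.0.113.7", True)  # new device, unfamiliar IP range
BENIGN = FaceLogin(T0, "dev-A", "10.0.0.25", True)        # baseline device and network
```

In a real deployment the history would be pulled from the device-registration, KYC and liveness services rather than held in memory.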


Mitigation and prevention

For users

  • Do not install apps via links sent through messages
  • Avoid installing configuration profiles unless required by an employer
  • Treat face recording requests with extreme caution

For organizations

  • Do not rely on facial biometrics alone
  • Add behavioral and device-based signals
  • Implement deepfake detection where possible
  • Educate users about biometric fraud risks

Final assessment

GoldPickaxe is not just another banking Trojan. It represents a new class of biometric exploitation malware. The technical sophistication lies less in exploiting software flaws and more in combining social engineering, mobile trust abuse, and AI-driven fraud.

This campaign highlights that biometric authentication is only as strong as the systems around it — and that human trust remains one of the most exploitable attack surfaces.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.