While not impenetrable, Apple’s iPhone seems like a safe haven compared to the minefields that are Android and Windows. Unfortunately, malware is picking up pace after a cybersecurity company identified an iOS Trojan that puts your data at risk.
Spotted by Singapore-based cybersecurity firm Group-IB, the virus is one of, if not the first Trojans for iOS. Dubbed GoldPickaxe, the attack harvests biometric data such as facial recognition. It’s less an act of controlling your device and more to gain access to sensitive apps, such as banking.
If you’re wondering how it works, the malware disguises itself as government service apps. Once you open it up, it then requests you take a photo of yourself for ID. These apps aren’t available in official stores for obvious reasons. Instead, perpetrators must trick unsuspecting users into downloading elsewhere, then grant it full permissions via Apple’s TestFlight or Mobile Device Management profiles.
GoldPickaxe is most prevalent in the Asia Pacific region, with an emphasis on Thailand. There’s evidence that operations extend beyond one country, however, with at least one case in Vietnam. Southeast Asia banks and government agencies are fast adopting biometrics as a method of signing in, so this could continue growing.
Chinese hacking group GoldFactory is suspected to be behind the malicious activity, hence the name. The telltale sign is Chinese characters throughout all the malware variants, including past Trojans.
You might think that facial recognition is more secure than passwords, but that’s an easy mistake to make. Granted, iPhones have some of the best facial scanning tech on handhelds, but it’s still overly permissive since attackers only need an image of your face in a 3D environment. This will only become more of a headache as AI improves.
Instead, facial recognition is more about ease of use than security. It could work well as a layer of multi-factor authentication but not as your first and only line of defence. I’d recommend using a password manager instead. This lets you have a different login per app, so if one’s compromised, the damage is isolated. You can also change a password easily enough while your face is still your face.
