Suspected Chinese hackers are stealing facial recognition data and using it to access bank accounts in Southeast Asia, researchers have found.
The sophisticated campaign is being carried out by a group dubbed GoldFactory by researchers with the cybersecurity firm Group-IB. In October 2023, the firm first described an Android-based trojan, called GoldDigger, being used to access accounts at more than 50 Vietnamese banks.
The new activity observed by researchers is an extension of that campaign but with highly unusual additions, like the use of facial recognition data harvested from victims.
The researchers found the group deploying four trojans — pieces of malware that disguise themselves as legitimate code — including one called GoldPickaxe that was first spread through Apple’s application testing platform TestFlight. After it was removed from the platform, the hackers switched to a social engineering scheme to get victims to install a Mobile Device Management (MDM) profile, which allows third parties to control a device remotely.
The hackers engaged victims by pretending to be from government agencies. In Thailand, users were prompted to download a “Digital Pension” application, which purportedly would allow them to receive their pension online. In other cases, the hackers sent notices related to utility bills that asked a user to click on a malicious URL.
In order to set up the applications, victims were prompted to record a video for facial recognition purposes, which was “then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services,” Singapore-based Group-IB said.