GoldPickaxe¶
GoldPickaxe is an Android and iOS banking trojan from the GoldFactory threat group, a Chinese-speaking cybercrime operation that develops the broader GoldDigger malware family. First observed in 2024 as an evolution of the GoldDigger trojan (2023), GoldPickaxe introduced a novel biometric theft technique: it tricks victims into recording facial videos, which the operators then use to produce deepfake content capable of bypassing bank face-verification systems. Its Android and iOS variants give it cross-platform reach across Southeast Asia, with reported expansion into Latin America and South Africa, and it represents a significant escalation in mobile banking fraud capabilities.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2023 (GoldDigger), 2024 (GoldPickaxe) |
| Status | Active |
| Type | Banking trojan, biometric stealer |
| Related variants | GoldDigger (predecessor), GoldDiggerPlus (Android sibling) |
| Attribution | GoldFactory group (Chinese-speaking threat actors) |
| Distribution | Localized apps, social engineering, smishing |
Origin and Lineage¶
The GoldFactory threat group is a Chinese-speaking cybercrime operation responsible for a family of mobile banking trojans targeting Southeast Asian financial institutions. The lineage begins with GoldDigger, first documented in 2023 as an Android banking trojan targeting Vietnamese users.
GoldDigger (2023): The original family member, an Android banking trojan targeting Vietnamese banks through overlay attacks and accessibility service abuse. GoldDigger established the group's operational model of targeting Southeast Asian markets with highly localized lures.
GoldDiggerPlus (2023-2024): An enhanced Android variant that expanded the capability set beyond the original GoldDigger. It added real-time voice communication with victims through operator-initiated calls, allowing social engineering during active device compromise.
GoldPickaxe (2024): The most technically advanced variant, introducing biometric data theft as a core capability. GoldPickaxe collects facial video recordings from victims, which operators use to generate deepfake content that bypasses facial recognition verification at banks. Notably, GoldPickaxe includes both Android and iOS variants, making it one of the few mobile banking trojan families with true cross-platform reach.
The ESET H1 2024 Threat Report references the family under the "GoldDigger/GoldFactory" designation, tracking its evolution and expanding geographic scope.
Distribution¶
| Vector | Details |
|---|---|
| Localized apps | Malicious apps disguised as local government or utility services |
| Social engineering | Victims contacted directly and guided to install apps |
| Smishing | SMS messages directing victims to download pages |
| iOS profiles | Enterprise or MDM profiles used to sideload iOS variants |
GoldPickaxe distribution relies heavily on social engineering tailored to specific markets. In Thailand, lures impersonate government services such as the Digital Pension app. In Vietnam, distribution uses local utility and banking app impersonations. The operators contact victims directly through messaging platforms, posing as government officials or bank representatives, and guide them through the installation process.
The iOS distribution is particularly notable. Because iOS does not permit sideloading the way Android does, the operators use enterprise distribution profiles or mobile device management (MDM) enrollment to install the malicious app outside the App Store: once a victim accepts an MDM profile, the operator-controlled MDM server can push the app to the device without App Store review. Victims are socially engineered into accepting the profile installation, which then enables the trojan deployment.
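A defender-side check for the profile-based iOS distribution described above, as an added example (not code from the page or from any vendor report): it parses an Apple configuration profile and flags an MDM enrollment payload that points at a server outside the organisation's approved list or that grants the app-management right. It assumes an unsigned profile in plain XML plist form (a signed profile is CMS-wrapped and must be unwrapped first); the profile contents, host names and identifiers are constructed for the example, and the use of the 4096 access-right bit for app management follows Apple's MDM AccessRights definition.

```python
"""Triage an Apple configuration profile (.mobileconfig) for an MDM enrollment
payload that could push apps from outside the App Store.

Added example, not from the page or any vendor report. Assumes an unsigned
(plain XML plist) profile; signed profiles are CMS-wrapped and must be
unwrapped before parsing. Host names and identifiers below are constructed."""
import plistlib
from urllib.parse import urlparse

MDM_PAYLOAD_TYPE = "com.apple.mdm"
# Apple MDM AccessRights bit 4096 = "Allow app management" (InstallApplication).
APP_MANAGEMENT_RIGHT = 4096

# Constructed sample resembling a lure profile: an MDM payload pointing at an
# operator-controlled server with every access right (8191 = all bits) granted.
LURE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.pension.profile</string>
  <key>PayloadDisplayName</key><string>Digital Pension Service</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.pension.mdm</string>
      <key>ServerURL</key><string>https://mdm.pension-lure.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.pension-lure.invalid/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign profile: a managed Wi-Fi payload only, no MDM enrollment.
WIFI_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.corp.wifi</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>corp-wifi</string>
    </dict>
  </array>
</dict>
</plist>
"""


def triage_profile(profile_bytes: bytes, allowed_mdm_hosts: set[str]) -> dict:
    """Return the MDM payload count, findings and a verdict for one profile.

    allowed_mdm_hosts: MDM servers the organisation actually uses; enrollment
    anywhere else is flagged, as is any payload allowed to install apps.
    """
    plist = plistlib.loads(profile_bytes)
    findings = []
    mdm_payloads = [
        p for p in plist.get("PayloadContent", [])
        if p.get("PayloadType") == MDM_PAYLOAD_TYPE
    ]
    for payload in mdm_payloads:
        host = urlparse(payload.get("ServerURL", "")).hostname or ""
        if host not in allowed_mdm_hosts:
            findings.append(f"MDM enrollment to unapproved server {host!r}")
        if int(payload.get("AccessRights", 0)) & APP_MANAGEMENT_RIGHT:
            findings.append("MDM payload grants app management (can install apps outside the App Store)")
    return {
        "display_name": plist.get("PayloadDisplayName"),
        "mdm_payloads": len(mdm_payloads),
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    for name, blob in (("lure", LURE_PROFILE), ("wifi", WIFI_PROFILE)):
        print(name, triage_profile(blob, {"mdm.corp.example"}))
```

The check deliberately flags the app-management right even when the MDM host is approved: a profile that a user was talked into installing should never need to install apps, and a display name such as a government service is exactly the part of the profile the victim sees, so it is reported but not trusted.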
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Facial biometric theft | Prompts victim to record facial video, exfiltrates for deepfake creation |
| Identity document theft | Captures photos of government-issued ID documents |
| SMS interception | Reads and exfiltrates SMS messages for OTP and 2FA bypass |
| Overlay attacks | WebView-based inject screens for credential harvesting |
| Device information collection | Harvests device model, phone number, and installed apps |
| Proxy traffic | Routes traffic through victim device to mask operator's origin |
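A triage script for the Android capability set in the table above, as an added example (not code from the page or from any vendor report): it reads a decoded AndroidManifest.xml and maps the declared permissions and components back to the capabilities listed (SMS interception, overlays, facial and document capture, device information collection, accessibility service abuse). It assumes a text manifest as produced by a decoder such as apktool; the sample manifests, package names and class names below are constructed. Individual permissions such as CAMERA are legitimate for real banking apps, so the script scores the combination rather than any one permission.

```python
"""Score a decoded AndroidManifest.xml for the permission and component set a
GoldPickaxe-style banking trojan needs.

Added example, not from the page or any vendor report. Assumes a text manifest
(apktool-style output); the manifests below are constructed and their package
and class names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups mapped to the capabilities in the table. INTERNET is left
# out: nearly every app requests it, so it carries no signal on its own.
CAPABILITY_PERMISSIONS = {
    "SMS interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "Overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "Facial/document capture": {"android.permission.CAMERA"},
    "Device information collection": {"android.permission.READ_PHONE_STATE",
                                      "android.permission.QUERY_ALL_PACKAGES"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a lure app: SMS, overlay, camera and
# phone-state permissions plus an accessibility service and an SMS receiver.
LURE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pension">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Pension Service">
    <service android:name=".AccessService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: a camera app that only needs CAMERA and INTERNET.
CAMERA_APP_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"/>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute in the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Map declared permissions/components to capabilities and score them."""
    root = ET.fromstring(manifest_xml)
    perms = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    capabilities = {
        cap: sorted(perms & needed)
        for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed
    }
    # An accessibility service is declared as a <service> bound with
    # BIND_ACCESSIBILITY_SERVICE; that is the hook for UI automation and overlays.
    accessibility_services = [
        _android_attr(s, "name") for s in root.iter("service")
        if _android_attr(s, "permission") == ACCESSIBILITY_PERMISSION
    ]
    if accessibility_services:
        capabilities["Accessibility service abuse"] = accessibility_services
    # A receiver for SMS_RECEIVED is how incoming OTPs are read in real time.
    sms_receivers = [
        _android_attr(r, "name") for r in root.iter("receiver")
        if any(_android_attr(a, "name") == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    score = len(capabilities)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "sms_receivers": sms_receivers,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for m in (LURE_MANIFEST, CAMERA_APP_MANIFEST):
        print(triage_manifest(m))
```

The thresholds are a starting point for triage, not a detection rule: the output is meant to tell an analyst which capabilities to confirm in the decompiled code (for example, whether the camera is driven from a screen that asks the user to record their face) rather than to classify the sample on its own.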
Biometric Theft and Deepfake Bypass¶
GoldPickaxe's signature capability is its approach to defeating facial recognition verification. Many Southeast Asian banks, particularly in Thailand and Vietnam, have implemented face-verification systems that require customers to record a short video of their face when initiating high-value transactions or account changes. GoldPickaxe exploits this by:
- Displaying a convincing prompt within the malicious app requesting the victim to record a facial video, framed as an identity verification step
- Capturing the recorded video and exfiltrating it to the operator's infrastructure
- Using AI-powered face-swapping tools to generate deepfake videos from the stolen biometric data
- Presenting the deepfake video to the bank's face-verification system to authorize fraudulent transactions
This technique is fundamentally different from how other banking trojans like Chameleon interact with biometric security. Chameleon disables biometric authentication on the device (forcing a fallback to PIN or password, which it captures through keylogging), while GoldPickaxe steals the biometric data itself and uses it to impersonate the victim at the bank's verification layer. The distinction is between bypassing biometric checks locally versus defeating them at the server side through stolen biometric material.
Identity Document Theft¶
Beyond facial biometrics, GoldPickaxe also prompts victims to photograph their government-issued ID documents. Combined with the facial video, this gives operators a comprehensive identity package: a face video for deepfake generation, document photos for identity verification questions, and personal details extracted from the documents.
Technical Details¶
Cross-Platform Architecture¶
GoldPickaxe is one of the rare mobile banking trojan families with functional variants on both Android and iOS:
| Platform | Distribution Method | Key Differences |
|---|---|---|
| Android | Sideloaded APKs, localized app stores | Full feature set including accessibility service abuse |
| iOS | Enterprise profiles, MDM configurations, TestFlight (initially) | More limited due to iOS restrictions, focused on biometric and document theft |
The iOS variant was initially distributed through Apple's TestFlight beta testing platform before Apple removed it. The operators then shifted to enterprise distribution profiles and MDM-based installation.
Anti-Analysis¶
| Technique | Details |
|---|---|
| Localized targeting | Highly regional lures make samples harder to discover outside target geographies |
| Social engineering dependency | Installation requires active victim participation, limiting automated sandbox detection |
| Enterprise profile abuse | iOS distribution through profiles rather than App Store avoids standard app review |
Target Regions¶
| Period | Primary Targets |
|---|---|
| 2023 | Vietnam (GoldDigger) |
| 2023-2024 | Vietnam, Thailand (GoldDiggerPlus, GoldPickaxe) |
| 2024 | Expanded to Latin America, South Africa |
The initial focus on Vietnamese and Thai banking users reflects the group's expertise in Southeast Asian markets. The adoption of facial verification by banks in these countries created the specific opportunity that GoldPickaxe was designed to exploit. Expansion into Latin America and South Africa follows the trend of successful mobile banking trojan operations extending beyond their initial geographic focus once the tooling matures.
Notable Campaigns¶
2023: GoldDigger campaigns targeted Vietnamese banking users through localized app lures, establishing the GoldFactory group's operational footprint in Southeast Asia.
Early 2024: GoldPickaxe emerged with facial biometric theft capabilities targeting Thai and Vietnamese banks. The iOS variant was distributed through TestFlight before Apple intervened, after which operators pivoted to enterprise profile distribution.
Mid-2024: The ESET H1 2024 Threat Report documented the GoldDigger/GoldFactory family's evolution and expanding scope, noting the biometric theft technique as a significant development in mobile banking fraud.
Late 2024: Campaigns expanded beyond Southeast Asia into Latin American and South African markets, targeting banking customers in regions where facial verification is gaining adoption.
Related Families¶
| Family | Relationship |
|---|---|
| GoldDigger | Direct predecessor within the GoldFactory family. Android banking trojan targeting Vietnamese banks, lacking biometric theft capability. |
| GoldDiggerPlus | Android sibling variant with enhanced features including real-time voice communication with victims during active compromise. |
| Chameleon | Both families interact with biometric security, but through opposite approaches. Chameleon disables biometric authentication locally to force PIN/password fallback. GoldPickaxe steals biometric data to defeat server-side face verification through deepfakes. |