The First iOS Trojan is a Gold Digger Stealing Facial Recognition Data





group looking at phones

Group-IB found the first iOS Trojan, a piece of malware that steals your facial recognition data for malicious purposes like accessing bank accounts. 

It stems from a previously unknown Android trojan that targeted more than 50 financial institutions in Vietnam last October, which Group-IB also uncovered and dubbed GoldDigger. The group has since found clusters of aggressive banking Trojans targeting the Asia-Pacific region. 

This is of particular concern as the Bank of Thailand required banks to use facial biometric verification to confirm the identity of a person before approving transactions, transferfing money, or raising limits for credit transfers on mobile devices as of March 2023. The State Bank of Vietnam has plans to require facial authentication for all money transfers starting in April 2024.

One of the Trojans, GoldPickaxe.iOS, shows the GoldDigger malware has jumped from Android to iOS, a first for the technology. It originates from the same family as GoldDigger, which launched last June. GoldDiggerPlus and GoldKefu emerged in September, and GoldPickaxe launched for Android and iOS in October.

This is a particularly sneaky malware that can evolve its capabilities and avoid detection. It collects facial recognition data and identifying information. It can also intercept SMS, meaning infected phones harvest a user’s personal information and confirmation texts to approve login requests and account changes. The facial recognition data can aid malicious actors in creating deepfakes with AI-powered face-swapping tech to exploit a person’s information.

The Trojan was found on Apple’s mobile app testing platform, TestFlight, but was removed from the platform. The malicious actor, nicknamed GoldFactory by Group-IB, then conducted a “multi-stage social engineering scheme” and convinced users to install a Mobile Device Management profile, which gave the malware complete control of the device. It’s thought that GoldFactory may be operated by a cybercrime group with ties to Gigabud, another malicious group.

For now, Group-IB warns iOS users in Vietnam and Thailand to be wary and to change passwords everywhere if they doubt the authenticity of any downloads. But the group also warns users the malware might have already spread to other regions. A new variant, GoldDiggerPlus, was found, which lets the threat actors call their targets and realistically pretend to be a legitimate customer service center.

Be cautious of any downloads you come across. Be sure to change your security questions and passwords regularly without recycling them. If someone calls you claiming to be a representative for any company, hang up and find the legit number listed for the business, then call back to avoid speaking to any dubious contacts.

Disclaimer: To address the growing use of ad blockers we now use affiliate links to sites like, streaming services, and others. Affiliate links help sites like Cord Cutters News, stay open. Affiliate links cost you nothing but help me support my family. We do not allow paid reviews on this site. As an Amazon Associate I earn from qualifying purchases.

Subscribe to Our Newsletter

* indicates required

Please select all the ways you would like to hear from :

You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our website.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp’s privacy practices here.