iOS, Android malware steals faces to defeat biometrics with AI swaps

Chinese hackers have developed a sophisticated banking Trojan for tricking people into giving up their personal IDs, phone numbers, and face scans, which they’re then using to log into those victims’ bank accounts.

The new malware, “GoldPickaxe,” was developed by a large (but unidentified) Chinese-language group. Its variants work across iOS and Android devices, masquerading as a government service app in order to trick primarily elderly victims into scanning their faces. The attackers then use those scans to develop deepfakes that can bypass cutting-edge biometric security checks at Southeast Asian banks.

In a new report, researchers from Group-IB identified at least one individual whom they believe to be an early victim: a Vietnamese citizen who earlier this month lost around $40,000 as a result of the ruse.

Diligent social engineering and powerful cross-platform malware aside, the campaign seems to be highly effective for two reasons: because deepfake technology has caught up with biometric authentication mechanisms, and because most of us haven’t realized that yet.

“This is why we see face swaps are a tool of choice for hackers,” says Andrew Newell, chief scientific officer at iProov. “It gives the threat actor this incredible level of power and control.”

How Chinese Hackers Beat Thai Banks

As the novelist George Orwell famously said, “The enemy of art is the absence of limitations.”

Last March, to combat widespread financial fraud, the Bank of Thailand announced a policy change: All Thai financial institutions must forgo email and SMS, and require facial recognition for any major actions from customers (e.g., opening a new account, adjusting a daily transfer limit, or initiating a transaction of more than 50,000 baht). They began enforcing this new rule, among others, last July.

To read the complete article, visit Dark Reading.
