cross-posted from: https://lemmyf.uk/post/5813538
First ever iOS trojan discovered — and it’s stealing Face ID data to break into bank accounts
TLDR: Trojan can only be installed with an MDM setup, you should never enroll in random MDM profiles anyways. They started by using it in a TestFlight app, but Apple has since kicked them off.
the hackers used social engineering to persuade their victims into installing a Mobile Device Management (MDM) profile. For those unfamiliar, MDM is a methodology and set of tools used by a business’ IT department to manage company phones, computers and other devices. If a victim did fall for this new tactic, the end result was that the hackers now had complete control over their iPhone.
So when your IT person calls you up and asks you to install apps. Just say no.
While Android banking trojans are typically distributed through malicious apps and phishing attacks, getting a trojan onto an iPhone is a bit more difficult due to how Apple’s ecosystem is much more closed off than Google’s. Still, like they often do, hackers have found a way.
During the beginning of this malware campaign, the hackers behind it leveraged Apple’s mobile application testing platform TestFlight to distribute the GoldPixaxe.IOS trojan. It’s extremely difficult to get a malicious app onto Apple’s App Store but by abusing the iPhone maker’s TestFlight program, it is possible. This worked at the start of the campaign but once this malicious app was removed from TestFlight, the hackers behind this campaign had to come up with a more sophisticated means of distributing their iOS trojan.
With TestFlight access revoked, the hackers used social engineering to persuade their victims into installing a Mobile Device Management (MDM) profile. For those unfamiliar, MDM is a methodology and set of tools used by a business’ IT department to manage company phones, computers and other devices. If a victim did fall for this new tactic, the end result was that the hackers now had complete control over their iPhone.
Vietnam and Thailand only. Everyone else, don’t agree to sideload something prompted by a guy on the phone.
Ok, so not great, but not terrible.
Firstly you had to fall for social engineering to get the dodgy app via TestFlight. Later on, you had to fall for social engineering to get the dodgy app via you installing an MDM profile on your own device. In the future, you’ll doubtless be able to get socially engineered to sideload it.
Currently, in the UK (I don’t know what this is like in other countries), we get regular prompts from our banks not to share one-time codes with anyone, not even bank employees. And not to transfer money to ‘safe’ accounts, even if someone claiming to be the bank or the police tell you to. They’ll just need to update those to also say “We at Bank will never ask you to install test or special versions of our app, or update them anywhere other than the official Apple/Google app store”.
This is a social engineering problem, not really an iOS (or Android) technical one.
EDIT: The article is suspiciously vague one one point:
Once installed on either an iPhone or an Android phone, GoldPickaxe can collect facial recognition data, identity documents and intercepted text messages, all to make it easier to siphon off funds from banking and other financial apps. To make matters worse, this biometric data is then used to create AI deepfakes to impersonate victims and access their bank accounts.
What ‘facial recognition data’ is it gathering, and how? As I understand it, FaceID is processed in a secure enclave, and regular apps don’t have access to that - they send a ‘verify this person’ request, the phone itself triggers a FaceID scan, does the verification itself and sends back a ‘yes, all good’ reply to the app - the app itself does not get FaceID or biometric data. So unless it’s just doing something like using the camera to take some photos or videos of the user, I’d like to know what the article is talking about there…
Lazy journalism. The two variants showcases exactly how iOS is more secure and how much harder it is to get on the device as well as attempt to extract info.
Few quick points to answer questions outlined here:
- Android and iOS Variants behaves differently. Due to security measures (as outlined in this post itself) iOS variant cannot actually extract facial recognition data. Instead, it takes photos of user with prompts about shifting their face and blinking etc. The setup here is because Thailand’s central bank requires banks to perform facial recognition to withdraw larger sums of money. By stealing your face in multiple photos, they could build a deep fake of your face to be used in another device later.
- Due to the way security works on iOS, the iOS variant cannot exfiltrate SMS messages directly. There is simply no permission to do such. Instead, it tricks users into installing a SMS filtering extension “to prevent fraudulent SMS” — this allows attacker to read incoming SMS, but only from unknown numbers. The hopes here is that they could intercept your MFA received via SMS at a later date.
If anyone wants to do the full reading, it is available from Group-ib directly.
And yes, this further cements my thoughts about EU making a terrible move forcing Apple to enable side loading as it adds additional vectors for bad actors to get into a currently much more secure and harder to invade device.
If (when) this allows iOS Trojans through side loading you better believe that Apple will throw it all back at the EUs doorstep. I’m gonna howl how idiots thought it would make things “better”.
Of course many of those people that “want side loading” don’t give two craps about users. They just wanna see Apple knocked down a peg because of their sad little lives.
Wanna make things better in a way that gets my approval, kill all subscription models and just pay for genuine software updates that need to be justified through the new features they add.
Life hackers finds a way
