An Android trojan called GoldDigger surfaced last year that can steal biometric data and more from victims to compromise their bank accounts. Now the threat has evolved into the GoldPickaxe trojan, which can infect both iOS and Android. Fortunately, there are several simple ways to protect against the first iPhone trojan; here’s what you should know.
Update 5/14/24: Apple has released iOS 17.5 to the public with 15 security fixes, but as it happens, no mention of or patch for the GoldPickaxe iOS trojan.
Update 3/11/24: Following the discovery of the first iOS trojan in February, Apple has released iOS 17.4 which comes with over 40 security fixes. However, GoldPickaxe was not one of the patched flaws.
We’re keeping an eye out to see if protection could come with a rapid security response update or another release.
iPhone trojan background
GoldPickaxe was discovered by security firm Group-IB which believes it is the world’s first iOS trojan.
When installed on an iPhone, the malware can collect a user’s biometric information from photos, read SMS text messages, intercept web activity, and more. In some cases, victims are contacted by malicious parties posing as bank representatives who ask for information like pictures of ID cards.
With AI-based tools, the threat actors can then hack a user’s bank account.
Who’s being targeted?
For now, the GoldPickaxe iPhone trojan has been targeting users in Vietnam and Thailand (by mimicking more than 50 apps from financial institutions).
However, Group-IB says that the GoldPickaxe iOS/Android trojan and the previous GoldDigger and GoldKefu trojans “are in the active stage of evolution” so it’s important to remain vigilant.
How is it distributed?
While the iPhone trojan was first found distributed through the iOS TestFlight beta testing system, Apple was able to shut that down (at least for now).
However, in its latest evolution, GoldPickaxe is being distributed through malicious iOS mobile device management (MDM) profiles.
Top comment by JustNeedItForDev
Most of your parental apps out there leverage MDM to enforce policies. Users should beware of parental apps that use MDM to begin with, but now there is even more reason to steer clear.
But as the threat evolves, distribution mechanisms may change or increase.
How to protect against iPhone trojan ‘GoldPickaxe’
- Don’t install an iPhone app through Apple’s TestFlight unless you fully trust the developer and can verify it is legitimate
- Install apps through the App Store, and even then, it’s best to verify the developer to make sure it is what you think it is
- Don’t install an iPhone MDM profile unless you fully trust the source and can verify it’s legitimate (e.g. comes directly from your IT administrator, place of work, trusted institution or developer, etc.)
- As mentioned by 9to5Mac reader JustNeedItForDev in the comments, most third-party parental control apps work through an MDM policy, so be cautious when deciding whether or not to use one
- Don’t share personal/sensitive information (including photos of yourself or ID cards) through phone calls, video calls, or other communication if a party reaches out to you
- If you have concerns about a financial account, log in directly at the bank/institution’s website to check into the situation – don’t call numbers or click links that were sent to you
- Keep your iPhone updated with the latest software from Apple – that now includes Rapid Security Response updates that arrive in between regular releases
- Stay tuned to 9to5Mac as we always report as soon as iPhone updates go live
For a detailed look at how GoldPickaxe works, check out the full post from Group-IB.