GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself

Keypoints

• Group-IB reports a shift in cybercrime focus toward Apple devices, with iOS/macOS malware increasing and App Store distribution rising in prominence.
• Third-party app stores under the EU Digital Markets Act are expected to amplify the risk of malware spreading to iOS devices.
• GoldPickaxe is an iOS Trojan, derived from the Android GoldDigger, designed to harvest facial recognition data to impersonate users and access bank accounts.
• The article emphasizes the importance of analyzing iOS malware and suggests jailbreaking as a method to inspect apps and study vulnerabilities.
• Checkm8 is a bootloader vulnerability affecting older Apple devices that cannot be fully fixed by software updates, underscoring persistent risk on older models.
• Jailbreaking workflows are outlined (Preparation, Execution, Post-Jailbreak, App Extraction) with tools like Palera1n, Dopamine, Sileo, Frida, and bagbak used for analysis.
• The conclusion calls for thorough analysis of iOS threats to better mitigate risks and protect against sophisticated threats like GoldPickaxe.