Zimperium identified a new GoldPickaxe variant targeting mobile banking users through phishing sites spoofing KuaiBo, with infections observed across five countries and 19 samples in the wild. The Trojan uses obfuscation, dynamic code loading, screen scraping, biometric theft, and C2-controlled overlays to steal credentials and exfiltrate sensitive data for GoldFactory. #GoldPickaxe #GoldFactory #KuaiBo #Zimperium #SessionInstaller #libnaLibso
Keypoints
- Zimperiumâs zLabs team detected a new GoldPickaxe mobile banking Trojan variant and stopped it using Zimperium Mobile Threat Defense.
- The campaign is attributed to GoldFactory and uses phishing websites spoofing the KuaiBo video streaming platform to lure victims.
- Telemetry found 19 unique samples affecting devices in Indonesia, Malaysia, the United States, Singapore, and Saudi Arabia.
- The malware targets mobile banking, e-wallet, and financial app users, with a strong focus on Southeast Asia and Indonesian banking applications.
- GoldPickaxe can steal lock screen credentials, SMS logs, contacts, call logs, biometric data, and device information, while also performing keylogging and screen capture.
- The Trojan uses Android SessionInstaller abuse, dynamic code loading, encrypted communication, manifest tampering, and hidden app icons to evade detection and persistence controls.
- Remote C2 commands enable fake overlays, screen sharing, camera capture, app enumeration, APK downloads, and credential theft through social engineering.
MITRE Techniques
- [T1660 ] Phishing â Threat actors used spoofed websites mimicking KuaiBo to trick users into downloading the malicious Dropper APK (âspoofed websites mimicking the Chinese video-streaming platform KuaiBoâ).
- [T1623 ] Command and Scripting Interpreter â The malware abused the Android SessionInstaller API to install the secondary payload while bypassing sideloading and accessibility restrictions (âabuses the legitimate Android SessionInstaller APIâ).
- [T1624.001 ] Event Triggered Execution: Broadcast Receivers â The sample used system event triggers and background broadcast receivers to initialize or restart without direct user interaction (âensure the malware automatically initializes or restartsâ).
- [T1628.001 ] Hide Artifacts: Suppress Application Icon â The payload omitted MAIN and LAUNCHER intent filters so no home-screen icon appeared (âdeliberately excludes these conventional entry pointsâ).
- [T1406 ] Obfuscated Files or Information: Dynamic Code Loading â The malware hid logic in an encrypted payload_dex.bin file and loaded it at runtime using AES keys from local files (âdynamically loads it into memoryâ).
- [T1629 ] Impair Defenses â It malformed XML to crash JADX/Apktool and disabled facial recognition to force PIN fallback (âtrigger parsing failuresâ and âturn off native facial recognitionâ).
- [T1655 ] Masquerading â The threat used activity-alias redirects and fake overlays, including a fake Indonesian Ministry app and fake AppDialog prompts, to deceive victims (âmasquerade as an official Indonesian ministry applicationâ).
- [T1417.002 ] Input Capture: GUI Input Capture â A fake lock screen captured PINs, patterns, or passwords, while keylogging monitored input (âsteal the victimâs device unlock credentialsâ).
- [T1418 ] Software Discovery â The malware enumerated installed apps and extracted names, package names, and icons (âextracts the name, packageName, and icon from every applicationâ).
- [T1426 ] System Information Discovery â It collected device profiling data to adapt attack vectors (âleak information about the deviceâ).
- [T1636.004 ] Protected User Data: SMS Messages â The sample intercepted and exfiltrated SMS logs and incoming text messages (âexfiltrating sensitive SMS logsâ).
- [T1636.002 ] Protected User Data: Contacts List â It accessed and exfiltrated the victimâs contacts list (âcontact listsâ).
- [T1636.003 ] Protected User Data: Call Logs â It harvested and leaked call history logs (âLeak CallLogâ).
- [T1453 ] Abuse Accessibility Features â The malware used Accessibility Services to scrape live screen elements and send them to C2 in JSON (âleverage Androidâs Accessibility Servicesâ).
- [T1513 ] Screen Capture â The sample abused Media Projection to enable live screen sharing and UI visibility (âactivate screen sharingâ).
- [T1512 ] Video Capture â It hijacked the camera to record facial video during fake verification flows (ârecord a video of their faceâ).
- [T1521.001 ] Encrypted Channel â Network traffic was encrypted by libnaLib.so using AES and dynamic IVs (âencrypting all data exchanged with the C2 panelâ).
- [T1544 ] Ingress Tool Transfer â The malware processed remote C2 commands to download and deploy secondary APK payloads (âfetch and download secondary APK payloadsâ).
- [T1646 ] Exfiltration Over C2 Channel â Collected biometrics, ID photos, SMS tokens, and credentials were sent over the C2 channel (âtransmits all collected sensitive dataâ).
- [T1516 ] Input Injection â It injected payloads such as pattern-lock and login overlays to steal credentials (âmimics banking apps login screen through overlayâ).
Indicators of Compromise
- [Domains/URLs ] phishing and malicious infrastructure used to distribute and redirect victims â KuaiBo spoofing domain, malicious website specified by the C2 server
- [File names ] encrypted payload and key material used by the dropper/payload â payload_dex.bin, dex_IV.bin, dex_key.bin
- [File names ] native library used for C2 encryption â libnaLib.so
- [Android package/activity names ] legacy and redirected Android components used for masquerading â com.go.control.IdentityVerifyPhotoActivity, com.sup.hop.ui.activity.IdentityVerifyPhotoActivity, com.go.Permissions
- [Sample/application type ] malicious installer and second-stage payload referenced in the campaign â Dropper APK, payload application
- [Targeted app list ] embedded financial app targeting set used for profiling â 118 distinct banking applications