GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself

Introduction

The Hi-Tech Crime Trends report by Group-IB highlights a growing cybercriminal focus on Apple devices due to their increasing popularity. This shift has led to a rise in malware targeting iOS and macOS, with the App Store becoming a frequent target for distributing malware. The introduction of third-party app stores under the EU’s Digital Markets Act is expected to give attackers further opportunities to exploit this trend.

Discovery of GoldPickaxe

GoldPickaxe is an iOS Trojan, modified from the Android Trojan GoldDigger, designed to harvest facial recognition data. This Trojan marks a significant shift as cybercriminals adapt Android schemes to target iOS devices. The malware uses stolen data to impersonate users and access their bank accounts.

Importance of Analyzing iOS Malware

With the increasing use of smart technologies and IoT devices, understanding how to analyze iOS-related malware is crucial. Group-IB provides a guide for jailbreaking iOS devices to investigate and analyze apps, leveraging vulnerabilities like Checkm8 for thorough examination.

Checkm8 Vulnerability

The Checkm8 vulnerability, discovered in 2019, affects the bootloader of older Apple devices and cannot be fully fixed with software updates. While newer devices are protected, older models remain at risk, making it crucial to employ stringent security practices across all Apple products.

Jailbreaking iOS for Investigation

To analyze an iOS device, jailbreaking is necessary. Tools like Palera1n and Dopamine are used depending on the device’s processor and iOS version. Jailbreaking allows cybersecurity experts to inspect and extract apps for analysis.

Jailbreaking Process

  1. Preparation: Ensure the device can be jailbroken and download necessary tools (e.g., Palera1n).
  2. Execution: Run the jailbreak utility, follow prompts to enter DFU mode, and resolve any issues that arise.
  3. Post-Jailbreak: Install an app manager like Sileo, set up a standard password, and install analysis tools like Frida.
  4. App Extraction: Use tools like bagbak on a Linux-based machine to decrypt and extract iOS apps for analysis.
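Once an app has been decrypted and extracted, the first thing an analyst wants from the bundle is which sensitive permissions it declares. The following triage script is an added example, not code from the Group-IB post or from bagbak: it parses an app's Info.plist and flags the camera, Face ID and photo-library usage keys that a face-harvesting Trojan would need, plus an App Transport Security override. The sample plist and the bundle identifier are constructed for illustration.

```python
import plistlib
from typing import Dict, List

# Privacy usage-description keys whose presence means the app asks for
# access to sensors or data that a face/identity-harvesting Trojan needs.
SENSITIVE_USAGE_KEYS = {
    "NSCameraUsageDescription": "camera (selfie / face video capture)",
    "NSFaceIDUsageDescription": "Face ID prompt",
    "NSPhotoLibraryUsageDescription": "photo library (ID card images)",
    "NSContactsUsageDescription": "contacts",
    "NSLocationWhenInUseUsageDescription": "location",
}

# Constructed sample Info.plist for a finance-themed app that requests
# camera, photo library and contacts access. Not a real sample.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.fakebank",  # placeholder bundle id
    "CFBundleDisplayName": "Example Bank",
    "NSCameraUsageDescription": "Verify your identity",
    "NSPhotoLibraryUsageDescription": "Upload your ID document",
    "NSContactsUsageDescription": "Invite friends",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})


def triage_info_plist(data: bytes) -> Dict[str, object]:
    """Parse a decrypted app's Info.plist and summarise risk-relevant settings."""
    plist = plistlib.loads(data)
    findings: List[str] = []
    for key, why in SENSITIVE_USAGE_KEYS.items():
        if key in plist:
            findings.append(f"{key}: requests {why} ({plist[key]!r})")
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: cleartext HTTP to any host permitted")
    return {
        "bundle_id": plist.get("CFBundleIdentifier"),
        "name": plist.get("CFBundleDisplayName"),
        "findings": findings,
        # Camera plus photo library together is the combination to look at
        # first when the suspected goal is collecting faces and ID documents.
        "requests_camera_and_photos": ("NSCameraUsageDescription" in plist
                                       and "NSPhotoLibraryUsageDescription" in plist),
    }


if __name__ == "__main__":
    report = triage_info_plist(SAMPLE_INFO_PLIST)
    print(report["bundle_id"], report["name"])
    for line in report["findings"]:
        print(" -", line)
```

On a real extraction, pass the bytes of `Payload/<App>.app/Info.plist` from the decrypted bundle instead of the constructed sample.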

Conclusion

The increasing threat landscape for Apple devices underscores the need for thorough analysis of iOS malware. By understanding the process of jailbreaking and extracting applications, cybersecurity experts can better mitigate risks and protect against sophisticated threats like the GoldPickaxe Trojan.

Full Story : https://www.group-ib.com/blog/goldpickaxe-ios-trojan/