First ever iOS trojan discovered — and it’s stealing facial recognition data to break into bank accounts

iPhone 15 Pro Max shown in hand
(Image credit: Tom's Guide)

One of the reasons many people pick one of the best iPhones over their Android counterparts is due to security. However, that could be changing as the first ever banking trojan designed to target iPhone users has been spotted in the wild.

According to a new report from Group-IB, the Android trojan GoldDigger has now been modified with new capabilities that make it easier for this malware to drain victims’ bank accounts. First discovered last October, the trojan's new variation has been dubbed GoldPickaxe, with versions specifically designed for both Android and iOS devices.

Once installed on either an iPhone or an Android phone, GoldPickaxe can collect facial recognition data, identity documents and intercepted text messages, all to make it easier to siphon off funds from banking and other financial apps. To make matters worse, this biometric data is then used to create AI deepfakes to impersonate victims and access their bank accounts.

It’s worth noting that at the moment, the GoldPickaxe trojan is only being used to target victims in Vietnam and Thailand. However, as with with other malware campaigns, if this one proves successful, the cybercriminals behind it could expand their operations to target both iPhone and Android users in the U.S., Canada and other English-speaking countries.

Whether you have an iPhone or an Android, here’s what you need to know about this new banking trojan along with some tips to help keep iPhone users safe, as they likely haven’t dealt with a threat like this before.

Correction: We have updated the headline of this story to reflect that facial recognition data had been collected and not Face ID data.

From TestFlight to Mobile Device Management

While Android banking trojans are typically distributed through malicious apps and phishing attacks, getting a trojan onto an iPhone is a bit more difficult due to how Apple’s ecosystem is much more closed off than Google’s. Still, like they often do, hackers have found a way.

During the beginning of this malware campaign, the hackers behind it leveraged Apple’s mobile application testing platform TestFlight to distribute the GoldPixaxe.IOS trojan. It’s extremely difficult to get a malicious app onto Apple’s App Store but by abusing the iPhone maker’s TestFlight program, it is possible. This worked at the start of the campaign but once this malicious app was removed from TestFlight, the hackers behind this campaign had to come up with a more sophisticated means of distributing their iOS trojan.

With TestFlight access revoked, the hackers used social engineering to persuade their victims into installing a Mobile Device Management (MDM) profile. For those unfamiliar, MDM is a methodology and set of tools used by a business’ IT department to manage company phones, computers and other devices. If a victim did fall for this new tactic, the end result was that the hackers now had complete control over their iPhone.

According to Group-IB, a single threat actor with the codename GoldFactory is responsible for developing both versions of the GoldPickaxe banking trojan. However, after publishing their initial research, the firm’s security researchers also discovered a new variant of the malware named GoldDiggerPlus. Unlike with the best streaming services, though, the "plus" here indicates that the malware now offers the ability for hackers to call their victims in real time on an infected device.

Given how profitable a banking trojan like GoldDigger or GoldPickaxe can be — especially when it can target iPhones as well as Android phones — this likely isn’t the last we’ll hear about this malware or the hackers behind it.

How to keep your iPhone safe from malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

So what do you do now given the fact that your iPhone can come down with a nasty malware infection just like an Android phone can? Fortunately, Apple is likely already aware of this trojan and is working on a fix. In the meantime, here are some additional tips to help keep you and your devices protected.

For starters, don’t install any apps through TestFlight. This is easy enough to avoid as you first have to download TestFlight before you can install any non-vetted apps on your iPhone, according to this support document from Apple. Very few people personally know an app developer that may want their help, so if someone asks you to install TestFlight onto your iPhone or iPad, just don’t. The same goes for adding a MDM profile to your iPhone. Your employer is the only one that should be asking you to do this and that’s only if you have a company-issued iPhone.

While there isn’t an equivalent of the best Android antivirus apps for iOS due to Apple’s own restrictions around malware scanning apps, there is a workaround. With Intego Mac Internet Security X9 or Intego Mac Premium Bundle X9 — two of the best Mac antivirus software solutions — you can scan an iPhone or iPad for malware but only when it’s connected to a Mac via a USB cable. If you’re really worried about malware on your iPhone, this feature alone could make signing up for either product worth it.

For those who are at more risk than other iPhone users, enabling Lockdown Mode might be a good idea. It’s worth noting that this feature does limit the functionality of some apps. At the same time, you should also consider enabling Apple’s Stolen Device Protection, as this can give you peace of mind when it comes to having your iPhone stolen in person.

iPhone malware is now a reality but if you practice good cyber hygiene and don’t take unnecessary risks, you and your devices should be safe from hackers.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.