Communication Encryption
At a glance
| Malware family | GoldPickaxe (Android banking Trojan, GoldDigger suite) |
| Threat actor | GoldFactory (confirmed by Zimperium; Chinese-speaking crime group) |
| Target / victims | Mobile banking, e-wallet, and finance app users; focus on Southeast Asia |
| Delivery vector | Phishing sites spoofing the KuaiBo streaming app; dropper APK |
| Key capabilities | Biometric and face theft, lock-screen credential theft, SMS and contact exfiltration, keylogging, remote control |
| Source | Zimperium zLabs |
TL;DR
The GoldPickaxe banking Trojan is back, and it hunts your face. Zimperium’s zLabs team found a new Android variant that steals biometric data, bank logins, and text messages. It targets financial app users, mostly across Southeast Asia.
Confirmed attribution
Zimperium attributes the campaign to GoldFactory. This Chinese-speaking crime group is well known from earlier work by Group-IB, which first exposed GoldPickaxe in 2024. So the attribution here is confirmed, not suspected.
Delivery
The attack starts with a fake website. It spoofs KuaiBo, a Chinese video-streaming app, and offers a free Android download. Victims then install a dropper app that looks harmless. That dropper carries little malicious code at first, which helps it slip past scanners.
Infection chain
Next, the dropper abuses Android’s SessionInstaller API to add a second app. That payload hides its real logic in an encrypted file, then decrypts and loads it in memory. It also skips the home-screen icon, so victims struggle to find and remove it.
The malware even breaks analysis tools. It malforms its manifest to crash JADX and Apktool. As a result, researchers cannot read its permissions or services through normal methods.
What GoldPickaxe steals
Once active, the Trojan grabs almost everything. It records the victim’s face on video and prompts them to upload an ID card. Zimperium warns the stolen face data can defeat the e-KYC checks that banks use.
The list runs long. As the report notes, “The malware is engineered to harvest lock screen credentials and exfiltrate sensitive SMS logs, contact lists, and critical biometric data.” It also logs keystrokes, captures the screen, and shows fake overlays. Crucially, “the Trojan can inject unauthorized text and simulate user gestures,” which grants near-total remote control.
This sample zeroes in on Indonesia. Per the report, “the embedded target list contains 118 distinct banking applications.”
Command-and-control and data theft
GoldPickaxe hides its network traffic well. A native library encrypts every message to the C2 server with AES. It also builds a fresh key for each request from a timestamp, which defeats simple signature rules. On command, the malware can fetch and install extra apps too.
Scale and spread
The campaign reaches beyond one country. According to Zimperium, “our telemetry identified 19 unique samples in the wild, impacting devices across 5 different countries: Indonesia, Malaysia, United States, Singapore and Saudi Arabia.”
How to defend against the GoldPickaxe banking Trojan
Install apps only from official stores. Treat any “free streaming” download as a red flag. Never upload your ID or record your face for an app you sideloaded.
Businesses should run mobile threat defense, since signature-only tools miss this threat. Also add authentication that does not rely on biometrics alone.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.