The zLabs research team recently detected a new variant of the GoldPickaxe mobile banking Trojan actively targeting customer environments, which were identified and stopped by Zimperium's Mobile Threat Defense (MTD) platform. MTD triggered a high-severity alert when a user attempted to navigate to malicious phishing infrastructure to download the compromised application. Organizations that rely only on conventional signature-based detection should take immediate steps to identify whether attackers have compromised their mobile fleet.
This threat campaign is attributed to GoldFactory, a sophisticated cybercrime group operating extensively within the Asia-Pacific (APAC) region and known for developing interconnected malware families. This campaign—which appears to be an evolution of a previous one—was distributed via a malicious domain designed to spoof KuaiBo, a prominent Chinese video streaming platform. The threat actors are primarily focusing their efforts on the Southeast Asian market, specifically targeting users of mobile banking, e-wallets, and financial applications. However, our telemetry identified 19 unique samples in the wild, impacting devices across 5 different countries: Indonesia, Malaysia, United States, Singapore and Saudi Arabia.
Technically classified as an advanced banking Trojan, this new GoldPickaxe iteration features an aggressive suite of post-compromise capabilities. The malware is engineered to harvest lock screen credentials and exfiltrate sensitive SMS logs, contact lists, and critical biometric data. Additionally, it deploys active keylogging to continuously monitor user input. Crucially, the Trojan can inject unauthorized text and simulate user gestures, allowing the threat actors to bypass standard security controls and establish full, remote administrative control over the victim's mobile device.
The infection and distribution vectors for this banking trojan are fake websites that promise free access to KuaiBo, a prominent Chinese video-streaming and media player application. (Fig. 1).
Fig.1: Phishing websites
Modern mobile threats minimize their initial footprint concealing their malicious capabilities to evade antivirus detection. As shown in the execution chain (Fig. 2), this malware is divided into three distinct operational phases.
Fig.2: Malware installation flow
The delivery chain begins when a user manually installs a seemingly innocuous application, known as the Dropper APK. By stripping out heavy malicious functionality from this initial package, threat actors ensure the dropper maintains a low profile, helping it to bypass standard static analysis filters and initial device defenses.
Once active on the device, the dropper application initiates the second stage of the delivery routine. Rather than relying on legacy installation methods that trigger conspicuous system prompts, the dropper utilizes the legitimate Android SessionInstaller API. The installation processes across these modern Android banking trojans share a distinct, unified strategy: abusing the native Session Installation API (Fig. 3) to bypass the stringent sideloading and Accessibility restrictions introduced in recent Android versions.
Fig.3: Ask the user to install the payload app
To ensure the core malicious logic remains hidden from signature-based file scanners, the dropper and payload application employ strict obfuscation tactics. It embeds an encrypted binary file, payload_dex.bin, which remains unreadable on the local disk. Upon execution, the payload application decrypts this file and dynamically loads it into memory. The malware utilizes the AES encryption algorithm, extracting the required Initialization Vector (IV) and cryptographic key from two specific files packaged within the APK: dex_IV.bin and dex_key.bin.
In the realm of modern mobile banking threats, initial access is secondary to operational longevity. Once a device is compromised, the malware's primary objective shifts to evading operating system controls, slipping past endpoint security solutions, and frustrating the efforts of reverse engineers. This continuous evolution has triggered a technological arms race, with threat actors prioritizing sophisticated evasion mechanisms alongside their core financial exfiltration capabilities. Moving away from rudimentary concealment, today's banking trojans deploy a multi-layered approach, orchestrating a combination of code-level obfuscation, integrity manipulation, and environment profiling to guarantee uninterrupted malicious activity.
The core malicious logic within both the dropper and payload applications is contained inside an encrypted packed file. These applications leverage the same execution mechanism (Fig. 4) and utilize identical filenames for the encrypted payload. This structural overlap suggests that both components were compiled using a common packer to shield the underlying malicious DEX payload from static analysis.
Fig.4: Packer used on dropper and payload app
The payload application intentionally omits the android.intent.action.MAIN and android.intent.category.LAUNCHER intent filters from its AndroidManifest file. By deliberately excluding these conventional entry points, the malware ensures it does not register an application icon on the device's home screen. This decision is a deliberate evasion tactic, resulting in the following functional impacts:
To evade static detection mechanisms, the malware developers utilize manifest tampering techniques that trigger parsing failures (Fig. 5) in popular open-source decompilation tools such as JADX and Apktool. By corrupting or malforming the underlying XML structure, as were mentioned on a previous blog, without breaking Android's native runtime compatibility, this tactical obfuscation successfully masks critical exposure indicators, such as requested permissions and background services. Consequently, these disruptions severely hinder targeted static analysis and code verification workflows.
Fig.5: Open source tool crashing
The analyzed sample handles network telemetry obfuscation via a native shared library named libnaLib.so, which is responsible for encrypting all data exchanged with the C2 panel. The communication protocol utilizes AES encryption, featuring a dynamic defense mechanism where the Initialization Vector (IV) is generated on the fly by native methods using the timestamp of each specific request. This prevents traditional signature-based network intrusion detection. However, by employing dynamic binary instrumentation, we were able to hook (Fig. 6) into these native execution routines at runtime. This enabled the live extraction of the ephemeral IVs and cryptographic keys, successfully neutralizing the obfuscation layer and decrypting the network traffic in plain text.
Fig.6: Communication Encryption
The malware possesses the capability to parse remote commands containing a URL from the Command and Control (C2) server. This allows it to fetch and download secondary APK payloads, enabling the threat actor to dynamically deploy additional malicious functionalities, circumvent application-level restrictions or C2 infrastructure disruptions, and ensure long-term persistence on the infected device.
GoldPickaxe possesses the capability to enumerate the applications installed on the target device. Specifically, it extracts the name, packageName, and icon from every application configured with a user interface element on the victim's device, subsequently exfiltrating this data to the C2 server. This intelligence enables threat actors to dynamically tailor their attack vectors, allowing them to intercept multi-factor authentication (MFA) codes, monitor user interactions in real time, and ultimately obtain unauthorized remote control over the victim's device and financial accounts.
Based on our analysis, this specific sample appears to target the Indonesian region, as the embedded target list contains 118 distinct banking applications.
The following table details the full list of technical capabilities found during the analysis of the sample:
| Capabilities | Found |
|---|---|
| Leak SMSs | ✔ |
| Leak Apps installed | ✔ |
| Leak Contacts | ✔ |
| Leak CallLog | ✔ |
| Camera surveillance | ✔ |
| Simulate User gestures | ✔ |
| Download other apps | ✔ |
| Keylogging | ✔ |
| Screen Capture | ✔ |
| Screen Overlay | ✔ |
| Stealing Pin/pattern/password | ✔ |
| Perform clicks | ✔ |
| Leak information about the device | ✔ |
| Steal biometric data | ✔ |
| Streal ID | ✔ |
The malware is capable of stealing the victim's device unlock credentials, including PINs, patterns, and passwords, by displaying a fake lock screen verification interface (Fig. 7) and capturing user input. Below is an example of the layout presented by the malware when the <four_password> command is executed.
Fig.7: Password Fake Layout
To force victims into interacting with this fraudulent interface, the malware executes the <disable_face_true> command, which disables biometric facial recognition on the infected device. This mechanism hijacks the camera and forces a system fallback to PIN or pattern authentication, effectively funneling the user directly into the threat's active phishing overlay components. The complete list of commands can be found in this link.
The malware includes a command named <enhance_display_true>, which allows the sample to leverage Android's Accessibility Services to capture elements displayed on the screen (Fig.8). This harvested data is subsequently transmitted to the C&C server in JSON format.
Fig.8: Screen info sent via websockets
The malware also features the <screen_share_true> command, which abuses the standard Media Projection API (Fig.9) to activate screen sharing. Once executed, this capability grants the malware unrestricted visibility into the victim's UI by capturing the live screen display.
Fig.9: Screen sharing using Media Projection
The malware implements a command named <upload_idcard>, which triggers an activity (Fig. 10) prompting the user to upload their ID to the server. Notably, this activity retains legacy references to an older version of the Goldpickaxe malware, specifically pointing to com.go.control.IdentityVerifyPhotoActivity. Even though the package name has changed in this newer variant, the malware resolves the discrepancy by utilizing an activity-alias within its Android Manifest.
|
<activity-alias |
Fig.10: Fake identity verification screen
The malware features the capability to initiate a dedicated activity (Fig.11) that prompts users to record a video of their face. This captured biometric data is subsequently exfiltrated to the C2 server. This capability poses a critical security risk, as the stolen facial recordings can be leveraged by threat actors to bypass biometric authentication mechanisms, such as electronic Know Your Customer (e-KYC) systems utilized by financial applications.
Fig.11: Fake face recognition layout
Furthermore, specific commands are utilized to deceive the victim regarding the status of the operation. For instance, the command <face_video_judu> is triggered to make the user believe the facial recognition process has failed, while <face_video_accept> simulates a successful verification. Visual evidence of these interface states is documented in Fig 12.
Fig.12: Face Recognition failed/succeed
The malware deploys an assortment of deceptive overlay screens (Fig. 13) tailored to facilitate various attack vectors. These tactics range from rendering solid black screens or fake system update interfaces, used to conceal background malicious processes, to displaying specialized layouts that request biometric information, such as a fingerprint. These biometric interfaces are explicitly engineered to trick the user into providing a fingerprint scan when the malware requires authentication to authorize high-privilege actions on the device.
Fig.13: Overlay Layouts used
In addition to biometric deception, the threat actors deploy spoofed layouts to harvest permissions through social engineering. Specifically, they utilize a fraudulent interface masquerading as an official Indonesian ministry application (Fig. 14) to deceive the target.
The victim is prompted to verify their personal data by clicking a designated confirmation button. Interacting with this element immediately triggers the execution of com.go.Permissions. Consistent with the obfuscation and backwards-compatibility techniques observed in other classes of this sample, this component is registered within the Android Manifest as an activity-alias that stealthily redirects the execution flow to the primary PermissionsActivity:
|
<activity-alias |
Fig.14: Fake Indonesian Ministry layout
The malware also implements a highly configurable command <injection_app> designed to display a spoofed AppDialog view to the victim. The visual elements of this dialog are entirely dynamic and populated using parameters delivered directly from the command payload, including the title, content, and target application name (nameApp).
To maximize the credibility of the deception, the malware extracts the legitimate, high-resolution application icon from a targeted app already installed on the device and converts it into a Bitmap to render inside the fake prompt (Fig 15).
Fig.15: App Dialog that triggers a webView redirection
Once the victim interacts with the fake dialog and clicks the "OK" button, the malware hijacks the execution flow and redirects the user's browser to a malicious website specified dynamically by the C2 server.
As mobile banking threats like GoldPickaxe become increasingly sophisticated, conventional signature-based security layers are no longer sufficient to protect enterprise mobile endpoints. Zimperium provides comprehensive, multi-layered protection designed to disrupt every stage of the GoldPickaxe execution chain.
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1660 | Phishing | Threat actors created spoofed websites mimicking the Chinese video-streaming platform KuaiBo to trick users into downloading the malicious Dropper APK. |
| Execution | T1623 | Command and Scripting Interpreter | During Phase 2, the malware abuses the legitimate Android SessionInstaller API to install the secondary payload silently, bypassing accessibility and sideloading restrictions. |
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | Utilizes system event triggers and background broadcast receivers to ensure the malware automatically initializes or restarts without direct user interaction. |
| Persistence | T1628.001 | Hide Artifacts: Suppress Application Icon | Deliberately omits MAIN and LAUNCHER intent filters in its AndroidManifest file to conceal the app icon from the device's home screen, preventing conventional uninstallation. |
| Defense Evasion | T1406 | Obfuscated Files or Information: Dynamic Code Loading | Code logic is hidden inside an encrypted packed binary (payload_dex.bin) and dynamically loaded into memory at runtime using AES keys extracted from local files. |
| Defense Evasion | T1629 | Impair Defenses | Malforms the XML structure of the manifest to crash static analysis tools (JADX/Apktool). Additionally, executes the <disable_face_true> command to turn off native facial recognition, forcing a fallback to traditional PIN authentication. |
| Defense Evasion | T1655 | Masquerading | Employs "activity-alias" redirects and custom overlay layouts (such as a fake Indonesian Ministry application or fake AppDialog prompts using legitimate system icons) to manipulate visual features and social engineer permissions. |
| Credential Access | T1417.002 | Input Capture: GUI Input Capture | Deploys a fake lock screen interface via the <four_password> command to steal PINs, patterns, or passwords, alongside active keylogging to monitor input. |
| Discovery | T1418 | Software Discovery | Enumerates and extracts the name, package name, and icon of all installed apps on the device, matching them against an embedded target list of 118 Indonesian financial apps. |
| Discovery | T1426 | System Information Discovery | Collects basic device information and profiling data to adapt attack vectors and identify the operating environment. |
| Collection | T1636.004 | Protected User Data: SMS Messages | Intercepts, reads, and exfiltrates sensitive SMS logs and incoming text messages from the infected mobile device. |
| Collection | T1636.002 | Protected User Data: Contacts List | Accesses and exfiltrates the complete list of contacts stored on the victim's device. |
| Collection | T1636.003 | Protected User Data: Call Logs | Harvesters and leaks the full call history logs from the compromised system. |
| Collection | T1453 | Abuse Accessibility Features | Leverages Android Accessibility Services via the <enhance_display_true> command to scrape live screen elements and transmit them to the C2 server in JSON format. |
| Collection | T1513 | Screen Capture | Abuses the native Media Projection API via the <screen_share_true> command to enable live screen sharing, granting threat actors unrestricted visibility into the UI. |
| Collection | T1512 | Video Capture | Hijacks the device's camera to record video of the victim's face under the guise of failed/successful facial verification loops (<face_video_judu> / <face_video_accept>). |
| Command and Control | T1521.001 | Encrypted Channel | Obfuscates network telemetry using a native shared library (libnaLib.so) that encrypts traffic with AES and generates dynamic Initialization Vectors (IVs) based on request timestamps. |
| Command and Control | T1544 | Ingress Tool Transfer | Continually processes incoming remote commands from the C2 server to dynamically alter the trojan's behavior and stream stolen assets. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Packages and transmits all collected sensitive data (biometrics, ID photos, SMS tokens, credentials) over the established C2 channel to the GoldFactory infrastructure. |
| Impact | T1516 | Input Injection | It displays inject payloads like pattern lock and mimics banking apps login screen through overlay and steal credentials. |
The list of IOCs captured can be found on the following repository.
While working on this campaign, Promon published a blog that contains a similar analysis on two samples that seem to be related to this campaign. However, the analysis presented here extends in some areas and adds undisclosed IOCs.