Recently, facial recognition technologies have become an increasingly popular tool for secure authentication, one praised for its convenience. When technology giants such as Apple popularized their Face ID technology for face authentication, which, in general, couldn't be fooled by static photographs and encrypts users’ facial data, security concerns naturally dwindled to the point where even banks and the wider financial sector now use facial recognition systems as a form of authorization.
However, this “good news” about technological progress may also create a false picture of biometric recognition as the ultimate tool for secure authentication. No more passwords, no more scams, no one can steal a 3D image of your natural face, right?
Neither time nor cybersecurity practice stands still, so if you think that facial authentication alone will prevent you from being scammed or your device from being breached, read further to understand the limits to the security it can provide. In the latest ESET Threat Report H1 2024, ESET researchers describe how adversaries use fake mobile apps to replace their own faces with those of their victims using AI face-swapping services. This method can be used by cybercriminals to gain unauthorized access to victims’ accounts.
The strongest protection lies in using combinations of security approaches — for example, leveraging facial authentication with multilayered cybersecurity technologies, including multifactor authentication (MFA) built with prevention in mind to avoid attacks before they can do any harm. ESET covers both consumers and business users with mobile device protection that combines AI, human expertise, and a prevention-first approach.
Preferred security authentication
Biometrics have gained popularity among both consumers and businesses, largely around ease of use. In 2023, biometrics such as fingerprint or face scan were the most preferred security authentication methods to access users’ online accounts, apps, and smart devices. Biometric authentication was used by 27 percent of respondents among consumers in various countries.
Another 2023 survey found that nearly 60 percent of respondents among IT and cybersecurity leaders in the United States mentioned biometrics when asked what they were replacing or expecting to replace workplace passwords with.
Facial recognition, also a part of the biometrics market, reflects public demand for this new technology. In 2022, the market was estimated at roughly $5 billion and is expected to grow, reaching $19.3 billion by 2032.
Since Apple’s camera- and laser-based 3D face mapping was introduced in 2017, big market players such as Samsung have also been considering new technologies such as Metalenz's tools that can read polarized photons and create an image of a specific face or even record a brief video skin signature.
New attack vector
Nowadays, certain financial apps require that users record a brief video of their face from various angles using the front camera of their mobile device as a form of secure authentication. However, what was intended as an extra layer of security to prevent identity theft and fraudulent activities recently became another attack vector for cybercriminals.
Group-IB’s Threat Intelligence unit discovered a previously unknown iOS Trojan GoldPickaxe.iOS, an imitation of legitimate Thai government applications such as Digital Pension for Thailand. These malicious apps collect identity documents, SMS, and facial recognition data. Likely to ensure the greatest catch of personal data, some member of the GoldPickaxe malware family is available for both iOS and Android platforms. Group-IB attributed the campaign to a Chinese-speaking cybercrime group called GoldFactory.
This malware family is also detected by ESET security solutions.
The GoldPickaxe Android version is distributed via websites posing as the official Google Play store. To distribute the iOS version, the threat actors use a multistage social engineering scheme to persuade victims to install a mobile device management (MDM) profile, which allows attackers to gain complete control over the victim’s iOS device.
For example, attackers pretended to be officials from the Thai Ministry of Finance approaching citizens claiming that the targeted users’ elderly relatives were eligible for additional pension benefits. The victims were then persuaded to click on links to the criminals’ websites to download an MDM profile.
In this way, attackers can access victims' facial recognition data without cracking Apple’s privacy protection measures such as the Secure Enclave, a hardware-based secure environment designed to keep sensitive user data.
Creating deep fake videos
Once installed, GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application. The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services.
But that’s not all, since the fake video would not be enough by itself to fool a bank’s security and authentication systems. The malware also requests the victim’s ID documents, intercepts SMS, and redirects traffic through the proxy server.
GoldPickaxe does not directly perform unauthorized transactions from the victim’s phone. Instead, it collects all the necessary information from the victim to autonomously access the victim’s banking application.
Group-IB researchers hypothesize that the cybercriminals use their own devices to log in to bank accounts, a tactic that was also confirmed by the Thai police.
The importance of prevention
Considering the use of call centers, advanced malware, and AI for deepfake video production, it’s clear that these cybercriminals put some effort into their attacks. This, however, doesn’t mean that such threats cannot be stopped, especially with good prevention.
Let’s start with basic awareness principles:
- Always try to verify claims about eligibility for prizes, discounts, or, as in the case of GoldPickaxe, pension bonuses. If it seems too good to be true, it probably is.
- Pay attention to websites distributing mobile apps and use only official app stores.
- Don’t be fooled by phishing websites. Learn to recognize phishing here.
- Suspicious activity on your smartphone? Run a security scan with a reputable security app.
- After discovering a malicious app, delete it and restart your phone. Resetting your Android device to factory settings may be necessary.
However, no one is 100% immune to phishing, and even IT specialists may fall for scams. To keep your mobile device safe, you also need reliable cybersecurity protection.
ESET Mobile Security (EMS) takes a proactive approach and can detect and block threats during the download process, even before installation occurs. EMS scans all files in download folders and can also be used to scan already existing ones. ESET Mobile Security Premium offers even more protection with Anti-Phishing, Anti-Theft, Payment Protection, and App Lock.
And remember, having one advanced authentication method, no matter how secure (even within iOS, which is a closed system with built-in security features) is no guarantee of safety. Cybercriminals are creative, and it’s important to have multilayered security in cases where some layers of defenses may be evaded.
Protecting businesses
So far, GoldPickaxe has only been targeting consumers. However, similar threats abusing facial recognition technology together with face-swapping AI could potentially be used to target financial departments of companies or business managers.
There have already been attacks involving deepfake videos of C-level executives that have led to huge financial losses. A 2023 study conducted by BlackCloak and Ponemon Institute shows that senior-level corporate executives are increasingly being targeted by sophisticated cyberattacks, including online impersonation.
Even with thorough cyber-awareness training, there is still a good chance that employees will fall victim to sophisticated attacks exposing their corporate mobile devices, paving the way for further attacks against their company. To learn more about the topic of businesses' attack surface vectoring from employee mobile devices, check this blog.
Being aware of this, ESET has introduced a new Mobile Threat Defense module to its comprehensive business solution ESET PROTECT, with great pricing available for the Advanced tier and higher. Users of ESET PROTECT Advanced and higher can enjoy one free mobile device seat per one paid seat for other devices.
A single tool is not enough
Creating fake videos using AI for scams sounds scary (and there already are thriller movies utilizing this idea), but ESET research clearly shows that even these elaborate attacks can be avoided or stopped via appropriate cybersecurity solutions.
Let this case be a reminder that no technology is the ultimate answer for everything, and reliable cybersecurity consists of a multilayered defense combined with a prevention-first approach.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube and Twitter.