Skip to content

GoldPickaxe Returns When Your Biometric Information Is as Im...#2492

Open
carlospolop wants to merge 1 commit into
masterfrom
update_GoldPickaxe_Returns_When_Your_Biometric_Informat_f028b0bccbdfa461
Open

GoldPickaxe Returns When Your Biometric Information Is as Im...#2492
carlospolop wants to merge 1 commit into
masterfrom
update_GoldPickaxe_Returns_When_Your_Biometric_Informat_f028b0bccbdfa461

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Overview and impact

Zimperium zLabs analyzed a new Android variant of GoldPickaxe, an advanced mobile banking Trojan attributed to GoldFactory, a cybercrime group active in the APAC region. The campaign is distributed through phishing infrastructure spoofing KuaiBo, a Chinese video streaming/media player platform, and tricks users into manually installing a malicious Android application. Zimperium telemetry identified 19 unique samples across Indonesia, Ma...

🔧 Technical Details

Low-footprint Android dropper chain: A mobile Trojan can reduce initial detection by shipping a minimal Dropper APK and keeping the full malicious feature set out of the first installed package. After execution, the dropper installs a secondary payload through Android's legitimate SessionInstaller API, blending into normal package installation flows and helping bypass modern sideloading and Accessibility-related restrictions.

Encrypted dynamic DEX loading: Malicious Android logic can be stored as an encrypted file such as payload_dex.bin and only decrypted at runtime. In this case, the malware uses AES and retrieves cryptographic material from APK-packaged files named dex_IV.bin and dex_key.bin. The decrypted DEX is dynamically loaded into memory, preventing static scanners from inspecting the real code unless they reproduce the decryption and class-loading path.

Packer reuse across dropper and payload: When both...

🤖 Agent Actions

Done — I updated:

  • src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md

Added concise, non-duplicative coverage for:

  • launcher entry suppression (MAIN / LAUNCHER omission)
  • malformed manifest anti-analysis against jadx / apktool
  • activity-alias deception / legacy component indirection
  • AES-encrypted staged DEX blobs like payload_dex.bin with separate dex_IV.bin / dex_key.bin
  • native C2 crypto with per-request IVs
  • installed-app profiling + icon reuse for targeted phishing

Also updated the file’s ## References section with the GoldPickaxe sources.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zimperium.com/blog/goldpickaxe-returns-when-your-biometric-information-is-as-important-as-your-money

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting / Basic Forensic Methodology -> Android Malware Post-Exploitation; possibly update pages on Accessibility Services Abuse, Android anti-analysis/anti-instrumentation, dynamic DEX loading, overlay phishing, and Media Projection abuse".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant