It’s not stealing anything because Apple revoked the developer certificate for this app.

It also required the user to “sideload” the app as part of device management enrollment. Not something the average user would be doing.

Tom’s Guide has shit reporting. This was the same site that repeated the bogus DDoS smart toothbrushes story. And they’re at it again with more sensationalism.

From something more reputable:

The use of the victims’ faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.

It is essential to clarify that while GoldPickaxe can steal images from iOS and Android phones showing the victim’s face and trick the users into disclosing their face on video through social engineering, the malware does not hijack Face ID data or exploit any vulnerability on the two mobile OSes.

More from bleeping computer:

A new iOS and Android trojan named ‘GoldPickaxe’ employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access.

Now, don’t get me wrong, you should take malware and social engineering attacks seriously. But get your information from sites that do real security journalism.

If you have to con someone into installing an MDM profile, it’s probably just easier to con them into handing over their credit card info.

Also, this is not the first time a Trojan hit iOS. It is rare, but it has happened before. Example: en.wikipedia.org/wiki/XcodeGhost