A powerful Android banking Trojan known as DoubleTrouble has recently evolved, expanding both its attack surface and technical capabilities. This threat now affects banking users across Europe with greater reach and stealth.
Originally distributed through phishing websites mimicking major financial institutions, the malware has shifted to a more elusive delivery method: APK files hosted on Discord channels. This change complicates detection by traditional mobile security tools.
New Features, Same Objective: Steal and Control
Researchers at cybersecurity firm Zimperium have analyzed multiple versions of DoubleTrouble, including nine from the latest campaign. Their analysis shows that the malware has become more versatile and evasive, focusing on stealing sensitive data, hijacking user behavior, and avoiding detection.
Once on a device, DoubleTrouble masquerades as a legitimate app, often using a Google Play icon to appear trustworthy. It prompts users to activate Android Accessibility Services, granting it extensive control.
By hiding its malicious payload within the app’s internal directories, DoubleTrouble avoids triggering early alarms during installation. This stealthy approach allows the malware to quietly gain control in the background.
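The two traits described above, a sideloaded APK (Discord-hosted rather than Play-installed) that then asks for Accessibility Services, can be correlated in a triage script. The following is an added example, not code from the article or from Zimperium; it parses the output of two standard adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags packages that hold accessibility access without having come from the Play Store. The sample command output and all package names except com.android.vending are constructed for this example.

```python
"""Triage heuristic: flag packages that (a) own an enabled Accessibility
Service and (b) were not installed by the Play Store, i.e. were sideloaded.
Inputs are the text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample output of `settings get secure enabled_accessibility_services`.
# Real format: colon-separated entries of <package>/<service class>.
SAMPLE_ENABLED_SERVICES = (
    "com.example.screenreader/com.example.screenreader.MainService:"
    "com.update.playservice/.Accessibility"
)

# Constructed sample output of `pm list packages -i` (package names are hypothetical).
SAMPLE_PACKAGE_LIST = """package:com.example.screenreader  installer=com.android.vending
package:com.update.playservice  installer=null
package:com.android.chrome  installer=com.android.vending
"""


def parse_enabled_services(raw):
    """Return the set of package names that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def suspicious_accessibility_packages(services_raw, packages_raw):
    """Packages with accessibility access that were not installed from the Play Store."""
    installers = parse_installers(packages_raw)
    return sorted(pkg for pkg in parse_enabled_services(services_raw)
                  if installers.get(pkg) != PLAY_STORE_INSTALLER)


if __name__ == "__main__":
    for pkg in suspicious_accessibility_packages(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print("review accessibility grant:", pkg)
```

A hit is a starting point for review, not a verdict: legitimate sideloaded apps (enterprise MDM, F-Droid) will also appear and should be allowlisted per fleet.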
Key capabilities now include:
- Live screen recording using MediaProjection and VirtualDisplay APIs
- Fake lock screens to capture PINs, patterns, and passwords
- Keylogging through accessibility event tracking
- Blocking apps, especially banking and security tools
- Phishing overlays that closely mimic real app login screens
All collected information is encoded and transmitted to a remote command-and-control (C2) server, including credentials from banking apps, password managers, and crypto wallets. With real-time screen mirroring, attackers can bypass multi-factor authentication (MFA) and access sensitive content just as the user sees it.
Remote Commands Grant Full Control
The malware can execute a wide array of commands sent from its C2 server, giving attackers deep, persistent control over infected devices. These commands simulate taps and gestures, display false screens, and even manipulate system settings.
Notable commands include:
- send_password – to exfiltrate login data
- start_graphical – to enable visual monitoring
- block_app – to restrict access to targeted apps
Zimperium warns that DoubleTrouble represents a new level of mobile threat sophistication, combining code obfuscation, dynamic overlays, and live screen capture to stay hidden and effective.
With its ongoing evolution and distribution through trusted platforms like Discord, DoubleTrouble underscores the urgent need for stronger mobile security practices, especially for organizations and individuals handling financial data.
Source: https://www.infosecurity-magazine.com/news/android-malware-targets-banks-via