A sophisticated Android banking Trojan known as “DoubleTrouble” has been causing havoc across Europe with its advanced delivery methods and technical capabilities. Originally spread through phishing websites posing as major banks, the malware has now evolved to distribute its payload via Discord-hosted APKs, making it harder to detect and prevent.
Researchers at Zimperium have conducted an in-depth analysis of nine samples from the current campaign and 25 from previous variants. In a recent advisory, they revealed that the latest version of DoubleTrouble comes equipped with new functions aimed at stealing sensitive data, manipulating device behavior, and evading traditional mobile defenses.
One of the standout features of the Trojan is its ability to conduct real-time surveillance once installed on a device. By disguising itself as a legitimate app with a Google Play icon, DoubleTrouble prompts users to enable Android’s accessibility services, allowing it to operate stealthily in the background. The malware also uses a session-based installation method to hide its payload in the app’s resources/raw directory, making early detection challenging.
The latest iteration of DoubleTrouble boasts several advanced features, including real-time screen recording through MediaProjection and VirtualDisplay APIs, fake lock screen overlays to steal PINs and passwords, keylogging via accessibility event monitoring, blocking of specific applications, and phishing overlays designed to mimic legitimate app login screens. Captured data is encrypted and sent to a remote command-and-control server, with a focus on harvesting credentials from banking apps, password managers, and crypto wallets.
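The traits described above (an accessibility service, overlay windows, MediaProjection screen capture, and a second APK tucked under res/raw for session-based installation) can be turned into a static triage check on an APK file. The Python below is an added example, not code from Zimperium or the article; the indicator strings are assumptions about what such a sample would carry, and it runs against a constructed stand-in APK rather than a real sample.

```python
import io
import zipfile

# Heuristics matched to the reported behaviour: accessibility-service abuse,
# overlay windows, session-based install, and a nested APK hidden under res/raw.
MANIFEST_INDICATORS = {
    "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "overlay_windows": "android.permission.SYSTEM_ALERT_WINDOW",
    "package_install": "android.permission.REQUEST_INSTALL_PACKAGES",
}
# MediaProjection use appears as a class descriptor in the dex string table.
DEX_INDICATORS = {"screen_capture": b"Landroid/media/projection/MediaProjection"}


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag each indicator and list res/raw entries that are really ZIP/APK files."""
    findings = {name: False for name in (*MANIFEST_INDICATORS, *DEX_INDICATORS)}
    findings["nested_apks"] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            if entry == "AndroidManifest.xml":
                # Binary AXML keeps its string pool as UTF-16LE or UTF-8, so a
                # raw substring check in both encodings avoids a full AXML parser.
                manifest = zf.read(entry)
                for name, needle in MANIFEST_INDICATORS.items():
                    findings[name] = needle.encode("utf-16-le") in manifest or needle.encode() in manifest
            elif entry.startswith("classes") and entry.endswith(".dex"):
                dex = zf.read(entry)
                for name, needle in DEX_INDICATORS.items():
                    findings[name] |= needle in dex
            elif entry.startswith("res/raw/"):
                with zf.open(entry) as fh:  # only the magic bytes are needed
                    if fh.read(4) == b"PK\x03\x04":  # a ZIP (APK) posing as a raw resource
                        findings["nested_apks"].append(entry)
    # Dropper pattern from the report: accessibility abuse plus a hidden APK.
    findings["dropper_pattern"] = findings["accessibility_service"] and bool(findings["nested_apks"])
    return findings


def build_sample_apk(suspicious: bool = True) -> bytes:
    """Constructed stand-in APK for exercising the triage; not a real sample."""
    perms = MANIFEST_INDICATORS.values() if suspicious else ["android.permission.INTERNET"]
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # the payload APK that gets hidden
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "".join(perms).encode("utf-16-le"))
        z.writestr("classes.dex", b"dex\n035\x00" + DEX_INDICATORS["screen_capture"] * suspicious)
        z.writestr("res/raw/update.bin", inner.getvalue() if suspicious else b"RIFF")
    return outer.getvalue()
```

Substring matching on the binary manifest and dex is a fast first pass for a scanner or sandbox pipeline; a hit should be confirmed with a proper AXML/dex parser, since a permission string can also appear in a legitimate accessibility or screen-sharing app.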
Furthermore, the Trojan responds to a wide range of commands sent from its C2 server, giving attackers deep control over the infected device. These commands allow remote operators to simulate taps and swipes, trigger fake UI elements, display black screens or fake update screens, and manipulate system-level settings. Zimperium highlighted that DoubleTrouble’s use of obfuscation, dynamic overlays, and real-time visual capture signifies a shift towards more adaptive and persistent mobile threats. Its continuous evolution and innovative distribution methods make it a significant threat to both individual users and financial institutions.
In conclusion, DoubleTrouble poses a serious risk to Android users, especially those in Europe, due to its sophisticated features and stealthy distribution methods. It is crucial for individuals and organizations to stay vigilant and employ robust security measures to protect against such advanced malware attacks.
Image credit: Marcelo Mollaretti / Shutterstock.com