Zimperium, the world's pioneer in mobile security, announced new findings from its zLabs team on an evolving mobile banking trojan dubbed DoubleTrouble.
The malware, which disguises itself using random two-word method names, has rapidly grown in sophistication—adding screen recording, advanced keylogging, and new UI overlay capabilities designed to steal credentials and manipulate infected devices.
Discord-hosted APKs
Initially spread via phishing sites posing as European banks, DoubleTrouble now leverages Discord-hosted APKs
Originally spread through phishing sites posing as European banks, DoubleTrouble now leverages Discord-hosted APKs to distribute malware in its latest campaign. This shift marks a disturbing trend toward social media platforms being used as delivery channels for mobile malware.
Using obfuscation techniques and Android’s Accessibility Services, DoubleTrouble bypasses traditional detection methods and silently performs a range of malicious actions, including:
- Stealing lock screen credentials using fake UI overlays
- Recording screen content to capture usernames, passwords, and OTPs
- Blocking legitimate banking and security apps with fake “system maintenance” messages
- Logging every keystroke in real time
- Mimicking trusted apps with tailored HTML overlays to phish sensitive data
Dynamic delivery methods
“As attackers shift to mobile-first strategies and use dynamic delivery methods like Discord to evade traditional defences, organisations need real-time, on-device protection,” said Kern Smith, VP of Solutions Engineering at Zimperium.
“DoubleTrouble is a stark reminder that mobile threats are growing more evasive and more dangerous, targeting everything from banking credentials to cryptocurrency wallets.”