Zimperium has announced new findings from its zLabs team on an evolving mobile banking trojan dubbed DoubleTrouble.
The malware, which disguises itself using random two-word method names, has rapidly grown in sophistication—adding screen recording, advanced keylogging, and new UI overlay capabilities designed to steal credentials and manipulate infected devices.
Originally spread through phishing sites posing as European banks, DoubleTrouble now leverages Discord-hosted APKs to distribute malware in its latest campaign. This shift marks a disturbing trend toward social media platforms being used as delivery channels for mobile malware.
Using obfuscation techniques and Android’s Accessibility Services, DoubleTrouble bypasses traditional detection methods and silently performs a range of malicious actions, including:
- Stealing lock screen credentials using fake UI overlays
- Recording screen content to capture usernames, passwords, and OTPs
- Blocking legit banking and security apps with fake “system maintenance” messages
- Logging every keystroke in real time
- Mimicking trusted apps with tailored HTML overlays to phish sensitive data
Dynamic delivery methods
“As attackers shift to mobile-first strategies and use dynamic delivery methods like Discord to evade traditional defenses, organizations need real-time, on-device protection,” said Kern Smith, VP of Solutions Engineering at Zimperium.
“DoubleTrouble is a stark reminder that mobile threats are growing more evasive and more dangerous, targeting everything from banking credentials to cryptocurrency wallets.”
