New Banking Malware DoubleTrouble Attacking Users Via Phishing Sites To Steal Banking Credentials


A sophisticated new banking trojan dubbed DoubleTrouble has emerged as a significant threat to mobile users across Europe, employing advanced evasion techniques and expanding its attack surface through novel distribution channels.

The malware initially spread through phishing websites impersonating well-known European banking institutions, but has recently evolved to leverage bogus websites hosting malicious samples directly within Discord channels.

DoubleTrouble represents a concerning evolution in mobile banking malware, combining traditional overlay attacks with cutting-edge capabilities including comprehensive screen recording, advanced keylogging, and real-time device manipulation.


The trojan’s sophisticated approach involves disguising itself as legitimate Google Play extensions while secretly deploying its malicious payload from the app’s Resources/raw directory.

Once installed, the malware exploits Android’s Accessibility Services to execute fraudulent activities with unprecedented stealth and effectiveness.
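The dropper behaviour described above (a second, hidden APK shipped inside the installer's res/raw resources) is something a triage analyst can check for without running the sample. The following Python script is an added example written for this article; it is not Zimperium's code and not a DoubleTrouble artefact. It treats any res/raw entry that is itself a ZIP containing an AndroidManifest.xml and a dex file (dex magic "dex\n") as an embedded APK, regardless of the file extension the dropper gives it. The sample APK it builds in memory, including the entry name res/raw/update.bin, is constructed for the demonstration.

```python
import io
import zipfile

# Every classes.dex begins with the magic bytes "dex\n" followed by a version string.
DEX_MAGIC = b"dex\n"


def is_apk_like(data: bytes) -> bool:
    """True if `data` is a ZIP archive carrying an Android manifest and a genuine dex file."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = inner.namelist()
            dex_names = [n for n in names if n.endswith(".dex")]
            if "AndroidManifest.xml" not in names or not dex_names:
                return False
            # A file merely named classes.dex is not enough; confirm the magic bytes.
            return inner.read(dex_names[0]).startswith(DEX_MAGIC)
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(apk_bytes: bytes, prefix: str = "res/raw/") -> list:
    """Return the names of entries under `prefix` that are themselves APK-like archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            if is_apk_like(outer.read(info.filename)):
                hits.append(info.filename)
    return hits


def _zip_bytes(entries: dict) -> bytes:
    """Pack a {name: bytes} mapping into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk(embed_payload: bool) -> bytes:
    """Constructed sample (not a real malware file): a minimal outer APK that optionally
    carries a second APK in res/raw under an innocuous-looking name."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 64
    inner = _zip_bytes({"AndroidManifest.xml": b"<manifest/>", "classes.dex": fake_dex})
    entries = {
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": fake_dex,
        "res/raw/sound.ogg": b"OggS" + b"\x00" * 32,  # an ordinary raw resource
    }
    if embed_payload:
        entries["res/raw/update.bin"] = inner  # hypothetical name for the hidden payload
    return _zip_bytes(entries)


if __name__ == "__main__":
    print("dropper sample:", find_embedded_apks(build_sample_apk(True)))
    print("clean sample:  ", find_embedded_apks(build_sample_apk(False)))
```

To use it on a real file, pass `open("app.apk", "rb").read()` to `find_embedded_apks`. A hit under res/raw is not proof of malice on its own (some legitimate apps bundle plugin APKs), but combined with an accessibility service declaration and overlay permissions it is exactly the pattern this article describes and a strong reason to escalate.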

Layouts shown to the user during installation (Source – Zimperium)

Security researchers at Zimperium identified this banking trojan during extensive monitoring operations, collecting 25 samples of earlier variants and 9 samples from the current campaign.

The research team’s analysis revealed the malware’s rapid evolution in both distribution methods and technical capabilities, marking it as one of the most sophisticated banking trojans observed in recent months.

The malware’s impact extends beyond traditional credential theft, incorporating features that enable attackers to gain complete control over infected devices.

DoubleTrouble can capture screen content in real-time, monitor every keystroke, block legitimate banking applications, and present convincing fake interfaces designed to harvest sensitive financial information.

Fake UIs created by the malware to steal the device lockscreen (Source – Zimperium)

These capabilities position the malware as a formidable threat capable of bypassing modern security measures and multi-factor authentication systems.

Advanced Screen Recording and Data Exfiltration Mechanism

DoubleTrouble’s most concerning feature lies in its sophisticated screen recording capability, which leverages Android’s MediaProjection and VirtualDisplay APIs to achieve comprehensive visual surveillance.

The malware initiates this process by requesting screen capture permissions through a carefully concealed activity, minimizing the likelihood of user detection.

Once permission is granted, the trojan creates a virtual display that functions as a real-time mirror of the user’s active screen.

System maintenance overlay shown on top of the application to block it (Source – Zimperium)

The technical implementation involves utilizing an ImageReader to capture individual frames from the virtual display, which are subsequently converted to JPEG format and encoded into base64 strings.

This encoded visual data is then encapsulated within JSON objects containing metadata such as screen dimensions and image format specifications.

The complete payload is transmitted to the command and control server, providing attackers with an unobstructed view of all user activities including banking transactions, cryptocurrency operations, and password manager interactions.
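The exfiltration format described in the preceding paragraphs (a base64-encoded JPEG frame wrapped in JSON alongside screen dimensions) gives a network defender something concrete to look for in outbound HTTP bodies. The Python detector below is an added example for this article, not code from Zimperium or from the malware. Because the article does not name the JSON keys, the check is key-agnostic: it decodes every base64-looking string and tests for the JPEG start-of-image marker, and counts integer fields in a plausible pixel range as dimensions. The two sample bodies, their key names and the header-only "image" bytes are all constructed for the demonstration.

```python
import base64
import binascii
import json

# Every JPEG begins with the SOI marker FF D8 followed by an FF-prefixed segment marker.
JPEG_SOI = b"\xff\xd8\xff"


def _decoded_jpeg(value: str):
    """Return the decoded bytes if `value` is base64 text that decodes to a JPEG, else None."""
    if len(value) < 16:  # too short to hold even a JPEG header
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(JPEG_SOI) else None


def _walk(obj):
    """Yield every scalar leaf in a nested JSON structure."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)
    else:
        yield obj


def looks_like_screen_exfil(body: str) -> dict:
    """Score one JSON request body for the screen-capture exfiltration pattern."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"jpeg": False, "dimensions": False, "verdict": False}
    leaves = list(_walk(doc))
    jpeg = any(isinstance(v, str) and _decoded_jpeg(v) is not None for v in leaves)
    # Two or more integers in a plausible pixel range stand in for width/height,
    # whatever key names a given sample uses (bool is excluded: it subclasses int).
    dims = [v for v in leaves if isinstance(v, int) and not isinstance(v, bool) and 200 <= v <= 8192]
    dimensions = len(dims) >= 2
    return {"jpeg": jpeg, "dimensions": dimensions, "verdict": jpeg and dimensions}


# Constructed samples; the key names are assumptions, not the malware's real schema.
_FAKE_JPEG = JPEG_SOI + b"\xe0" + bytes(range(64))          # header-only stand-in image
_FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40              # non-JPEG base64 content

SAMPLE_EXFIL = json.dumps({
    "type": "screen", "width": 1080, "height": 2340, "format": "jpeg",
    "data": base64.b64encode(_FAKE_JPEG).decode(),
})
SAMPLE_BENIGN = json.dumps({
    "user": "alice", "width": 1080, "height": 2340,
    "avatar": base64.b64encode(_FAKE_PNG).decode(),
})

if __name__ == "__main__":
    for label, body in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN)):
        print(label, looks_like_screen_exfil(body))
```

In a proxy or NDR pipeline this would run only on POST bodies from mobile user agents to domains outside an allow-list; a lone JPEG upload is normal traffic, which is why the verdict requires both the image and the dimension metadata, and why a real deployment would add a rate condition (repeated frames to the same host within seconds) before alerting.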

DoubleTrouble Complete Command Set:

home: Wakes the device using a hidden wake lock if the screen is off, or simulates a Home button press via Accessibility if the screen is on
click: Clicks on an X and Y position on the screen via an Accessibility service gesture to simulate touch events
swipe_path: Draws a path across specific screen coordinates using accessibility or touch automation
start_skeleton: Starts capturing a screenshot-like skeleton view of the current UI, renders it to a canvas, and sends it as a Base64 image
stop_skeleton: Stops sending and sets the flag to false
get_screen_locks: Retrieves saved pattern, PIN, and password lock types from shared preferences
ping: Pings the C2 to establish communication
html_injection: Retrieves the HTML injection from the server and stores it in the cache folder
clear_injection_cache: Clears the saved injection in app_cache_data
get_cached_injections: Collects cached injection data HTML files stored in shared preferences
send_pin: Shows a fake screen to steal the PIN
send_pattern: Shows a fake screen to steal the pattern
send_password: Shows a fake screen to steal the password
custom_html: Writes the ‘html’ string from the JSON, or ‘No HTML Found!’ if missing, into a temp.html file in the cache
block_app: Blocks a particular app received from the server and shows a maintenance screen
unblock_app: Unblocks the app
push_notification: Posts a notification with a title, content, and an intent to open either a URL or an app
start_graphical: Starts screen capture
stop_graphical: Stops screen capture
start_anti: Enables a protective flag and scans UI elements for specific text to trigger automated actions
stop_anti: Disables the protective flag and stops automated scanning
back: Simulates a back button press
recent: Simulates a Home button press via the accessibility service
lock: Simulates pressing the Recents button via the accessibility service
mute: Mutes the audio on the device
open_app: Opens a particular package received from the server
open_properties: Opens the App Info screen for a specific package in system settings
open_play_protect: Opens Google Play Protect’s ‘Verify Apps’ settings screen, and shows a toast if the activity isn’t available
get_events: Sends a JSON payload containing the saved ‘beats’ data as an ‘events_list’ command if the data exists
enable_black_on: Displays a full black screen overlay
enable_black_off: Removes the black overlay view
enable_update_on: Displays a fake update overlay with the messages ‘Device update started’ and ‘Don’t touch’
enable_update_off: Removes the update overlay
enable_html_on: Creates an overlay window that covers the entire screen and shows a WebView inside it with the given HTML content
enable_html_off: Removes the overlay view
get_screen_size: Gets the screen width and height and writes them to shared preferences

This surveillance mechanism operates silently in the background, capturing sensitive information as users interact with legitimate applications.

The malware’s ability to record exactly what users see enables attackers to bypass traditional security measures, intercept one-time passwords, and gain access to highly confidential financial data through visual observation rather than direct application compromise.
