New Banking Malware DoubleTrouble Attacking Users Via Phishing Sites To Steal Banking Credentials

A new Android banking trojan dubbed DoubleTrouble is targeting mobile banking users across Europe. It pairs the overlay and credential-theft tricks of earlier banking trojans with screen recording, keylogging and remote control of the device, and it has already changed distribution channels since it was first seen.

The malware initially spread through phishing websites impersonating well-known European banks; more recent samples are served from bogus websites and hosted directly within Discord channels.

DoubleTrouble combines traditional overlay attacks with full screen recording, keylogging through the accessibility service, and real-time manipulation of the device by the operator.

The dropper poses as a Google Play extension; the actual malicious payload is carried inside the app's Resources/raw directory and is deployed from there at install time.

Once installed, the malware abuses Android's Accessibility Service, a permission the victim has to grant rather than a vulnerability it exploits, to read the screen and inject input with little visible sign of activity.
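The accessibility route is also the first thing to check on a suspect device. The following Python helper is an added example, not Zimperium's analysis tooling or code from the malware: it parses the output of two adb commands, `settings get secure enabled_accessibility_services` and `pm list packages -3`, and flags third-party packages that have an accessibility service enabled. The sample command output, the package names and the trusted-vendor prefixes are constructed for the example.

```python
"""Flag third-party accessibility services on an Android device.

Added triage helper (not Zimperium's or DoubleTrouble's code). The two sample
strings imitate real adb output formats:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
The package names in them are made up for this example.
"""
import re

# Constructed output of `settings get secure enabled_accessibility_services`:
# colon-separated ComponentName strings ("package/service_class").
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.playprotect.extension/com.playprotect.extension.CoreService"
)

# Constructed output of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.playprotect.extension
package:com.example.notes
"""

# Vendor prefixes that legitimately ship accessibility services. An assumption
# for this example; tune it per device fleet.
TRUSTED_PREFIXES = ("com.google.", "com.android.", "com.samsung.")


def parse_enabled_services(raw: str) -> list:
    """Return (package, service_class) pairs from the secure setting string."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset on a clean device
        return []
    pairs = []
    for component in raw.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):           # ComponentName shorthand ".Svc"
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_third_party(raw: str) -> set:
    """Return the set of package names from `pm list packages -3` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", raw, re.M)}


def suspicious_services(enabled_raw: str, third_party_raw: str) -> list:
    """Enabled accessibility services owned by sideloaded, non-trusted packages."""
    third_party = parse_third_party(third_party_raw)
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(enabled_raw)
        if pkg in third_party and not pkg.startswith(TRUSTED_PREFIXES)
    ]


if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"REVIEW: {pkg} has accessibility service {cls} enabled")
```

On a real device, pipe the two adb commands into the parsers; any hit is worth pulling the APK for analysis, since a banking trojan cannot drive the UI without an enabled accessibility service.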

Layouts shown to the user during installation (Source – Zimperium)

Security researchers at Zimperium identified the trojan during their monitoring operations, collecting 25 samples of earlier variants and 9 samples from the current campaign.

Their analysis shows rapid change in both distribution methods and technical capabilities between the two sets of samples, making it one of the more capable banking trojans seen in recent months.

Its impact goes beyond credential theft: the feature set gives an operator near-complete control of an infected device.

DoubleTrouble can stream screen content in real time, log every keystroke, block chosen banking apps behind a fake maintenance screen, and present convincing fake lock-screen and login interfaces to harvest PINs, patterns, passwords and banking credentials.

Fake UIs created by the malware to steal the device lock-screen credentials (Source – Zimperium)

Together these features let an operator defeat app-side protections and multi-factor authentication, since any code shown on the device's screen or typed on its keyboard is visible to the malware.

Advanced Screen Recording and Data Exfiltration Mechanism

DoubleTrouble's most concerning feature is its screen recording, which is built on Android's MediaProjection and VirtualDisplay APIs.

The malware requests the screen-capture permission from a concealed activity, so the system prompt is less likely to be noticed or associated with the app.

Once permission is granted, the trojan creates a VirtualDisplay that mirrors the user's active screen in real time.

System maintenance overlay shown on top of an application to block it (Source – Zimperium)

Frames are read from the virtual display with an ImageReader, compressed to JPEG and base64-encoded.

Each encoded frame is wrapped in a JSON object together with metadata such as the screen dimensions and the image format.

The JSON payload is sent to the command-and-control server, giving the operator an unobstructed live view of everything the user does, including banking transactions, cryptocurrency operations and password manager interactions.
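The exfiltration format described above (JPEG frame, base64-encoded, wrapped in JSON with dimensions and format) is straightforward to reverse during incident response. The following Python helper is an added example, not code from the malware or from Zimperium's report: it validates messages in an assumed schema (the field names `width`, `height`, `format` and `data` are assumptions, since the page does not give the real C2 field names), checks the JPEG start and end markers, and carves frames out of a newline-delimited capture. The JPEG bytes and the messages are constructed for the example.

```python
"""Decode screen-frame exfiltration messages of the kind described above.

Added forensic helper, not DoubleTrouble's code or Zimperium's. The JSON field
names ("width", "height", "format", "data") are assumptions for the example;
the page does not give the real C2 schema. The JPEG bytes are a constructed
minimal file, not a captured frame.
"""
import base64
import hashlib
import json

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker, followed by the next marker's 0xFF
JPEG_EOI = b"\xff\xd9"       # End Of Image marker

# Constructed stand-in JPEG: SOI, a 16-byte APP0/JFIF segment, EOI. It passes
# the marker checks but contains no image data.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xd9"
)

# Constructed frame message in the assumed schema.
SAMPLE_MESSAGE = json.dumps({
    "type": "graphical",
    "width": 1080,
    "height": 2400,
    "format": "jpeg",
    "data": base64.b64encode(FAKE_JPEG).decode("ascii"),
})

# Constructed newline-delimited stream: one good frame, one non-frame message
# (a C2 ping), and one frame whose base64 payload is corrupt.
SAMPLE_STREAM = "\n".join([
    SAMPLE_MESSAGE,
    json.dumps({"type": "ping"}),
    json.dumps({"width": 1, "height": 1, "format": "jpeg", "data": "%%%"}),
])


def decode_frame(message: str) -> dict:
    """Validate one frame message and return its metadata plus the raw JPEG.

    Raises ValueError for anything that is not a well-formed JPEG frame, so a
    caller can separate real screen captures from other C2 traffic.
    """
    try:
        obj = json.loads(message)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    for key in ("width", "height", "format", "data"):
        if key not in obj:
            raise ValueError(f"missing field {key!r}")
    width, height = obj["width"], obj["height"]
    if not all(isinstance(v, int) and v > 0 for v in (width, height)):
        raise ValueError("bad dimensions")
    try:
        blob = base64.b64decode(obj["data"], validate=True)
    except ValueError as exc:        # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}") from None
    if str(obj["format"]).lower() != "jpeg":
        raise ValueError(f"unexpected format {obj['format']!r}")
    if not (blob.startswith(JPEG_SOI) and blob.endswith(JPEG_EOI)):
        raise ValueError("payload lacks JPEG SOI/EOI markers")
    return {
        "width": width,
        "height": height,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "image": blob,
    }


def carve_frames(ndjson: str):
    """Split a newline-delimited capture into decoded frames and per-line errors."""
    frames, errors = [], []
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if not line.strip():
            continue
        try:
            frames.append(decode_frame(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return frames, errors


if __name__ == "__main__":
    frames, errors = carve_frames(SAMPLE_STREAM)
    for i, frame in enumerate(frames):
        path = f"frame_{i:04d}_{frame['width']}x{frame['height']}.jpg"
        with open(path, "wb") as fh:
            fh.write(frame["image"])
        print(f"wrote {path} sha256={frame['sha256']}")
    for err in errors:
        print("skipped:", err)
```

Against a real decrypted C2 capture the field names will need adjusting to the schema recovered from the sample; the per-frame SHA-256 is there to de-duplicate the many near-identical frames a live screen mirror produces before anyone has to look at them.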

DoubleTrouble complete command set (as documented by Zimperium):

Command                  Description
home                     Wakes the device with a hidden wake lock if the screen is off, or simulates a Home button press via the accessibility service if it is on
click                    Taps an X/Y position on the screen using an accessibility gesture to simulate a touch event
swipe_path               Draws a swipe path across given screen coordinates using accessibility gestures
start_skeleton           Starts capturing a screenshot-like "skeleton" view of the current UI, renders it to a canvas and sends it as a Base64 image
stop_skeleton            Stops the skeleton capture and clears its flag
get_screen_locks         Retrieves the saved pattern, PIN and password lock types from shared preferences
ping                     Keep-alive that confirms communication with the C2
html_injection           Retrieves an HTML injection from the server and stores it in the cache folder
clear_injection_cache    Clears the saved injections in app_cache_data
get_cached_injections    Collects the cached injection HTML files recorded in shared preferences
send_pin                 Shows a fake screen to steal the PIN
send_pattern             Shows a fake screen to steal the unlock pattern
send_password            Shows a fake screen to steal the password
custom_html              Writes the 'html' string from the JSON (or 'No HTML Found!' if it is missing) into a temp.html file in the cache
block_app                Blocks the app named by the server and shows a maintenance screen over it
unblock_app              Unblocks the app
push_notification        Posts a notification with a title, content and an intent that opens either a URL or an app
start_graphical          Starts screen capture
stop_graphical           Stops screen capture
start_anti               Sets a protective flag and scans UI elements for specific text to trigger automated actions
stop_anti                Clears the protective flag and stops the automated scanning
back                     Simulates a Back button press
recent                   Simulates pressing the Recents button via the accessibility service
lock                     Simulates pressing the lock button via the accessibility service
mute                     Mutes the device audio
open_app                 Opens the package named by the server
open_properties          Opens the App Info screen for a given package in system settings
open_play_protect        Opens Google Play Protect's 'Verify Apps' settings screen, showing a toast if that activity is unavailable
get_events               Sends the saved 'beats' data as an 'events_list' JSON payload, if any exists
enable_black_on          Displays a full black screen overlay
enable_black_off         Removes the black overlay
enable_update_on         Displays a fake update overlay reading 'Device update started', 'Don't touch'
enable_update_off        Removes the update overlay
enable_html_on           Creates a full-screen overlay window containing a WebView that renders the given HTML
enable_html_off          Removes the HTML overlay
get_screen_size          Reads the screen width and height and writes them to shared preferences

Capture runs silently in the background while the user interacts with legitimate applications.

Because the malware records exactly what the user sees, the operator can intercept one-time passwords and read confidential financial data by observation alone, without compromising the banking application itself.
