New DoubleTrouble Banking Malware Targets Users Through Phishing Sites to Steal Credentials
Researchers at zLabs have been closely monitoring the DoubleTrouble banking trojan, a rapidly evolving malware strain that has shifted its tactics to exploit unsuspecting users across Europe.
Initially disseminated via phishing websites mimicking reputable banks, the trojan has now adapted to more insidious distribution methods, including bogus sites and samples hosted directly in Discord channels.
This pivot not only broadens its reach but also enhances its evasion capabilities, with zLabs collecting 25 samples of prior variants and nine from the current campaign, including droppers and payloads.
The malware’s core strength lies in its abuse of Android’s Accessibility Services, employing session-based installation to bypass permission restrictions.
By concealing its payload in the app’s Resources/raw directory and masquerading as a legitimate extension with the Google Play icon, DoubleTrouble tricks users into granting access, enabling background operations like data theft and device control.
Static analysis is further complicated by obfuscation techniques that assign nonsensical two-word names to methods and classes, making reverse engineering a formidable challenge.
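The packaging trick described above (a payload tucked into the app's res/raw directory and installed later through a session-based install) can be triaged offline with a simple heuristic. The following is an added example, not code from the zLabs report: it walks an APK's res/raw entries and flags any that carry a DEX file or a nested APK-style zip containing classes.dex. The sample APK is constructed inline, and a hit means "inspect further", not "malicious".

```python
import io
import zipfile

# Magic bytes checked at the start of each res/raw entry.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


def find_embedded_payloads(apk_bytes: bytes) -> list:
    """Return (entry_name, kind) for res/raw entries that look like code.

    kind is "dex" for a raw DEX file and "nested-apk" for a zip that
    itself holds classes.dex. Heuristic triage only.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("res/raw/"):
                continue
            data = apk.read(name)
            if data.startswith(DEX_MAGIC):
                hits.append((name, "dex"))
            elif data.startswith(ZIP_MAGIC):
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        if "classes.dex" in inner.namelist():
                            hits.append((name, "nested-apk"))
                except zipfile.BadZipFile:
                    pass  # not a readable zip; ignore
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample (not a real malware artifact): an APK-like zip whose
    res/raw holds a nested zip with classes.dex next to a benign-looking file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00")
        z.writestr("res/raw/update.bin", inner.getvalue())  # hidden payload
        z.writestr("res/raw/ringtone.ogg", b"OggS" + b"\x00" * 8)  # benign
    return outer.getvalue()


if __name__ == "__main__":
    for entry, kind in find_embedded_payloads(build_sample_apk()):
        print(f"{entry}: embedded {kind}")
```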
Advanced Capabilities for Credential Theft
The latest iteration of DoubleTrouble introduces a suite of enhanced features that elevate its threat level, focusing on comprehensive data exfiltration and user manipulation.
Leveraging open-source libraries such as PatternLockView and PinLockView, the malware deploys fake lock screens to capture PINs, patterns, or passwords, storing them in SharedPreferences before transmitting to a command-and-control (C2) server.
Its screen recording functionality exploits Android’s MediaProjection and VirtualDisplay APIs to create a mirrored display, capturing frames via ImageReader, converting them to base64-encoded JPEGs within JSON payloads enriched with metadata like screen dimensions.
This allows attackers real-time visibility into sensitive activities, including OTP entry, cryptocurrency wallet interactions, and banking app usage, effectively circumventing multi-factor authentication.
Additionally, DoubleTrouble monitors foreground applications to block targeted ones such as banking or security apps by overlaying deceptive “System Maintenance Notice” screens, potentially priming devices for subsequent overlay attacks.
An advanced keylogger tracks keystrokes through TYPE_VIEW_TEXT_CHANGED and TYPE_VIEW_TEXT_SELECTION_CHANGED events, logging data to files like heart_beat.xml, while maintaining records of launched and installed apps in launched_apps.xml and sent_apps.xml.
Extensive Command Set
DoubleTrouble’s C2-driven command repertoire underscores its versatility, enabling attackers to execute actions like simulating touch gestures (click, swipe_path), managing screen captures (start_graphical, stop_graphical), and injecting HTML overlays (html_injection, custom_html).
Commands such as block_app and unblock_app facilitate app interference, while push_notification delivers deceptive alerts to open URLs or apps.
Protective mechanisms include anti-analysis flags (start_anti, stop_anti) that scan UI elements for threats, and overlays like full black screens (enable_black_on) or fake updates (enable_update_on) to obscure activities.
Traditional overlays persist, presenting phony “Account Verification” forms over apps like the Play Store to harvest credentials, cached locally before exfiltration.
According to the report, other utilities include device manipulation commands (home, back, recent, lock, mute) and data retrieval (get_screen_locks, get_events, get_screen_size), ensuring persistent control.
This malware’s sophistication poses significant risks to Android users, highlighting the need for vigilance against phishing and unauthorized app permissions.
As threats like DoubleTrouble continue to evolve, security experts urge regular updates and cautious interaction with unsolicited links or Discord-hosted content to mitigate credential theft and financial fraud.