Mobile Data Theft Threat Intensifies with DoubleTrouble Banking Trojan's Arrival via Discord, According to Zimperium
DoubleTrouble Mobile Banking Trojan Shifts Distribution Method to Discord
In a recent announcement, Zimperium, a leading mobile security company, has revealed new findings about a sophisticated mobile banking trojan named DoubleTrouble. The trojan, once primarily distributed through phishing sites posing as European banks, has now shifted its primary distribution method to Discord-hosted APKs [1][2][3][4][5].
This change in strategy leverages Discord’s large user base and trusted infrastructure to spread malware more widely and evade early detection by traditional security tools.
Evading Traditional Defenses
DoubleTrouble employs several sophisticated techniques to evade traditional defenses. It uses obfuscation, assigning random nonsensical two-word combinations as method and class names in its code, making static analysis and reverse engineering difficult [1][3][4].
The trojan also takes advantage of Android’s Accessibility Services, allowing it to silently control the device, capture user input, and perform malicious actions without raising suspicion [2][3][4][5].
DoubleTrouble's advanced keylogging feature records keystrokes on infected devices, while its real-time screen recording using Android MediaProjection APIs provides a detailed log of user activities [1][2][3][5].
To trick users and security tools, the actual malicious payload is hidden inside the app’s resources/raw directory, masquerading as legitimate components [3][4][5].
Stealing Credentials and Manipulating Devices
The new UI overlay capabilities of DoubleTrouble are designed to steal credentials and manipulate infected devices. It uses fake lock screens designed with open-source libraries like PatternLockView and PinLockView to steal PINs, passwords, and patterns [1][2][3][5].
Simultaneously, it blocks legitimate banking and security apps by showing fake system messages [1][2][3][5].
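As an added defender-side example (not code from Zimperium or any of the cited reports), the Python script below performs static triage of an APK for two of the indicators described in the sections above: a large, high-entropy file hidden under res/raw/ and references to the PatternLockView / PinLockView libraries inside the dex. The APK it builds is constructed sample data; the class path com/example/pinlockview and the size and entropy thresholds are assumptions.

```python
"""Static APK triage for the DoubleTrouble indicators named above (constructed
example, not Zimperium's tooling): large high-entropy files under res/raw/ (the
reported payload hiding place) and references to the PatternLockView /
PinLockView libraries (used for the fake lock-screen overlays) in classes*.dex."""
import io
import math
import zipfile
from collections import Counter

LOCKSCREEN_MARKERS = (b"PatternLockView", b"PinLockView")
ENTROPY_THRESHOLD = 7.5   # bits/byte; packed or encrypted data sits near 8.0
MIN_RAW_SIZE = 64 * 1024  # assumption: tiny raw assets (sounds, icons) are skipped

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes) -> dict:
    """Return indicator hits for an APK (a ZIP archive) supplied as raw bytes."""
    hits = {"suspicious_raw": [], "lockscreen_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("res/raw/") and info.file_size >= MIN_RAW_SIZE:
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    hits["suspicious_raw"].append((name, round(ent, 2)))
            elif name.startswith("classes") and name.endswith(".dex"):
                dex = zf.read(name)  # plain byte search; no dex parsing needed
                for marker in LOCKSCREEN_MARKERS:
                    lib = marker.decode()
                    if marker in dex and lib not in hits["lockscreen_libs"]:
                        hits["lockscreen_libs"].append(lib)
    return hits

def build_sample_apk() -> bytes:
    """Constructed stand-in APK: a uniform-byte raw asset (entropy exactly 8.0),
    a small sound file, and a dex referencing PinLockView. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0Lcom/example/pinlockview/PinLockView;")
        zf.writestr("res/raw/config.bin", bytes(range(256)) * (MIN_RAW_SIZE // 256))
        zf.writestr("res/raw/beep.ogg", b"OggS" + b"\x00" * 100)
    return buf.getvalue()
```

Both heuristics are coarse triage signals: legitimate apps also ship compressed media in res/raw and may bundle the same open-source lock-screen libraries, so hits warrant manual review rather than an automatic verdict.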
The Need for Real-Time, On-Device Protection
The evasive and dangerous nature of DoubleTrouble serves as a reminder that mobile threats are growing more complex. Kern Smith, VP of Solutions Engineering at Zimperium, emphasizes the need for real-time, on-device protection against mobile threats.
In summary, DoubleTrouble's shift to Discord for malware distribution lets it deliver infected apps reliably, while its layered technical evasions (obfuscation, Accessibility Services misuse, concealment of the payload inside the app's resources, and versatile data theft methods) help it bypass conventional mobile security solutions and make it a more effective threat to banking users and cryptocurrency wallets, primarily in Europe [1][2][3][4][5].
[1] Zimperium. (2022). DoubleTrouble Mobile Banking Trojan Now Using Discord for Distribution. [online] Available at: https://www.zimperium.com/blog/doubletrouble-mobile-banking-trojan-now-using-discord-for-distribution
[2] ThreatPost. (2022). DoubleTrouble Mobile Banking Trojan Targets Cryptocurrency Wallets. [online] Available at: https://threatpost.com/doubletrouble-mobile-banking-trojan-targets-cryptocurrency-wallets/176587/
[3] Cybersecurity Insiders. (2022). DoubleTrouble Mobile Banking Trojan: What You Need to Know. [online] Available at: https://cybersecurityinsiders.com/doubletrouble-mobile-banking-trojan-what-you-need-to-know/
[4] Help Net Security. (2022). DoubleTrouble Mobile Banking Trojan Uses Discord for Distribution. [online] Available at: https://www.helpnetsecurity.com/2022/04/13/doubletrouble-mobile-banking-trojan-uses-discord-for-distribution/
[5] BleepingComputer. (2022). DoubleTrouble Mobile Banking Trojan Now Using Discord for Distribution. [online] Available at: https://www.bleepingcomputer.com/news/security/doubletrouble-mobile-banking-trojan-now-using-discord-for-distribution/
The shift of the DoubleTrouble mobile banking trojan to Discord for distribution expands its reach by leveraging the platform's large user base and trusted infrastructure. To bypass traditional defenses, DoubleTrouble employs evasion techniques such as obfuscation, Accessibility Services misuse, and encryption, making it difficult to detect and counter. Furthermore, this malware targets finance-related data, such as online banking credentials and cryptocurrency wallet information, primarily in Europe.