A sophisticated Android banking Trojan, dubbed “DoubleTrouble,” has recently expanded both its delivery methods and technical capabilities, posing a significant threat to users across Europe.
Initially spread through phishing websites impersonating major banks, the malware now distributes its payload via Discord-hosted APKs, making detection and prevention more difficult.
Researchers at Zimperium have analyzed nine samples from the current campaign and 25 from earlier variants.
In an advisory published on Wednesday, they reported that the latest version of the Trojan offers several new functions designed to steal sensitive data, manipulate device behavior and evade traditional mobile defenses.
Advanced Features Enable Real-Time Surveillance
Once installed, DoubleTrouble disguises itself as a legitimate app using a Google Play icon and prompts users to enable Android’s accessibility services. This access allows the malware to operate stealthily in the background.
A session-based installation method conceals its payload in the app’s resources/raw directory, thereby helping it evade early detection.
The latest iteration of the malware includes a range of advanced features, including:
-
Real-time screen recording through MediaProjection and VirtualDisplay APIs
-
Fake lock screen overlays to steal PINs, passwords and unlock patterns
-
Keylogging via accessibility event monitoring
-
Blocking of specific applications, especially banking or security tools
-
Phishing overlays tailored to mimic legitimate app login screens
Captured data is encoded and transmitted to a remote command-and-control (C2) server. Target data includes credentials from banking apps, password managers and crypto wallets.
By mirroring the device screen in real time, attackers can bypass multi-factor authentication and access sensitive content exactly as the user sees it.
Read more on Android malware targeting financial apps: ToxicPanda Malware Targets Banking Apps on Android Devices
Full Command Set Gives Attackers Deep Control
The Trojan responds to dozens of commands sent from its C2 server, allowing remote operators to simulate taps and swipes, trigger fake UI elements, display black or update screens and control system-level settings.
Commands such as send_password, start_graphical and block_app allow attackers to harvest information while actively obstructing the user’s actions.
Zimperium warned that DoubleTrouble’s use of obfuscation, dynamic overlays and real-time visual capture reflects a trend toward more adaptive and persistent mobile threats. Its continuous evolution and novel distribution methods mark it as a serious concern for both individual users and financial institutions.
Image credit: Marcelo Mollaretti / Shutterstock.com
