New DoubleTrouble Banking Malware Exploits Users via Phishing Sites to Steal Credentials

A sophisticated new Android banking trojan, dubbed “DoubleTrouble,” has rapidly evolved in both its distribution channels and technical capabilities, posing a severe threat to users across Europe.

Originally detected being distributed via phishing websites impersonating reputable European banks, the malware has recently shifted to leveraging bogus domains that drop malicious payloads directly within Discord channels.

The zLabs security research team has collected 25 samples of the previous variant and identified nine new samples, both droppers and payloads, associated with this ongoing campaign, marking a troubling expansion of both reach and feature set.

Deceptive Social Engineering

Technically, DoubleTrouble employs an advanced obfuscation strategy designed to frustrate static analysis, with method and class names replaced by apparently random two-word combinations.

Its core infection vector is the abuse of Android’s Accessibility Services, an approach heavily favored by modern mobile banking malware.

Unlike unsophisticated droppers, DoubleTrouble utilizes a session-based installation method, where the real malicious payload is concealed in the app’s resources directory.
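A dropper that carries its real payload as a resource leaves a recognisable trace: a ZIP archive (which is what an APK is) sitting inside the outer APK's res/ or assets/ tree. The triage check below is an added example written for this article, not zLabs code and not taken from the samples; the APK it inspects is constructed in memory, and the entry name res/raw/payload.bin is an assumption chosen for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty ZIP/APK
DROP_DIRS = ("res/", "assets/")    # where a dropper would hide a nested APK


def find_embedded_archives(apk_bytes: bytes) -> list[str]:
    """Return names of res/ or assets/ entries whose content is itself a ZIP archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(DROP_DIRS):
                continue
            with apk.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))   # only the magic bytes are needed
            if head == ZIP_MAGIC:
                hits.append(info.filename)
    return hits


def build_sample_apk(with_payload: bool = True) -> bytes:
    """Constructed sample: a minimal APK-like ZIP, optionally hiding a nested archive under res/raw/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")      # placeholder, not real bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")  # a PNG header, not flagged
        if with_payload:
            z.writestr("res/raw/payload.bin", inner.getvalue())   # nested archive (the tell)
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_archives(build_sample_apk()))   # ['res/raw/payload.bin']
```

Run it against a real APK by passing the file's bytes to find_embedded_archives; a hit in res/ or assets/ is not proof of malice on its own (some legitimate apps bundle ZIP data), but it is a cheap first filter before opening the nested archive in a sandbox.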

Adopting the familiar Google Play icon, the app masquerades as a browser extension or add-on, lulling victims into a false sense of trust.

After launch, it aggressively prompts the user to grant Accessibility Service permissions, a pivotal step for executing its full array of malicious actions.
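Because the Accessibility grant is the step everything else depends on, a fleet-wide audit of which packages hold it is a practical detection point. The snippet below is an added example for this article, not code from zLabs or from the malware: it parses the colon-separated value returned by adb shell settings get secure enabled_accessibility_services and reports any service whose package is not on an allowlist. The sample setting string and the package com.example.addon are constructed; the TalkBack package name is the real one.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services` output.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.addon/.qwer.SlowBird"          # fake "browser add-on", relative class name
)

# Packages the organisation has vetted to hold the accessibility privilege (assumed allowlist).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs."""
    pairs = []
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):         # Android allows a class name relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_services(setting: str, allowlist=ALLOWLIST) -> list[tuple[str, str]]:
    """Services enabled on the device whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting) if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING):
        print(f"review accessibility grant: {pkg} ({cls})")
```

On a managed device the same value is exposed through the MDM's settings inventory, so the parser can be pointed at that feed instead of adb; an unknown package with the grant, installed outside the managed store, is the combination worth escalating.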

Once operational, DoubleTrouble turns the infected device into a digital surveillance hub. The latest builds integrate a spectrum of potent commands delivered by the attacker’s remote command and control (C2) infrastructure.

The trojan overlays convincing fake UI screens using open-source libraries like PatternLockView and PinLockView to harvest lock screen patterns, PINs, or passwords.

Image: fake UIs created by the malware to steal the device lock screen credentials

These credentials are temporarily stored in SharedPreferences before exfiltration to the attackers.

A key innovation in DoubleTrouble is its sophisticated screen capture functionality, which capitalizes on Android’s MediaProjection and VirtualDisplay APIs.

After surreptitiously securing user permission, the malware creates a real-time virtual clone of the device’s display, capturing individual frames with ImageReader.

These snapshots are compressed, encoded, packaged with contextual metadata, and then stealthily transmitted to the C2 server.

Such real-time screen scraping can jeopardize user privacy at multiple levels, intercepting passwords, OTPs, and content from financial apps, password managers, and cryptocurrency wallets.

The malware can also actively hinder device use by monitoring for the launch of targeted applications and displaying an intrusive “System Maintenance Notice” overlay, effectively blocking access.

Image: monitoring the foreground applications

Security researchers believe this serves as a precursor to subsequent overlay attacks, further demonstrating DoubleTrouble’s sophisticated interception mechanisms.

Keylogging and Traditional Overlay Attacks

According to the report, DoubleTrouble’s keylogger meticulously records every keystroke and tracks window/application changes through Accessibility-generated events.

This information is silently logged to dedicated SharedPreferences files such as heart_beat.xml for keystrokes, and companion files for application tracking.
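For an incident responder who has pulled an infected app's shared_prefs directory, the keystroke store is just Android's standard SharedPreferences XML and can be decoded with the standard library. The parser below is an added example for this article, not zLabs code; the file name heart_beat.xml comes from the report, but the key names and values inside the constructed sample are assumptions, since the article does not describe the file's layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Android's SharedPreferences XML layout; key names are assumptions.
SAMPLE_HEART_BEAT = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="buffer">sample keystroke text</string>
    <long name="last_flush" value="1720000000" />
    <boolean name="uploaded" value="false" />
    <set name="seen_windows">
        <string>com.example.bank</string>
    </set>
</map>
"""

# File name the report associates with keystroke storage.
KEYLOG_FILES = {"heart_beat.xml"}


def parse_shared_prefs(xml_text: str) -> dict:
    """Decode a SharedPreferences XML document into a Python dict, honouring each value type."""
    root = ET.fromstring(xml_text.encode("utf-8"))   # bytes, so the encoding declaration is respected
    out = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            out[name] = el.text or ""
        elif el.tag in ("int", "long"):
            out[name] = int(el.get("value"))
        elif el.tag == "float":
            out[name] = float(el.get("value"))
        elif el.tag == "boolean":
            out[name] = el.get("value") == "true"
        elif el.tag == "set":
            out[name] = {s.text or "" for s in el.findall("string")}
    return out


def triage_prefs_dir(files: dict[str, str]) -> dict[str, dict]:
    """files maps file name -> XML text as pulled from /data/data/<pkg>/shared_prefs/; returns decoded keylog files only."""
    return {name: parse_shared_prefs(text) for name, text in files.items() if name in KEYLOG_FILES}


if __name__ == "__main__":
    print(triage_prefs_dir({"heart_beat.xml": SAMPLE_HEART_BEAT, "settings.xml": "<map/>"}))
```

Whatever the malware's actual key names turn out to be, the decoder returns every entry, so the analyst sees the buffered keystrokes and any timestamps or upload flags without guessing the schema in advance.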

Alongside new capabilities, DoubleTrouble continues to deploy time-tested data stealing techniques, such as crafting elaborate overlay screens mimicking “Account Verification” forms atop legitimate apps.

These overlays prompt victims to divulge usernames, passwords, and financial details, which are then cached and sent to the attackers’ infrastructure.

The malware boasts an unusually broad set of C2 commands, empowering attackers to control virtually every aspect of the infected device: simulating touch events and gestures, capturing UI skeletons, performing HTML injection, blocking or unblocking specific apps, issuing push notifications, opening apps or system settings, muting audio, and even overlaying full black or “update in progress” screens to mask ongoing malicious actions.

The rapid evolution of DoubleTrouble underscores the increasing technical sophistication of banking malware, and its potential for widespread data compromise.

By combining advanced social engineering, abuse of Android APIs, and an extensive C2 command arsenal, DoubleTrouble exemplifies the next generation of mobile banking threats.

Users are strongly encouraged to avoid installing unknown extensions, grant minimal permissions, and maintain up-to-date security tools to mitigate the risk of compromise.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
