- DoubleTrouble malware is now hosted on Discord
- The malware still poses as a European bank, so users beware
- It comes with screen recording, “advanced” keylogging, and new UI overlay capabilities
Infamous Android banking trojan DoubleTrouble is now being distributed through Discord-hosted APKs, researchers have said, warning users of a “disturbing trend” towards social media platforms being used as delivery channels for malware.
DoubleTrouble is a well-known banking trojan, named for its ability to hinder static analysis by assigning “nonsensical two-word combinations” to its methods and class names.
In its early days, the malware was distributed via spoofed websites of European banks, and contained basic functionalities such as overlays to steal banking credentials, the ability to capture lock screen information, and keylogging.
A growing mobile threat
However, new findings from Zimperium’s zLabs security team claim the malware has evolved, not just in its infostealing capabilities, but also in how it is being distributed.
The recently observed variants also come with screen recording, “advanced” keylogging, and new UI overlay capabilities designed to steal credentials and manipulate infected devices.
As for delivery, DoubleTrouble still runs bogus websites, but the malware itself is hosted within Discord channels.
Once the app is installed, it deploys the actual malware in the form of an extension, or an add-on. It also uses the Google Play icon to hide in plain sight and appear trustworthy.
The final step is to ask for Accessibility Services permissions, which grants it the ability to steal all the necessary information. This is also the usual red flag for Android-borne malware and should always raise suspicion with users.
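The two traits described above (a dropper that impersonates Google Play and then asks for Accessibility Services) are visible in an app's manifest before it is ever run. The script below is an added example, not Zimperium's detection logic or any code from the report: it scans a decoded AndroidManifest.xml (text as produced by a decoder such as apktool; real APKs ship the manifest as binary XML) for an Accessibility Service declaration, a "Google Play" label on a non-Google package name, and the permission needed to install further packages. The package names, the manifest samples and the list of Google package prefixes are constructed for the example.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for traits associated in
the article with the DoubleTrouble dropper. Added example; the samples and
the allow-list below are constructed, not taken from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package prefixes that may legitimately present themselves as Google Play
# (assumption for this example, not an exhaustive list).
GOOGLE_PREFIXES = ("com.android.vending", "com.google.android.")


def android_attr(name: str) -> str:
    """ElementTree stores namespaced attributes as '{namespace}attr'."""
    return f"{{{ANDROID_NS}}}{name}"


def manifest_indicators(xml_text: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings: list[str] = []

    # Dropper trait: permission to install additional APKs (the "add-on").
    for perm in root.iterfind("uses-permission"):
        if perm.get(android_attr("name")) == "android.permission.REQUEST_INSTALL_PACKAGES":
            findings.append("can install further packages (dropper behaviour)")

    app = root.find("application")
    if app is None:
        return findings

    # Impersonation trait: Google Play label on a package Google does not own.
    label = (app.get(android_attr("label")) or "").strip()
    if "google play" in label.lower() and not package.startswith(GOOGLE_PREFIXES):
        findings.append(f"label '{label}' impersonates Google Play but package is {package}")

    # Abuse trait: a service bound as an Accessibility Service.
    for svc in app.iterfind("service"):
        if svc.get(android_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(f"declares Accessibility Service {svc.get(android_attr('name'))}")

    return findings


# Constructed manifest resembling the dropper described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Play" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for an ordinary app with none of the traits.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = manifest_indicators(manifest)
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

An Accessibility Service declaration is legitimate in screen readers and automation tools, so the findings are triage signals to combine, not a verdict on their own; the combination of all three on a sideloaded package is what matches the behaviour described above.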
“As attackers shift to mobile-first strategies and use dynamic delivery methods like Discord to evade traditional defenses, organizations need real-time, on-device protection,” said Kern Smith, VP of Solutions Engineering at Zimperium.
“DoubleTrouble is a stark reminder that mobile threats are growing more evasive and more dangerous, targeting everything from banking credentials to cryptocurrency wallets.”
As usual, the best way to defend against this type of attack is to only download apps from official repositories, and to keep the device protected with Play Protect and Android security solutions.