New DoubleTrouble banking trojan spreads via Discord - so be on your guard


  • DoubleTrouble malware is now hosted on Discord
  • The malware still poses as a European bank, so users beware
  • It comes with screen recording, “advanced” keylogging, and new UI overlay capabilities

Infamous Android banking trojan DoubleTrouble is now being distributed through Discord-hosted APKs, researchers have said, warning users of a “disturbing trend” towards social media platforms being used as delivery channels for malware.

DoubleTrouble is a well-known banking trojan, named for its ability to hinder static analysis by assigning “nonsensical two-word combinations” to its methods and class names.

In its early days, the malware was distributed via spoofed websites of European banks and came with basic features such as overlays to steal banking credentials, the ability to capture lock screen information, and keylogging.

A growing mobile threat

However, new findings from Zimperium’s zLabs security team claim the malware evolved, not just in its infostealing capabilities, but also in how it is being distributed.

The recently observed variants also come with screen recording, “advanced” keylogging, and new UI overlay capabilities designed to steal credentials and manipulate infected devices.

As for delivery, DoubleTrouble still runs bogus websites, but the malware itself is hosted within Discord channels.

Once the dropper app is installed, it deploys the actual malware as an extension or add-on. It also uses the Google Play icon to hide in plain sight and appear trustworthy.

The final step is to ask for Accessibility Services permissions, which give it the ability to steal all the information it needs. A request for Accessibility Services is also the usual red flag for Android malware and should always raise suspicion with users.
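The two red flags described above (an app labelled "Google Play" that is not Google's own package, and a service that binds to Accessibility Services) can be checked statically in a decoded manifest. The script below is an added illustration, not code from the article or from Zimperium; the sample manifest is constructed for the example and does not come from DoubleTrouble. Flagging REQUEST_INSTALL_PACKAGES as a sign that the app can install a further APK is an assumption about how a dropper stage looks, not something the article states.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. apktool output) for
Google Play impersonation and Accessibility Service declarations."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android: attributes

# Package names Google itself ships the Play client and services under;
# any other package carrying a "Google Play" label is impersonating it.
GENUINE_PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"  # assumption: dropper heuristic

# Constructed sample manifest for this example only (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Play" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package, its label, declared accessibility services and a
    list of human-readable findings for the decoded manifest text."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    # Note: real manifests often carry a resource reference here
    # ("@string/app_name"); resolve it from res/values before comparing.
    label = (app.get(A + "label") or "") if app is not None else ""
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    acc_services = [
        s.get(A + "name")
        for s in root.iter("service")
        if s.get(A + "permission") == ACCESSIBILITY_BIND
    ]

    findings = []
    if "google play" in label.lower() and package not in GENUINE_PLAY_PACKAGES:
        findings.append(f"label '{label}' impersonates Google Play (package {package})")
    if acc_services:
        findings.append("declares accessibility service(s): " + ", ".join(acc_services))
    if INSTALL_PERM in perms:
        findings.append("can install further APKs (REQUEST_INSTALL_PACKAGES)")

    return {
        "package": package,
        "label": label,
        "accessibility_services": acc_services,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FLAG:", line)
```

A legitimate accessibility tool will also trip the second check, so treat the findings as triage hints to combine with the app's origin (sideloaded versus Play Store) rather than as a verdict on their own.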

“As attackers shift to mobile-first strategies and use dynamic delivery methods like Discord to evade traditional defenses, organizations need real-time, on-device protection,” said Kern Smith, VP of Solutions Engineering at Zimperium.

“DoubleTrouble is a stark reminder that mobile threats are growing more evasive and more dangerous, targeting everything from banking credentials to cryptocurrency wallets.”

As usual, the best way to defend against this type of attack is to only download apps from official repositories, and to keep the device protected with Play Protect and Android security solutions.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
