Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed

zLabs tracked a rapidly evolving Android banker trojan, known as DoubleTrouble, that shifted distribution from phishing websites impersonating European banks to Discord-hosted APKs and expanded its capabilities. The malware abuses Android Accessibility Services, hides payloads in Resources/raw, performs screen recording and overlays to steal PINs/patterns/passwords, and exfiltrates captured data to a C2 over an encrypted channel. #DoubleTrouble #Discord

Key points

  • zLabs observed a shift in distribution from phishing sites to Discord-hosted APKs and collected 25 samples of the previous variant and 9 samples (droppers and payloads) from the current campaign.
  • The malware uses heavy code obfuscation (nonsensical two-word method/class names and packers like JSONPacker) to hinder static analysis.
  • It abuses Android Accessibility Services via a session-based installation, hiding the malicious payload in Resources/raw and masquerading with a Google Play icon to appear legitimate.
  • New features include comprehensive screen recording (MediaProjection + VirtualDisplay + ImageReader → JPEG → base64 → JSON), UI overlays (fake lock screens using PatternLockView/PinLockView) to steal PINs/patterns/passwords, and advanced keylogging capturing TYPE_VIEW_TEXT_CHANGED events.
  • The malware can block targeted apps by monitoring foreground applications and displaying a deceptive “System Maintenance Notice” overlay to prevent user access to banking/security apps.
  • Extensive C2-driven command set supports dynamic HTML injection, encrypted custom TLS-based C2 channel, input injection (simulated clicks/swipes), file and events exfiltration, and remote device manipulation.

MITRE Techniques

  • [T1660] Phishing – Adversaries hosted external phishing sites to download malicious APKs. (‘Adversaries host external phishing sites to download malicious APKs’)
  • [T1655.001] Masquerading: Match Legitimate Name or Location – Malware impersonates the Google Play icon and disguises itself as an extension to appear trustworthy. (‘Malware payload is impersonating Google Play icon as an extension’)
  • [T1516] Input Injection – Malware mimics user interaction, performs clicks/gestures, and inputs data to manipulate the UI and steal credentials. (‘Malware can mimic user interaction, perform clicks and various gestures, and input data’)
  • [T1406.002] Obfuscated Files or Information: Software Packing – Uses obfuscation and packers (JSONPacker) to conceal code and hinder static analysis. (‘It is using obfuscation and packers (JSONPacker) to conceal its code and uses code obfuscation to make static analysis difficult’)
  • [T1414] Clipboard Data – Extracts data stored on the clipboard for credential theft. (‘It extracts data stored on the clipboard.’)
  • [T1417.001] Input Capture: Keylogging – Implements a keylogger to capture keystrokes and write events to heart_beat.xml. (‘It has a keylogger feature’)
  • [T1417.002] Input Capture: GUI Input Capture – Captures the displayed UI and uses overlays to harvest credentials from shown screens. (‘It is able to get the shown UI.’)
  • [T1418] Software Discovery – Collects the installed application package list to identify targets. (‘Malware collects installed application package list’)
  • [T1426] System Information Discovery – Gathers basic device information for reconnaissance. (‘The malware collects basic device info.’)
  • [T1513] Screen Capture – Records screen content using MediaProjection/VirtualDisplay and exfiltrates frames as encoded images. (‘Malware can record screen content’)
  • [T1414] Clipboard Data – (Referenced in collection context) capability to steal clipboard contents for data exfiltration. (‘It has the ability to steal data from the clipboard.’)
  • [T1637] Dynamic Resolution – Receives injected HTML payload endpoints dynamically from the server for runtime updates. (‘It receives the injected HTML payload endpoint dynamically from the server.’)
  • [T1573] Encrypted Channel – Establishes a custom TLS handshake with an embedded client certificate and a bespoke RSA-to-AES key exchange to secure C2 communications. (‘The app establishes a secure, encrypted C2 channel by performing a custom TLS handshake using an embedded client certificate and a bespoke RSA-to-AES key exchange.’)
  • [T1646] Exfiltration Over C2 Channel – Sends exfiltrated data (screenshots, keystrokes, credentials) to the command and control server. (‘Sending exfiltrated data over C&C server’)

Indicators of Compromise

  • [File names] Local storage and logging artifacts used by the malware – heart_beat.xml, launched_apps.xml (logs keystrokes and launched apps), and sent_apps.xml.
  • [Cache/temp files] Temporary/exfiltration staging files and injected HTML – temp.html stored in cache and HTML injection files in app_cache_data.
  • [File paths] Hidden payload location within the application package – the Resources/raw directory used to store the concealed malicious payload, and the app cache directory for stolen credentials.
  • [Distribution channels] Delivery vectors observed in the campaign – Discord-hosted APKs and phishing websites impersonating European banks.
  • [Sample artifacts] Collected samples from the campaign for analysis – 25 samples of the earlier variant and 9 samples (droppers and payloads) from the ongoing campaign.
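A defender's triage check for the indicators listed above, added here as an illustration and not taken from the zLabs report: it walks an unpacked APK tree (plus any extracted app data) looking for an executable blob under res/raw, the manifest markers behind Accessibility Service, overlay and screen-recording abuse, and the XML/HTML logging artifacts named in the IoCs. The manifest permission strings, the file name update.bin and the sample tree are assumptions constructed for the demo.

```python
import os
import tempfile

# Indicators from the report: Accessibility Service abuse, overlays, screen recording,
# a payload hidden in res/raw and the logging files. The manifest marker strings below
# are assumed Android permission/service names, not values taken from the report.
MANIFEST_MARKERS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service binding",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (fake lock screen) capability",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-recording service",
}
ARTIFACT_NAMES = {"heart_beat.xml", "launched_apps.xml", "sent_apps.xml", "temp.html"}
PAYLOAD_MAGIC = (b"PK\x03\x04", b"dex\n")  # first bytes of an APK (zip) or a DEX file


def triage_apk_dir(root):
    """Scan an unpacked APK tree (optionally with app data) and return the findings."""
    findings = []
    manifest = os.path.join(root, "AndroidManifest.xml")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
        for marker, why in MANIFEST_MARKERS.items():
            if marker in text:
                findings.append(f"manifest: {marker} ({why})")
    raw_dir = os.path.join(root, "res", "raw")
    if os.path.isdir(raw_dir):  # an executable blob in res/raw is the hidden-payload pattern
        for name in sorted(os.listdir(raw_dir)):
            with open(os.path.join(raw_dir, name), "rb") as fh:
                if fh.read(4) in PAYLOAD_MAGIC:
                    findings.append(f"res/raw/{name}: APK/DEX magic, possible hidden payload")
    for dirpath, _, files in os.walk(root):  # on-device logging / staging artifacts
        for name in files:
            if name in ARTIFACT_NAMES:
                findings.append(f"artifact: {os.path.relpath(os.path.join(dirpath, name), root)}")
    return findings


def build_constructed_sample():
    """Create a constructed (not real) unpacked-APK tree that trips each check."""
    root = tempfile.mkdtemp(prefix="dt_triage_")
    os.makedirs(os.path.join(root, "res", "raw"))
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "AndroidManifest.xml"), "w") as fh:
        fh.write('<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>\n'
                 '<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>\n')
    with open(os.path.join(root, "res", "raw", "update.bin"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\0" * 16)  # zip magic standing in for an embedded APK
    with open(os.path.join(root, "cache", "temp.html"), "w") as fh:
        fh.write("<html>constructed injection page</html>")
    return root
```

Running `triage_apk_dir(build_constructed_sample())` reports the two manifest markers, the res/raw blob and cache/temp.html; on a real unpacked sample the same walk flags heart_beat.xml, launched_apps.xml and sent_apps.xml if the app data directory is included under the root.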


Read more: https://zimperium.com/blog/behind-random-words-doubletrouble-mobile-banking-trojan-revealed