New DoubleTrouble Banking Malware Targets Users Through Phishing Sites to Steal Credentials
Researchers at zLabs have been closely monitoring the DoubleTrouble banking trojan, a rapidly evolving malware strain that has shifted its tactics to exploit unsuspecting users across Europe.
Initially distributed through phishing websites that mimic reputable banks, the trojan has since adopted more insidious distribution methods, including bogus sites that host samples directly in Discord channels.
This pivot not only broadens its reach but also enhances its evasion capabilities, with zLabs collecting 25 samples of prior variants and nine from the current campaign, including droppers and payloads.
The malware’s core strength lies in its abuse of Android’s Accessibility Services, employing session-based installation to bypass permission restrictions.
By concealing its payload in the app’s Resources/raw directory and masquerading as a legitimate extension with the Google Play icon, DoubleTrouble tricks users into granting access, enabling background operations like data theft and device control.
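The two behaviours described above, a second APK hidden under `res/raw/` and a dropper that installs it through a package-installer session, leave traces that can be checked statically before the sample is ever run. The following triage script is an added example written for this page; it is not zLabs' tooling or code from the article. It treats an APK as the ZIP archive it is, flags any `res/raw/` entry that is itself a ZIP containing `classes.dex` or `AndroidManifest.xml`, and applies a simple heuristic for session-based installation by searching the dex for the `android/content/pm/PackageInstaller` class-descriptor string. The sample "dropper" and "clean" APKs are constructed in memory with placeholder contents so the script runs offline; `res/raw/update.bin` and the marker strings are assumptions, not indicators from the report.

```python
import io
import zipfile

# Dex files begin with "dex\n" followed by a version string such as "035\0".
DEX_MAGIC = b"dex\n"
# Heuristic only: dex string tables hold class descriptors verbatim, so a
# dropper that calls PackageInstaller.Session will usually contain this text.
PACKAGE_INSTALLER_MARKER = b"android/content/pm/PackageInstaller"


def _looks_like_apk(data: bytes) -> bool:
    """True if data is a ZIP archive carrying dex code or an Android manifest."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "classes.dex" in names or "AndroidManifest.xml" in names


def triage_apk(apk_bytes: bytes) -> dict:
    """Static checks for the dropper pattern: nested APK in res/raw plus
    a reference to the PackageInstaller API in the dex code."""
    findings = {"embedded_apks": [], "uses_package_installer": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("res/raw/"):
                if _looks_like_apk(apk.read(name)):
                    findings["embedded_apks"].append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                dex = apk.read(name)
                if dex.startswith(DEX_MAGIC) and PACKAGE_INSTALLER_MARKER in dex:
                    findings["uses_package_installer"] = True
    return findings


def build_sample_dropper() -> bytes:
    """Constructed sample (not a real artifact): an outer APK whose
    res/raw/update.bin is a second APK, and whose dex names PackageInstaller."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00constructed payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex",
                   DEX_MAGIC + b"035\x00L" + PACKAGE_INSTALLER_MARKER + b"$Session;")
        z.writestr("res/raw/update.bin", inner.getvalue())
        z.writestr("res/raw/sound.bin", b"\x00\x01\x02 plain resource")
    return outer.getvalue()


def build_sample_clean() -> bytes:
    """Constructed sample: ordinary resources in res/raw and no installer call."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00Lcom/example/Main;")
        z.writestr("res/raw/config.json", b'{"theme": "dark"}')
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("dropper", build_sample_dropper()),
                          ("clean", build_sample_clean())):
        print(label, triage_apk(sample))
```

A nested archive in `res/raw/` is not proof of malice on its own (some legitimate apps bundle plugins or update packages), so the two findings are best treated together as a reason to pull the sample into deeper analysis rather than as a verdict. Real-world droppers also encrypt or split the payload, which this check would miss; entropy scoring of `res/raw/` entries is the usual next step.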
Static analysis is further complicated by obfuscation ...
Copyright of this story solely belongs to gbhackers.