Zimperium has announced new findings from its zLabs team on an evolving mobile banking trojan dubbed DoubleTrouble.

The malware reportedly disguises itself using random two-word method names and has rapidly grown in sophistication – adding screen recording, advanced keylogging and new UI overlay capabilities designed to steal credentials and manipulate infected devices.

DoubleTrouble: Leveraging Discord-hosted APKs

Originally spread through phishing sites posing as European banks, DoubleTrouble is said to leverage Discord-hosted APKs to distribute malware in its latest campaign.

Zimperium has articulated that this shift marks a disturbing trend toward social media platforms being used as delivery channels for mobile malware.

Using obfuscation techniques and Android’s Accessibility Services, DoubleTrouble reportedly bypasses traditional detection methods and silently performs a range of malicious actions, including:

• Stealing lock screen credentials using fake UI overlays
• Recording screen content to capture usernames, passwords and OTPs
• Blocking legit banking and security apps with fake “system maintenance” messages
• Logging every keystroke in real time
• Mimicking trusted apps with tailored HTML overlays to phish sensitive data

“Mobile threats are growing more evasive”

Kern Smith, VP of Solutions Engineering, Zimperium commented: “As attackers shift to mobile-first strategies and use dynamic delivery methods like Discord to evade traditional defences, organisations need real-time, on-device protection.

“DoubleTrouble is a stark reminder that mobile threats are growing more evasive and more dangerous, targeting everything from banking credentials to cryptocurrency wallets.”