Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed
Executive Summary
Over the past few months, the zLabs team has been tracking a banker trojan strain that has evolved rapidly in both its distribution methods and its capabilities. Initially the threat was spread through phishing websites impersonating well-known European banks. Those early variants relied mainly on overlays to steal banking credentials, captured lock-screen credentials, and included keylogging functionality.
In its latest iteration the distribution strategy has shifted to bogus websites that lead victims to APKs hosted in Discord channels. The change in delivery is accompanied by an expansion of capabilities, which now include screen capture and a range of new C2 commands. To date, our team has collected 25 samples of the previous variant and 9 samples, covering both droppers and payloads, from this ongoing campaign.
Technical Analysis
The malware hinders static analysis by renaming its classes and methods to meaningless two-word combinations of ordinary dictionary words (the "random words" of the title). Because the identifiers carry no meaning, analysis has to start from the Android APIs each method calls rather than from the names themselves.
Like other modern banker families, this variant relies heavily on abusing Android's Accessibility Services to carry out its fraud. Since Android 13, the platform's restricted settings prevent an app that was sideloaded through a non-session installer from being granted Accessibility access; the malware sidesteps this by installing the real payload through a session-based install (the PackageInstaller session API), which the platform treats like an app-store install. The payload is concealed inside the dropper's res/raw directory. To get the victim to install it, the dropper presents itself as an extension or add-on and uses the Google Play icon (Fig. 1) to appear trustworthy. Once running, the payload prompts the victim to enable Accessibility Services and, after the permission is granted, carries out its data theft and device control in the background.
Fig.1: Layouts shown to the user during installation
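As an added example (not code from the report or from the malware), the following Python triage script checks an APK for the two traits just described: a second, complete APK hidden under res/raw, and a DEX reference to the PackageInstaller$Session type used for session-based installs. The fixture it builds is constructed here and is not a real DoubleTrouble sample; real manifests are binary XML, so the fixture's placeholder manifest content is only there to satisfy the zip-entry check.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# DEX type descriptor a dropper references when it installs through
# PackageInstaller.Session (the session-based install path).
SESSION_DESCRIPTOR = b"Landroid/content/pm/PackageInstaller$Session;"


def _is_apk(data: bytes) -> bool:
    """True if `data` is a zip that carries a manifest and at least one DEX file."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return "AndroidManifest.xml" in names and has_dex


def triage_dropper(apk_bytes: bytes) -> dict:
    """Return two indicators of a session-based dropper:
    - embedded_apks: res/raw entries that are themselves complete APKs
    - uses_installer_session: some classes*.dex references PackageInstaller$Session
    """
    embedded, uses_session = [], False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.startswith("res/raw/") and _is_apk(outer.read(info)):
                embedded.append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                if SESSION_DESCRIPTOR in outer.read(info):
                    uses_session = True
    return {"embedded_apks": sorted(embedded), "uses_installer_session": uses_session}


def build_sample(embed_payload: bool) -> bytes:
    """Constructed test fixture (not a real DoubleTrouble sample): an outer APK
    whose classes.dex mentions PackageInstaller$Session and, optionally, a
    second APK hidden in res/raw under an innocuous name."""
    def zipped(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry_name, content in entries.items():
                z.writestr(entry_name, content)
        return buf.getvalue()

    payload = zipped({
        "AndroidManifest.xml": b"<placeholder binary xml>",
        "classes.dex": b"dex\n035\x00<placeholder>",
        "resources.arsc": b"\x00",
    })
    return zipped({
        "AndroidManifest.xml": b"<placeholder binary xml>",
        "classes.dex": b"dex\n035\x00" + SESSION_DESCRIPTOR,
        "res/raw/addon.bin": payload if embed_payload else b"\x00" * 64,
    })


if __name__ == "__main__":
    print(triage_dropper(build_sample(True)))
    # {'embedded_apks': ['res/raw/addon.bin'], 'uses_installer_session': True}
```

Neither indicator is conclusive on its own (legitimate app stores and some enterprise tools also use installer sessions), but the pair together, in an app that also declares an Accessibility service, is a strong reason to look closer.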
Commands and Capabilities
In its latest evolution, the malware has integrated several new and advanced features, significantly expanding its capabilities beyond earlier iterations. These enhancements enable more effective data theft, device manipulation, and evasion techniques. The new functionalities include: displaying malicious UI overlays to steal PIN codes or unlock patterns, comprehensive screen recording capabilities, the ability to block the opening of specific applications, and advanced keylogging functionality.
Prompting Victim to enter pin/password/pattern
The malware uses the open-source PatternLockView and PinLockView libraries to draw convincing fake lock screens and so capture pattern-, PIN- and password-based lock-screen credentials (Fig. 2). The captured input is first saved locally in SharedPreferences and then exfiltrated to the command and control server.
Fig.2: Fake UI’s created by the malware to steal device lockscreen
Screen Recording Feature
The malware captures screen content through Android's MediaProjection and VirtualDisplay APIs. It first requests screen-capture permission from a deliberately inconspicuous activity, so the system consent prompt is not obviously tied to the malicious app. Once the permission is granted, it creates a virtual display that mirrors the user's active screen in real time.
An ImageReader pulls individual frames from the virtual display; each frame is converted to JPEG and then base64-encoded so it can be carried over a text-based protocol. The encoded image is wrapped in a JSON object together with metadata such as the screen dimensions and the image format, which gives the attacker context for the capture.
The JSON payload is then transmitted to the Command and Control (C2) server, giving the attacker an unobstructed, real-time view of the user's screen. Anything the user can see is exposed: typed usernames and passwords, one-time passwords (OTPs) used for multi-factor authentication, cryptocurrency wallet activity, password-manager contents and banking application interfaces. Because the attacker sees exactly what the user sees, this defeats controls that assume only the device holder can read the screen, such as OTPs displayed in an authenticator app.
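As an added example, not code from the report: a Python helper that takes one screen-capture message of the kind described (JSON wrapping a base64 JPEG plus dimensions), recovers the frame, and cross-checks the reported screen size against the size recorded in the JPEG's own SOF header. The field names (image, width, height, format), the command value and the sample message are assumptions for illustration; the JPEG fixture is constructed and contains only the headers the parser needs.

```python
import base64
import json
import struct

# Frame-header markers SOF0..SOF15, minus DHT (C4), JPG (C8) and DAC (CC),
# which share the Cx range but do not describe a frame.
_SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_dimensions(data: bytes):
    """Walk JPEG segments and return (width, height) from the first SOFn marker.
    Raises ValueError if no frame header is found before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte, skip
            pos += 1
            continue
        if marker in (0xD9, 0xDA):          # EOI or SOS: no frame header ahead
            break
        if 0xD0 <= marker <= 0xD8:          # RSTn / SOI carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in _SOF_MARKERS:
            if pos + 9 > len(data):
                break
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + length
    raise ValueError("no SOF marker found")


def decode_frame(message: str) -> dict:
    """Parse one capture message, decode the JPEG and compare the size the
    malware reports with the size in the JPEG header. Field names are assumed."""
    msg = json.loads(message)
    if str(msg.get("format", "")).lower() != "jpeg":
        raise ValueError("unexpected format %r" % msg.get("format"))
    jpeg = base64.b64decode(msg["image"], validate=True)
    width, height = jpeg_dimensions(jpeg)
    reported = (msg["width"], msg["height"])
    return {
        "bytes": len(jpeg),
        "jpeg_size": (width, height),
        "reported_size": reported,
        "consistent": (width, height) == reported,
        "jpeg": jpeg,                       # write this out to view the frame
    }


def minimal_jpeg(width: int, height: int) -> bytes:
    """Constructed fixture: SOI + one SOF0 header + EOI, enough for the parser."""
    sof = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8" + b"\xff\xc0" + struct.pack(">H", 2 + len(sof)) + sof + b"\xff\xd9"


def make_message(reported_width: int, reported_height: int, jpeg: bytes) -> str:
    """Constructed C2 message; the field names are assumptions."""
    return json.dumps({
        "command": "graphical",
        "width": reported_width,
        "height": reported_height,
        "format": "jpeg",
        "image": base64.b64encode(jpeg).decode("ascii"),
    })


if __name__ == "__main__":
    frame = minimal_jpeg(1080, 2400)
    result = decode_frame(make_message(1080, 2400, frame))
    print({k: v for k, v in result.items() if k != "jpeg"})
```

Checking the header size against the reported size is a cheap way to spot truncated or corrupted frames when reconstructing a session from captured traffic, and the same walker can be pointed at frames recovered from disk.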
Blocking Banking Applications
The malware also blocks applications named in a dynamic list received from its command and control (C2) server. It monitors the foreground application (Fig. 3) and, when a targeted app comes to the front, covers it with a deceptive "System Maintenance Notice" (Fig. 4) so the user cannot interact with it. Banking and security apps are the obvious targets.
The motive is not entirely clear, but it appears to serve as a preparation step before the overlay attack is deployed.
Fig.3: Monitoring the foreground applications
Fig.4: System maintenance overlay shown on top of the application to block
A Highly Sophisticated Keylogger
The malware also runs a keylogger that records text input and detects window or application changes in real time. It does this through the Accessibility API rather than any low-level hook: it listens for TYPE_VIEW_TEXT_CHANGED and TYPE_VIEW_TEXT_SELECTION_CHANGED events, which fire whenever the user types into or edits an input field, so it captures the field's contents rather than raw key codes.
Captured events are written silently to a file named heart_beat.xml (Fig. 5) in the app's SharedPreferences (on disk under /data/data/<package>/shared_prefs/), so user activity is logged persistently and can be sent to the C2 on request. Two further SharedPreferences files are kept there: launched_apps.xml, listing the applications the victim has launched, and sent_apps.xml, listing all installed applications.
Fig.5: An active keylogger to monitor each keystroke from the victim
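Since heart_beat.xml, launched_apps.xml and sent_apps.xml are ordinary SharedPreferences files, they can be pulled from a rooted device or emulator and parsed offline. The Python below is an added example (not the report's or the malware's code): a parser for the SharedPreferences on-disk XML format that handles every value type the API writes, plus a summary routine over the three files. The key names and the "package|event|text" value layout inside the fixtures are assumptions; only the file names come from the report.

```python
import xml.etree.ElementTree as ET


def parse_shared_prefs(xml_text) -> dict:
    """Parse an Android SharedPreferences XML file (as found under
    /data/data/<package>/shared_prefs/) into a dict. Handles every value type
    SharedPreferences.Editor can write: string, int, long, float, boolean, set."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file (root element is %r)" % root.tag)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = {child.text or "" for child in el if child.tag == "string"}
        else:
            raise ValueError("unexpected element %r" % el.tag)
    return prefs


def extract_beats(heart_beat: dict) -> list:
    """Turn heart_beat entries into (timestamp, package, event, text) tuples,
    oldest first. Assumes each value is 'package|event|text' (illustrative only)."""
    beats = []
    for ts, value in heart_beat.items():
        package, event, text = value.split("|", 2)
        beats.append((int(ts), package, event, text))
    return sorted(beats)


def summarize(files: dict) -> dict:
    """files maps file name -> XML text, e.g. the output of
    `adb pull /data/data/<package>/shared_prefs/`."""
    launched = parse_shared_prefs(files["launched_apps.xml"])
    installed = parse_shared_prefs(files["sent_apps.xml"])
    beats = extract_beats(parse_shared_prefs(files["heart_beat.xml"]))
    return {
        "keystroke_events": len(beats),
        "packages_keylogged": sorted({b[1] for b in beats}),
        "launched_apps": sorted(launched.get("apps", set())),
        "installed_count": len(installed.get("apps", set())),
    }


# Constructed fixtures in the SharedPreferences on-disk format. Key names and
# value layout are assumptions; only the file names come from the report.
_HEADER = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
SAMPLE_FILES = {
    "heart_beat.xml": _HEADER + """<map>
    <string name="1717000005678">com.example.bank|TYPE_VIEW_TEXT_CHANGED|hunter2</string>
    <string name="1717000001234">com.example.bank|TYPE_VIEW_TEXT_CHANGED|user@example.com</string>
</map>""",
    "launched_apps.xml": _HEADER + """<map>
    <set name="apps">
        <string>com.example.bank</string>
        <string>com.android.chrome</string>
    </set>
    <long name="last_sync" value="1717000000000" />
    <boolean name="first_run" value="false" />
</map>""",
    "sent_apps.xml": _HEADER + """<map>
    <set name="apps">
        <string>com.example.bank</string>
        <string>com.android.chrome</string>
        <string>com.android.settings</string>
    </set>
</map>""",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_FILES))
```

On a real device the same three files tell an incident responder which apps the victim used while infected and what was typed into them, which is usually the fastest way to scope which accounts need credential resets.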
Traditional Overlays
In addition to its other functionalities, the malware employs typical fake overlays. These overlays present a fabricated "Account verification" form over legitimate applications, designed to deceive users into divulging sensitive information such as usernames, passwords, and credit card numbers.
Captured credentials are secretly saved in the app's cache directory before being exfiltrated to the attacker's Command and Control (C2) server. The malware leverages Android’s Accessibility Services to detect when a user opens a specific application, subsequently overlaying a fake UI tailored for that app. Fig. 6 shows an example overlay for the Play Store, titled "Account Verification".
Fig.6: Overlay received from the server
Complete Set of Commands
This section lists every command the malware accepts from its Command and Control (C2) server. Together they show how much control the operator has over an infected device, from data exfiltration and credential theft to full manipulation of the UI and persistence on the compromised system.
Command | Description
home | Wakes the device with a hidden wake lock if the screen is off, or simulates a Home button press via Accessibility if the screen is on
click | Taps the given X/Y screen coordinates via an Accessibility gesture to simulate a touch event
swipe_path | Draws a path across specific screen coordinates using Accessibility gesture automation
start_skeleton | Starts capturing a screenshot-like "skeleton" view of the current UI, renders it to a canvas, and sends it as a Base64 image
stop_skeleton | Stops sending skeleton views and clears the flag
get_screen_locks | Retrieves the saved pattern, PIN and password lock secrets from SharedPreferences
ping | Pings the C2 to establish communication
html_injection | Retrieves an HTML injection from the server and stores it in the cache folder
clear_injection_cache | Clears the saved injections in app_cache_data
get_cached_injections | Reports the cached injection HTML files tracked in SharedPreferences
send_pin | Shows a fake lock screen to steal the PIN
send_pattern | Shows a fake lock screen to steal the unlock pattern
send_password | Shows a fake lock screen to steal the password
custom_html | Writes the "html" string from the JSON (or "<h1>No HTML Found!</h1>" if it is missing) into temp.html in the cache
block_app | Blocks the package named by the server and shows the maintenance screen over it
unblock_app | Unblocks the app
push_notification | Posts a notification with a title, content, and an intent that opens either a URL or an app
start_graphical | Starts screen capture
stop_graphical | Stops screen capture
start_anti | Enables a protective flag and scans UI elements for specific text to trigger automated actions
stop_anti | Disables the protective flag and stops the automated scanning
back | Simulates a Back button press via Accessibility
recent | Simulates pressing the Recents button via Accessibility
lock | Most likely locks the screen via an Accessibility global action; the original table gives it the same Recents description as recent, which looks like a transcription error
mute | Mutes the device audio
open_app | Opens the package named by the server
open_properties | Opens the App Info screen for a specific package in system settings
open_play_protect | Opens Google Play Protect's "Verify Apps" settings screen, showing a toast if the activity isn't available
get_events | Sends a JSON payload containing the saved "beats" (keylog) data as an "events_list" command, if any exist
enable_black_on | Displays a full black screen overlay
enable_black_off | Removes the black overlay view
enable_update_on | Displays a fake update overlay with the messages "Device update started" and "Don't touch"
enable_update_off | Removes the update overlay
enable_html_on | Creates an overlay window covering the entire screen and shows a WebView with the given HTML content inside it
enable_html_off | Removes the HTML overlay view
get_screen_size | Reads the screen width and height and writes them to SharedPreferences
Zimperium vs DoubleTrouble
Zimperium’s Mobile Threat Detection (MTD) and Runtime Application Protection (zDefend) successfully identify both the older and newer variants of DoubleTrouble using our on-device dynamic detection engine. This means that Zimperium customers were protected even when:
● The malware was distributed through novel channels like Discord-hosted APKs
● The payloads used custom obfuscation techniques and repackaging
● Samples had never been seen before in the wild
As this threat actor continues to innovate and push new capabilities, real-time, on-device mobile threat defense becomes critical to protect both individuals and organizations from credential theft, account takeover, and financial fraud.
MITRE ATT&CK Techniques
Tactic | Name | Description
Initial Access | Phishing | Adversaries host external phishing sites that serve the malicious APKs
Defense Evasion | Masquerading: Match Legitimate Name or Location | The payload poses as an extension or add-on and uses the Google Play icon
Defense Evasion | Input Injection | The malware mimics user interaction: it performs clicks and other gestures and enters data
Defense Evasion | Obfuscated Files or Information: Software Packing | It uses a packer (JSONPacker) to conceal its code and name obfuscation to make static analysis difficult
Credential Access | Clipboard Data | It extracts data stored on the clipboard
Credential Access | Input Capture: Keylogging | It has a keylogger feature
Credential Access | Input Capture: GUI Input Capture | It captures input through fake UI it displays (lock screens and overlays)
Discovery | Software Discovery | It collects the list of installed application packages
Discovery | System Information Discovery | It collects basic device information
Collection | Screen Capture | It records screen content (listed under Discovery in the original table; Screen Capture is a Collection technique)
Collection | Input Capture: Keylogging | It captures keystrokes
Collection | Input Capture: GUI Input Capture | It captures input through the fake UI it displays
Collection | Clipboard Data | It steals data from the clipboard
Command and Control | Dynamic Resolution | It receives the HTML injection endpoint dynamically from the server
Command and Control | Encrypted Channel | The app establishes an encrypted C2 channel by performing a custom TLS handshake with an embedded client certificate followed by a bespoke RSA-to-AES key exchange. Because it trusts the embedded certificate rather than the system trust store, a user-installed proxy CA does not let an analyst read the traffic; the channel has to be intercepted by hooking the app's TLS or crypto code on the device
Exfiltration | Exfiltration Over C2 Channel | Exfiltrated data is sent over the C2 channel
Impact | Input Injection | It displays injected payloads such as a fake pattern lock and mimics banking app login screens through overlays to steal credentials
Indicators of Compromise
The list of IOCs can be found in this repository.