{"id":2030,"date":"2025-08-01T03:53:32","date_gmt":"2025-08-01T03:53:32","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/01\/android-malware-targets-banking-users-through-discord-channels\/"},"modified":"2025-08-01T03:53:32","modified_gmt":"2025-08-01T03:53:32","slug":"android-malware-targets-banking-users-through-discord-channels","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/01\/android-malware-targets-banking-users-through-discord-channels\/","title":{"rendered":"Android Malware Targets Banking Users Through Discord Channels"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-02c577e0-b959-4b85-b6b7-67c5f758f201\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A sophisticated Android banking Trojan, dubbed \u201cDoubleTrouble,\u201d has recently expanded both its delivery methods and technical capabilities, posing a significant threat to users across Europe.<\/p>\n<p>Initially spread through phishing websites impersonating major banks, the malware now distributes its payload via Discord-hosted APKs, making detection and prevention more difficult.<\/p>\n<p>Researchers at Zimperium have analyzed nine samples from the current campaign and 25 from earlier variants.<\/p>\n<p>In an advisory published on Wednesday, they reported that the latest version of the Trojan offers several new functions designed to steal sensitive data, manipulate device behavior and evade traditional mobile defenses.<\/p>\n<h2><strong>Advanced Features Enable Real-Time Surveillance<\/strong><\/h2>\n<p>Once installed, DoubleTrouble disguises itself as a legitimate app using a Google Play icon and prompts users to enable Android\u2019s accessibility services.\u00a0This access allows the malware to operate stealthily in the background.<\/p>\n<p>A session-based installation method conceals its payload in the app\u2019s resources\/raw directory, thereby helping it evade early 
detection.<\/p>\n<p>The latest iteration of the malware includes a range of advanced features, including:<\/p>\n<ul>\n<li>\n<p>Real-time screen recording through MediaProjection and VirtualDisplay APIs<\/p>\n<\/li>\n<li>\n<p>Fake lock screen overlays to steal PINs, passwords and unlock patterns<\/p>\n<\/li>\n<li>\n<p>Keylogging via accessibility event monitoring<\/p>\n<\/li>\n<li>\n<p>Blocking of specific applications, especially banking or security tools<\/p>\n<\/li>\n<li>\n<p>Phishing overlays tailored to mimic legitimate app login screens<\/p>\n<\/li>\n<\/ul>\n<p>Captured data is encoded and transmitted to a remote command-and-control (C2) server. Target data includes credentials from banking apps, password managers and crypto wallets.<\/p>\n<p>By mirroring the device screen in real time, attackers can bypass multi-factor authentication and access sensitive content exactly as the user sees it.<\/p>\n<p><em>Read more on Android malware targeting financial apps: ToxicPanda Malware Targets Banking Apps on Android Devices<\/em><\/p>\n<h2><strong>Full Command Set Gives Attackers Deep Control<\/strong><\/h2>\n<p>The Trojan responds to dozens of commands sent from its C2 server, allowing remote operators to simulate taps and swipes, trigger fake UI elements, display black\u00a0or update screens and control system-level settings.<\/p>\n<p>Commands such as send_password, start_graphical and block_app allow attackers to harvest information while actively obstructing the user\u2019s actions.<\/p>\n<p>Zimperium warned that DoubleTrouble\u2019s use of obfuscation, dynamic overlays and real-time visual capture reflects a trend toward more adaptive and persistent mobile threats. 
Its continuous evolution and novel distribution methods mark it as a serious concern for both individual users and financial institutions.<\/p>\n<\/div>\n<p>Image\u00a0credit: Marcelo Mollaretti \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated Android banking Trojan, dubbed \u201cDoubleTrouble,\u201d has recently expanded both its delivery methods and technical capabilities, posing a significant threat to users across Europe. Initially spread through phishing websites impersonating major banks, the malware now distributes its payload via Discord-hosted APKs, making detection and prevention more difficult. Researchers at Zimperium have analyzed nine samples<\/p>\n","protected":false},"author":2,"featured_media":2031,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"morenews-featured":["htt
p:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2030-f7295f2a-7bc2-49b5-bd3d-6176487b1e11-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2030"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2030\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2031"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2030"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}