CyberWire Daily - When malware plays pretend. [Research Saturday]

Episode Date: August 9, 2025

Nicolás Chiaraviglio, Chief Scientist from Zimperium's zLabs, joins to discuss their work on "Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed." Zimperium's zLabs team has been tracking an evolving banker trojan dubbed DoubleTrouble, which has grown more sophisticated in both its distribution and capabilities. Initially spread via phishing sites impersonating European banks, it now uses malicious APKs hosted in Discord channels, and boasts features like screen recording, keylogging, UI overlays, and app blocking, all while heavily abusing Android's Accessibility Services. Despite advanced obfuscation and dynamic evasion techniques, Zimperium's on-device detection tools have successfully identified both known and previously unseen variants, helping protect users from credential theft, financial fraud, and device compromise. The research can be found here: Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future.
Starting point is 00:00:46 Visit cyberark.com/machines to see how. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We have a pretty big user base at the moment, and we have some malware detection systems
Starting point is 00:01:32 that are purely based in machine learning. We are constantly verifying samples that we are detecting in the wild that are very different from things that we've seen before. So as part of that process, we found some samples that caught our attention, and then we started checking in public sources
Starting point is 00:01:53 if we found similar samples. That's Nicolás Chiaraviglio. He's chief scientist from Zimperium's zLabs. The research we're discussing today is titled Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed. So that's how we found around 35 different samples for this campaign. We shared from different periods in time of the same campaign, so we could see kind of like the evolution of it. And what is it that made the DoubleTrouble banking Trojan stand out compared to others that you've seen before?
Starting point is 00:02:35 There are a couple of new techniques used by these folks, mostly to avoid detection. I'm not sure how familiar you are with how traditional banker Trojans work, but they do implement all these, the same capabilities. We can discuss them if you want. Yeah, let's do it. Okay, so yeah, let's do that. So recently, you had actually an interview with Selena Larson in which you discussed all the info stealers or this family. So banker Trojans are a type of info stealer, but they are focusing on financial data and bank data. So the way they usually do it is they use the accessibility service on a mobile device in order to be able to tamper with the UI while the user is interacting with a banking application.
Starting point is 00:03:25 And the most common attack is what is called an overlay attack. So when the banking app is started, the malware takes control over the UI and puts in front of the bank UI what is called an overlay. So the victim thinks that it's interacting with the regular banking app, but in reality what is happening is that it's interacting with this fake UI. So all the data that is being entered, like credentials or account information, is actually sent to the command and control server. So this is like the traditional attack. In this case, what they did is they added, for example, screen recording capabilities. The reason why they are doing this is because now a lot of malware detection engines
Starting point is 00:04:17 are trying to detect at runtime if there is an application that is, for example, using an overlay. So that is something that can be detected. So that renders the traditional banking attack a bit ineffective. So in this case, what these guys are doing is something different, which is to actually record the screen. So they get frame by frame what the victim is doing. So by doing that, they can reconstruct everything that happens on the device
Starting point is 00:04:43 and steal credentials anyway. And you think that this is pretty similar to an overlay attack, but from the internals of how it works it's completely different. So this is something that goes fully under the radar. So this is what basically makes DoubleTrouble more effective than traditional bankers that we've seen out there. Now, one of the things you highlight in the research is that this has evolved over time. In earlier variants, it was distributed a certain way, and that's changed.
Starting point is 00:05:16 Can you walk us through the evolution of the distribution methods? Yeah, sure. So initially what they were doing was a traditional phishing attack. So the victim had to go through, usually on desktop or on the mobile device, but browsing the web, they had to go through a phishing site that looked very similar to the bank that they were targeting. And basically, the user in that social engineering attack was tricked to download an app that was later installed on the device, right?
Starting point is 00:05:51 So that was like a traditional method. But in that case, the targets were more limited, right? If you were opening Bank A, then you were downloading that app and you are basically expecting that app to be similar to Bank A. So now what they're doing is they are just hosting apps in many different places and not necessarily as banking apps. For example, they were distributing apps even on Discord. So any app repository can contain one of these malicious applications.
Starting point is 00:06:24 And the good thing about this is that you don't need to be targeting one specific banking app, where you can get the payload afterward. And this is something that we see quite often. So because of the way the OS protection works, if you download an app from the Internet, you won't be able to install it on your device. You won't be able, for example, to run the accessibility service, which is something that is critical for this malware in order to operate properly. But what these guys do is like a two-stage attack. So first you get this app from one of these bogus repositories, or it can be any deceptive website,
Starting point is 00:07:04 now not necessarily targeting a bank, and it's what we call a dropper. So the dropper has a different application inside that will be installed in a way that is called a session-based installation. And the way to do that, or the benefit of doing that, is that the APK, the actual application, will never be on disk. So if you're a security vendor that is inspecting that,
Starting point is 00:07:29 you won't be detecting that because the app will never be there. And now with this dropper, you can kind of like dynamically generate the target. You can contact a command and control server and say, hey, this device has bank A, B, and C installed here. So please give me the payloads that I need in order to target these banks. Why are they making use of Discord specifically? What are the benefits for the attackers there?
Starting point is 00:07:55 That's a very good question. And sometimes with this research, we don't have all the answers. This is one of them. I guess that they are just targeting, like, popular social networks. So we see a lot of malware being distributed through Telegram channels, Discord channels. So our guess is that they are, like, infiltrating specific groups and playing on, like, you know, still the good part of the internet in which people help each other without asking for a lot.
Starting point is 00:08:27 So, hey, check this, you know, it can help you. And then basically getting some malicious payload with one of these purposes. I see. Well, the research mentions the use of what you call random two-word method names throughout the code. Can you tell us what that means? And my understanding is that that
Starting point is 00:08:48 complicates traditional static analysis? Yes, exactly. So it's basically an obfuscation methodology that they are using. In the compiling process of the app, what they do is they get all classes and method names, and they change them to two random words that they select for each class and each method. Why does that complicate static analysis? Because usually what security researchers do is they create what we call a signature, right?
Starting point is 00:09:24 Some heuristic. So if you see this pattern in the code, then it's likely that this is a malicious sample. But if that pattern is random and if that pattern keeps changing, then it's kind of like, it's very difficult to create that signature. So that's what they are doing. In this case, it's pretty unusual, but they chose to do this, like obfuscation methodologies, replacing classes and method names with two random names, each class and each method with a different combination of two words. We'll be right back.
Starting point is 00:10:05 New adversary tactics and emerging tech to meet these threats is developing all the time. On threat vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work. How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong. Join me, David Moulton, Senior Director of Thought Leadership for Unit 42 at Palo Alto Networks and our guests who live this work every day. We're not just talking about some encryption and paying multimillion dollar ransom.
Starting point is 00:10:38 We're talking about fundamentally being unable to operate. Automated eradication and containment. So being able to very rapidly ID what's going on in an environment and contain that immediately. They're hiding in plain sight. So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Factor, your front line for security insights. And now a word for. from our sponsor, Threat Locker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Starting point is 00:11:22 Allow listing is a deny-by-default software that makes application control simple and fast. Ring fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from Threat Locker. And what is the range of capabilities of double trouble? What sort of things can it do? It can do quite a lot, actually. So we discussed already like the traditional overlay attack.
Starting point is 00:12:05 So that is fully present here. And on top of that, it can steal the lock pattern. So they have the capability of stealing either the pattern or the PIN code or any password that the user uses. So basically they steal how you are unlocking your device. This is interesting because there are many reasons for that. But one possibility is that they want to evolve in the future to do something like ransomware. So ransomware on mobile devices is discussed a lot, but we haven't seen like any big attack yet.
Starting point is 00:12:46 But one way to perform a ransomware attack would be to change the PIN code of the device. So if I lock you out of your device and I just display some message saying, hey, send this amount of crypto to this address. That would be like an analogy to traditional ransomware attacks. And that would show it has the capability of getting the PIN,
Starting point is 00:13:06 the pattern to unlock the device. At the same time, it's a keylogger. So it can record every keystroke on the device. So from there, you can also reconstruct, for example, credentials or any information that you see on the images that I mentioned before. As I mentioned, also we have the screen recording feature,
Starting point is 00:13:29 which basically what they do is they are constantly taking pictures frame by frame. And then they are encoding that as base64. So now we transform images to text. And they put that inside of a JSON payload that is being sent to the command and control server with a lot of metadata of the device, so that lets the attacker reconstruct everything that happened.
Starting point is 00:13:53 And also, it has remote control capabilities. So things that are necessary, for example, to grant the application more permissions. So we mentioned that basically this is like a two-stage infection. First, we have a dropper, and then we have the payload. And the dropper needs to have elevated privileges in order to perform other actions, not the limited permission, sorry,
Starting point is 00:14:16 the accessibility permission, to do that. So once they have that, they have specific commands to control the device. They can exercise the UI as if they have total control over it. And the last thing that they can do also is they can block and crash legitimate applications. So it's also unclear why they do that, because usually if you're performing an overlay attack,
Starting point is 00:14:45 you want the app to be running and you don't want to see any crash. But what they do is they crash the real application and they display a system error message saying, hey, this app is crashing for X or Y reason. And after that, they can spawn a different attack. But it's not completely clear what the purpose of that stage is yet. And what insights do you have on their command and control functionality and infrastructure?
Starting point is 00:15:12 So we usually don't poke much on the C2, so I don't have a lot of information. I think in the research also we didn't show much on that. We kind of got, through dynamic analysis, all the list of commands that they can do, but we don't have much information on the actual infrastructure. Yeah, fair enough. Who do they seem to be targeting here?
Starting point is 00:15:37 Are there any patterns of who they're going after? So the first version of this was targeting specifically European banks, so all the European banks. The latest version, as I said,
Starting point is 00:15:50 it's quite dynamic, right? So even if today we see only banks targeted, or only European banks targeted, it can happen that the next week that is extended a lot,
Starting point is 00:16:01 so they have screen recording functionalities, so basically they can target any app, right? So if someone in South Africa is opening this and there is suddenly a stream of information from a South African bank,
Starting point is 00:16:15 well, they can go and use it, right? Because they just have all the, even the keystrokes and all the images. And it's quite common that we see this evolving. Like, for example, a couple of days ago, another security vendor, Cleafy, published a blog about a new banking Trojan that is called PlayPraetor or something like that. And they claim that they found 300 banks targeted. So we did further research on it and we found more samples, and we found that the targets grew from 300 to 3,000.
Starting point is 00:16:50 So we only found this amount of new targets in just a couple of weeks. So this is a pretty fast-evolving ecosystem somehow, sometimes, and since they have control on the device, a remote control on the device, the payload can be quite dynamic, and the number of banks targeted can grow pretty fast. What are your recommendations then for organizations to best protect themselves? What sort of things do they need to have in place? So in this case,
Starting point is 00:17:23 disabling third-party sources is critical. Most of these applications are always coming through unbetted sources. So I would say that that's the critical part of it. Never install apps that are through unknown sources or through
Starting point is 00:17:39 third-party app stores or things. that are not trusted. Second, having a comprehensive mobile threat detection, it's kind of critical, something that can detect even if the first recommendation is not enforced. And third, in an enterprise environment, having something like application betting in order to have a comprehensive understanding
Starting point is 00:18:09 of what applications that are installed, the user-based are doing, it would be critical to. Looking at the research that you've done here, what does double trouble tell you in terms of where we might be headed in the future when it comes to these mobile banking threats? That's a very good question. And I think that we can guarantee
Starting point is 00:18:31 that this trend will continue. So this is a cat and mouse game. So attackers will adapt and we will have to adapt to new kinds of attacks. and we will have to do it in a much more restricted ecosystem every time. So for sure, these attacks will grow in complexity. Probably the extensive adoption of AI will also help to increase the number of targets. So now it's pretty simple for attackers to extend the range of their attacks.
Starting point is 00:19:06 So pretty much I would say that's where we are going, right? like wider targets, and always evolving techniques. Our thanks to Nicolas Charoviglio from Zimperium for joining us. The research is titled Behind Random Words, Double Trouble Mobile Banking Trojan, Revealed. We'll have a link in the show notes. And that's Research Saturday Brought to you by N2K CyberWire We'd love to hear from you
Starting point is 00:19:43 We're conducting our annual audience survey To learn more about our listeners We're collecting your insights Through the end of this summer There's a link in the show notes Please do check it out This episode was produced by Liz Stokes We're mixed by Elliot Peltzman and Trey Hester
Starting point is 00:19:57 Our executive producer is Jennifer Ibin Peter Kilpe is our publisher And I'm Dave Bittner Thanks for listening We'll see you back here next time Thank you.
