Dave Bittner
You're listening to the CyberWire network.
Nicolas Chiaraviglio
Powered by N2K. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1. And without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com machines to see how. Hello everyone, and welcome to the CyberWire Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Selena Larson
We have a pretty big user base at the moment, and we have some malware detection systems that are purely based in machine learning. We are constantly verifying samples that we are detecting in the wild that are very different from things that we've seen before. So as part of that process, we found some samples that got our attention and then we started checking in public sources if we found similar samples.
Nicolas Chiaraviglio
That's Nicolas Chiaraviglio. He's chief scientist from Zimperium's Z Labs. The research we're discussing today is titled Behind Random Words: Double Trouble Mobile Banking Trojan Revealed.
Selena Larson
So that's how we found around 35 different samples for this campaign, which are from like different periods in time of the same campaign. So we could see kind of like the evolution of it.
Nicolas Chiaraviglio
And what is it that made the Double Trouble Banking Trojans stand out compared to others that you've seen before?
Selena Larson
There are a couple of new techniques used by these folks, mostly to avoid detection. I'm not sure how familiar you are with how traditional banker Trojans work, but they do implement all the same capabilities. We can discuss them if you want. Yeah, let's do that. Okay, so. So recently you had actually an interview with Selena Larson in which you discussed all the info stealers or this family. So banker Trojans are a type of info stealer, but are focusing on financial data and bank data. So the way they usually do it is they abuse the accessibility service on a mobile device in order to be able to tamper with the UI while the user is interacting with a banking application. And the most common attack is what is called an overlay attack. So when the banking app is started, the malware takes control over the UI and puts in front of the bank UI what is called an overlay. So the victim thinks that it's interacting with the regular banking app, but in reality what is happening is that it's interacting with this fake UI. So all the data that is being entered there, like credentials or account information, is actually sent to a command and control server. This is like the traditional attack. In this case, what they did is they added, for example, screen recording capabilities. The reason why they are doing this is because now a lot of malware detection engines are trying to detect at runtime if there is an application that is, for example, using an overlay. So that is something that can be detected. So that renders the traditional banking attack a bit ineffective. In this case, what these guys are doing is something different, which is to actually record the screen. So they get frame by frame of what the victim is doing. So by doing that, they can reconstruct everything that happened on the device and steal credentials in a new way. You would think that this is pretty similar to an overlay attack, but the internals of how it works are completely different.
So this is something that goes fully under the radar. So this is what basically makes Double Trouble more effective than traditional bankers that we've seen out there.
Nicolas Chiaraviglio
Now, one of the things you highlight in the research is that this has evolved over time. In earlier variants, it was distributed a certain way and that's changed. Can you walk us through the evolution of the distribution methods?
Selena Larson
Yeah, sure. Initially what they were doing were traditional phishing attacks. The victim had to go through, usually on desktop or on the mobile device, but browsing the web, they had to go through a phishing site that looked very similar to the bank that they were targeting. Basically the user in that social engineering attack was tricked to download an app that was later installed on the device. So that was like a traditional method, but in that case the targets were more limited. Right. So if you were opening Bank A, then you were downloading that app and you are basically expecting that app to be similar to the bank. So now what they're doing is they are just hosting apps in many different places and not necessarily as banking apps. For example, they were distributing apps, even on Discord. So any app repository can contain one of these malicious applications. And the good thing about this is that you don't need to be targeting one specific banking app. You can get the payload afterward. This is something that we see quite often because of the way the OS protection works. If you download an app from the Internet, you won't be able on your device to, for example, run the accessibility service, which is something that is critical for this malware in order to operate properly. But what these guys do is a two-stage attack. First you get this app from one of these bogus repositories, or it can be any deceptive website. Now, not necessarily targeting a bank, it's what we call a dropper. The dropper has a different application inside that will be installed in a way that is called a session-based installation. The way to do that, or the benefit of doing that, is that the APK, the actual application, will never be on disk. So if you are a security vendor that is inspecting that, you won't be detecting that because the app will never be there. Now with this dropper, you can kind of like dynamically generate the target.
You can contact a command and control server and say, hey, this device bank A, B and C installed here, so please give me the payloads that I need in order to target these banks.
Nicolas Chiaraviglio
Why are they making use of Discord specifically? What are the benefits for the attackers there?
Selena Larson
That's a very good question. And sometimes with this research we don't have all the answers. This is one of them, I guess that they are just targeting popular social networks. So we see a lot of malware being distributed through Telegram channels, these Discord channels. So our guess is that they are like infiltrating specific groups, playing still the good part of Internet in which people help each other without asking for a lot. So hey, check this can help you. And then basically getting some malicious payload with one of these purposes.
Nicolas Chiaraviglio
I see. Well, the research mentions the use of what you call random two word method names throughout the code. Can you tell us what that means? And my understanding is that that complicates traditional static analysis.
Selena Larson
Yes, exactly. So it's basically an obfuscation methodology that they are using in the compiling process of the app. What they do is they get all class and method names and they change them to two random words that they select for each class and each method. Why does that complicate static analysis? Because usually what security researchers do is they create what we call a signature, some heuristic. So if you see this pattern in the code, then it's likely that this is a malicious app. But if that pattern is random and if that pattern keeps changing, then it's very difficult to create that signature. So that's what they are doing. In this case, it's pretty unusual, but they chose to do this obfuscation methodology, replacing class and method names with two random words, each class and each method with a different combination of two words.
Nicolas Chiaraviglio
We'll be right back.
David Moulton
New adversary tactics and emerging tech to meet these threats are developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work.
Selena Larson
How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong.
David Moulton
Join me, David Moulton, senior director of thought leadership for Unit 42 at Palo Alto Networks and our guests who live this work every day.
Selena Larson
We're not just talking about some encryption and paying multimillion dollar ransom. We're talking about fundamentally being unable to operate automated eradication and containment. So being able to very rapidly ID what's going on in an environment and contain that immediately. They're hiding in plain sight.
David Moulton
So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your frontline for security insights.
Nicolas Chiaraviglio
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
Dave Bittner
On WhatsApp, no one can see or hear your personal messages. Whether it's a voice call, a message or sending a password on WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late night voice messages that could basically become a podcast, your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp. Message privately with everyone.
Nicolas Chiaraviglio
And what is the range of capabilities of double trouble? What sort of things can it do?
Selena Larson
It can do quite a lot actually. We discussed already the traditional overlay attack, so that is fully present here. And on top of that, it can steal lock patterns. So they have the capability of capturing either the pattern or the PIN code or any password that the user uses. So basically to steal how you are unlocking your device. This is interesting because there aren't many reasons for that, but one possibility is that they want to evolve in the future to do something like ransomware. Ransomware on mobile devices is discussed a lot, but we haven't seen any big attack yet. But one way to perform a ransomware attack would be to change the PIN code of your device. If I lock you out of your device and I just display some message saying, hey, send this amount of crypto to this address. That would be like an analogy to traditional ransomware attacks. And Double Trouble has the capability of getting the pattern to unlock the device. At the same time, it's a keylogger, so it can record every keystroke on the device. So from there you can also reconstruct, for example, credentials or any information that you see on the images that I mentioned before. As I mentioned also, we have the screen recording feature, which basically what they do is they're constantly taking pictures frame by frame. Then they are encoding that as base64. Now we transform images to text, and they put that inside of a JSON payload that is being sent to the command and control server with a lot of metadata of the device. So that lets the attacker reconstruct everything that happened. Also it has remote control capabilities. So things that are necessary, for example, to grant the application more permissions. So we mentioned that basically this is a two-stage infection. First we have a dropper and then we have the payload. And the dropper needs to have elevated privileges in order to perform other actions. Not elevated privileges, sorry, accessibility permission to do further actions.
So once they have that, they have specific commands to control the device, they can exercise the UI as if they were there. They have total control over it. The last thing that they can do also is they can block and crash legitimate applications. So it's also unclear why they do that, because usually if you are performing an overlay attack, you want the app to be running and you don't want to see any crash. But what they do is they crash the real application and they display a system error message saying, hey, this app is crashing for X or Y reason. And after that they can spawn a different attack. But it's not completely clear what's the purpose of that stage yet.
Nicolas Chiaraviglio
And what insights do you have on their command and control functionality and infrastructure?
Selena Larson
So we usually don't poke much at the C2. So I don't have a lot of information. I think in the research also we didn't show much on that. We kind of got, through dynamic analysis, all the list of commands that they can do, but we don't have much information on the actual infrastructure.
Nicolas Chiaraviglio
Yeah, fair enough. Who do they seem to be targeting here? Are there any patterns of who they're going after?
Selena Larson
So the first version of this was targeting specifically European banks. So all European banks. The latest version, as I said, is quite dynamic. Even if today we see only banks targeted, or only European banks targeted, it can happen that next week that is extended a lot. They have screen recording functionalities. So basically they can target any app. If someone in South Africa is opening this and there is suddenly a stream of information from a South African bank, well, they can go and use it, right? Because they just have all the keystrokes and all the images. And it's quite common that we see this evolving. Like, for example, a couple of days ago, an RS3 vendor, Cleafy, published a blog about a new banking Trojan that is called PlayPraetor or something like that. And they claimed that they found 300 banks targeted. So we did further research on it when we found more samples, and we found that the targets grew from 300 to 3,000. Right. So we found this amount of new targets in just a couple of weeks. So this is a pretty fast evolving ecosystem sometimes. And since they have control of the device, or remote control of the device, the payload can be quite dynamic and the number of banks targeted can grow pretty fast.
Nicolas Chiaraviglio
Well, what are your recommendations then for organizations to best protect themselves? What sort of things do they need to have in place?
Selena Larson
So in this case, disabling third party sources is critical. So most of these applications are always coming through embedded sources. So I would say that that's the critical part of it. Never install apps that are from unknown sources or from third party app stores or things that are not trusted. Second, having comprehensive mobile threat detection can be critical, something that can detect even if the first recommendation is not enforced. And third, in an enterprise environment, having something like application vetting, in order to have a comprehensive understanding of what the applications that are installed in the user base are doing, would be critical too.
Nicolas Chiaraviglio
Looking at the research that you've done here, what does double trouble tell you in terms of where we might be headed in the future when it comes to these mobile banking threats?
Selena Larson
That's a very good question. And I think what we can guarantee is that this trend will continue. So this is a cat and mouse game. So attackers will adapt and we will have to adapt to new kinds of attacks, and we will have to do it in a much more restricted ecosystem every time. So for sure these attacks will grow in complexity. Probably the extensive adoption of AI will also help to increase the number of targets. So now it's pretty simple for attackers to extend the range of their attacks. So pretty much, I would say that's where we are going. Right? Like wider targets and always evolving techniques.
Nicolas Chiaraviglio
Our thanks to Nicolas Chiaraviglio from Zimperium for joining us. The research is titled Behind Random Words: Double Trouble Mobile Banking Trojan Revealed. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily Podcast Summary
Episode Title: When Malware Plays Pretend. [Research Saturday]
Release Date: August 9, 2025
Host: Dave Bittner
Guests: Selena Larson (Zimperium's Z Labs Researcher), Nicolas Chiaraviglio (Chief Scientist, Zimperium's Z Labs)
Sponsor: N2K Networks
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Selena Larson and Nicolas Chiaraviglio from Zimperium's Z Labs about a mobile banking Trojan named "Double Trouble." The discussion covers the malware's detection evasion techniques, its evolution, its operational capabilities, and the broader implications for mobile security.
Selena Larson begins by explaining the initial discovery of the Double Trouble Trojan through machine learning-based malware detection systems. Zimperium's team identified approximately 35 distinct samples of the Trojan, each representing different stages of the same campaign. This diversity allowed researchers to trace the malware's evolution over time ([01:25]).
Nicolas Chiaraviglio introduces the research titled "Behind Random Words: Double Trouble Mobile Banking Trojan Revealed," setting the stage for an in-depth analysis of the threat.
A key distinction discussed is how Double Trouble differs from traditional banking Trojans. Larson details that while traditional Trojans rely on overlay attacks, in which the malware places a fake UI over the banking app to capture user credentials, the Double Trouble Trojan employs a more covert method:
“Instead of using an overlay that can be detected by runtime analysis, Double Trouble records the screen frame by frame, reconstructing all user interactions without triggering typical detection mechanisms.”
— Selena Larson ([02:35])
This screen recording approach allows the malware to operate "fully under the radar," making it significantly more challenging for security systems to identify and mitigate.
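As an added example (not Zimperium's code and not the malware's actual format) of how a defender might spot the frame-by-frame exfiltration the interview describes, where screenshots are base64-encoded into a JSON payload alongside device metadata: the scanner below walks a JSON document, decodes any long base64 string, and reports those whose bytes carry an image signature. The field names and sample payloads are constructed.

```python
"""Flag JSON beacons that smuggle screenshots as base64 strings.

Added example for the screen-recording exfiltration described in the interview.
Not Zimperium's code and not the malware's real format: field names and samples
are constructed for illustration only.
"""
import base64
import binascii
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def image_format(data: bytes) -> Optional[str]:
    """Identify a decoded blob by its magic bytes; None when it is not a known image."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def decode_b64_image(value: str, min_len: int = 256) -> Optional[Tuple[str, int]]:
    """Return (format, decoded_size) when a string is a long base64 blob holding an image."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    fmt = image_format(raw)
    return (fmt, len(raw)) if fmt else None


def _walk(obj: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string) for every string nested anywhere in the document."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")


def scan_payload(text: str, min_len: int = 256) -> List[Dict[str, Any]]:
    """Return one finding per embedded image: where it sits, its format, decoded size."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return []
    findings: List[Dict[str, Any]] = []
    for path, value in _walk(doc):
        hit = decode_b64_image(value, min_len)
        if hit:
            findings.append({"path": path, "format": hit[0], "bytes": hit[1]})
    return findings


# Constructed samples: PNG/JPEG signatures padded with zeros, not real screenshots.
_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 600
_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 500
SAMPLE_EXFIL = json.dumps({
    "device": {"model": "example-phone", "os": "Android 14", "locale": "en-GB"},
    "seq": 17,
    "frames": [base64.b64encode(_PNG).decode(), base64.b64encode(_JPEG).decode()],
})
SAMPLE_BENIGN = json.dumps({"session": base64.b64encode(b"x" * 300).decode(), "note": "hi"})

if __name__ == "__main__":
    for finding in scan_payload(SAMPLE_EXFIL):
        print(finding)
```

A benign beacon with an ordinary base64 token produces no findings, so the signal is the image signature inside the blob rather than base64 by itself.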
Chiaraviglio and Larson discuss the malware's distribution evolution. Initially, Double Trouble leveraged traditional phishing attacks, directing victims to deceptive websites that mimic legitimate banks to trick users into downloading malicious apps. This method, while effective, limited the scope to specific banking institutions.
However, the latest iterations employ a two-stage attack strategy:
“By hosting apps on diverse platforms and utilizing session-based installations, attackers can dynamically generate targets, significantly expanding their reach.”
— Selena Larson ([05:21])
This approach not only broadens the attack surface but also enhances the malware's stealth and adaptability.
One of the most intriguing technical aspects of Double Trouble is its use of random two-word method names for obfuscation:
“They replace class and method names with two random words each, complicating static analysis and signature-based detection.”
— Selena Larson ([08:52])
This obfuscation hampers traditional security measures that rely on recognizing known patterns or signatures, forcing defenders to adopt more advanced detection techniques.
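An added example, not Zimperium's tooling: a triage heuristic for the two-random-word renaming described above. It treats an identifier as suspicious when it is exactly two dictionary words joined in camel case or snake_case, and reports the share of such names across a listing, since the ratio across the whole app is the signal rather than any single hit. The word list and sample identifiers are constructed stand-ins.

```python
"""Triage heuristic for the 'random two-word' class and method renaming.

Added example, not Zimperium's code. WORDS is a constructed stand-in for a full
dictionary, and the sample identifier lists are constructed, not from a real APK.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

WORDS: Set[str] = {
    "apple", "river", "stone", "cloud", "tiger", "paper", "green", "house",
    "light", "metal", "ocean", "quick", "robot", "sugar", "train", "water",
}

# Exactly two chunks: AppleRiver / appleRiver (camel case) or tiger_paper (snake case).
CAMEL_RE = re.compile(r"^([A-Za-z][a-z]+)([A-Z][a-z]+)$")
SNAKE_RE = re.compile(r"^([a-z]+)_([a-z]+)$")


def two_word_split(name: str) -> Optional[Tuple[str, str]]:
    """Return the two dictionary words `name` is built from, or None."""
    m = CAMEL_RE.match(name) or SNAKE_RE.match(name)
    if not m:
        return None
    first, second = m.group(1).lower(), m.group(2).lower()
    if first in WORDS and second in WORDS:
        return first, second
    return None


@dataclass
class NameScore:
    flagged: List[str]
    total: int
    ratio: float


def score_names(names: List[str]) -> NameScore:
    """Count identifiers that are exactly two dictionary words and report the ratio."""
    flagged = [n for n in names if two_word_split(n)]
    ratio = len(flagged) / len(names) if names else 0.0
    return NameScore(flagged=flagged, total=len(names), ratio=round(ratio, 3))


def looks_word_renamed(names: List[str], threshold: float = 0.5) -> bool:
    """Verdict on a whole listing: a single hit (a legitimate `waterLight`) proves
    nothing, so only a large share of two-word identifiers triggers the flag."""
    return score_names(names).ratio >= threshold


# Constructed listings: one mimicking the renaming, one with ordinary Android names.
SAMPLE_OBFUSCATED = ["AppleRiver", "stoneCloud", "tiger_paper", "GreenHouse", "LightMetal", "oceanQuick"]
SAMPLE_NORMAL = ["MainActivity", "onCreate", "getUserName", "LoginFragment", "waterLight", "a"]

if __name__ == "__main__":
    for label, names in (("obfuscated", SAMPLE_OBFUSCATED), ("normal", SAMPLE_NORMAL)):
        print(label, score_names(names), looks_word_renamed(names))
```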
The malware boasts a wide array of functionalities:
“Double Trouble has the capability of getting the pattern to unlock the device. At the same time, it's a keylogger, so it can record every keystroke on the device.”
— Selena Larson ([12:28])
The malware's ability to remotely control the device and manipulate legitimate applications further underscores its threat level.
While Double Trouble exhibits advanced operational capabilities, details about its C2 infrastructure remain limited:
“We don’t have much information on the actual infrastructure. The research focused more on the dynamic analysis and the malware’s functionalities.”
— Selena Larson ([15:44])
This limited visibility poses challenges for defenders aiming to disrupt the malware's communication channels.
Initially, Double Trouble targeted European banks exclusively. However, its dynamic nature allows for rapid scaling:
“The targets grew from 300 to 3,000 banks within a few weeks, indicating a fast-evolving ecosystem.”
— Selena Larson ([16:11])
With screen recording capabilities, the malware can seamlessly extend its reach to any banking application globally, posing a widespread threat beyond its original geographic focus.
To mitigate the risks posed by Double Trouble and similar threats, Larson advises the following measures:
“Disabling third-party sources is critical. Never install apps through unknown sources or third-party app stores.”
— Selena Larson ([17:51])
These strategies are essential in creating a multi-layered defense against evolving mobile threats.
The discussion concludes with insights into the future trajectory of mobile banking threats:
“This is a cat and mouse game. Attackers will continue to adapt, and we will need to evolve our defenses accordingly. The extensive adoption of AI will likely increase the number of targets and the complexity of attacks.”
— Selena Larson ([18:58])
The continuous evolution of malware like Double Trouble necessitates proactive and adaptive security measures to stay ahead of cyber adversaries.
Host Dave Bittner wraps up the episode by highlighting the significance of ongoing research and the importance of staying informed about emerging threats. He encourages listeners to engage with the content and participate in community surveys to enhance collective cybersecurity awareness.
This episode of CyberWire Daily's Research Saturday provides a comprehensive examination of the Double Trouble Mobile Banking Trojan, showcasing its advanced evasion techniques, versatile capabilities, and the evolving landscape of mobile cybersecurity threats. Through expert analysis, listeners gain valuable insights into the mechanisms of sophisticated malware and actionable strategies to safeguard their organizations against such pervasive threats.
Produced By: Liz Stokes
Mixed By: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe