Particle.news

DoubleTrouble Banking Trojan Moves to Discord, Adds Real-Time Screen Recording and C2 Controls

Researchers warn that it uses Discord channels to deliver disguised APKs, abuses Android's accessibility services to stay hidden, and harvests banking, password-manager and crypto-wallet credentials.

Overview

  • The Trojan’s distribution has shifted from phishing websites to Discord-hosted APKs, enabling dynamic payload delivery through social media channels.
  • New features include real-time screen recording via MediaProjection APIs, fake lock screen overlays and advanced accessibility-based keylogging to capture sensitive input.
  • DoubleTrouble disguises itself with a Google Play icon and prompts users to enable Android’s accessibility services to evade detection and run stealthily in the background.
  • Attackers leverage a flexible command-and-control network to simulate taps and swipes, block apps, push phishing overlays and control system settings for targeted credential theft.
  • Active campaigns target European banking, password management and cryptocurrency wallet credentials, underscoring gaps in mobile security and the need for on-device protection and official app sourcing.
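Because the Trojan depends on the user enabling an accessibility service for a sideloaded app, one practical on-device check is to list which accessibility services are currently enabled and flag any whose package is not a known accessibility tool or was not installed from the Play Store. The script below is an added example (not from the report or from Particle.news). It assumes you have already captured the text output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and it parses those strings offline; the sample strings, the package name `com.example.sideloaded` and the allowlist are constructed for the example.

```python
"""Triage check for enabled Android accessibility services (added example).

Inputs are the captured text of:
  adb shell settings get secure enabled_accessibility_services
      -> colon-separated ComponentNames, e.g. "pkg/pkg.Service:pkg2/.Service"
  adb shell pm list packages -i
      -> one "package:<pkg>  installer=<installer>" line per package
"""

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample: a screen reader plus one sideloaded app using the
# ".Service" shorthand form of a ComponentName. Not real device output.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.AccService"
)

# Constructed sample of `pm list packages -i`; installer=null means the
# package was not installed by a store app (typically sideloaded).
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Allowlist of packages that legitimately need accessibility on this fleet
# (assumption: adjust to your own environment).
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Split the settings value into (package, fully-qualified service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset or no services enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):  # "pkg/.Cls" is shorthand for "pkg/pkg.Cls"
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw):
    """Map package name -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def triage(enabled_raw, packages_raw, known=KNOWN_ACCESSIBILITY_PACKAGES):
    """Return (package, service, reasons) for enabled services worth a closer look."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        reasons = []
        if pkg not in known:
            reasons.append("not an allowlisted accessibility app")
        installer = installers.get(pkg, "unknown")
        if installer != PLAY_STORE_INSTALLER:
            reasons.append(f"installer is {installer}, not the Play Store")
        if reasons:
            findings.append((pkg, svc, reasons))
    return findings


if __name__ == "__main__":
    for pkg, svc, reasons in triage(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"{pkg} ({svc}): {'; '.join(reasons)}")
```

A hit on both reasons (unknown package and a non-store installer) is the combination the report's infection chain produces: an APK fetched from a chat channel, then granted accessibility by the user. Remediation is the usual one, disable the service in Settings, uninstall the package, and rotate any credentials entered while it was active.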