

When malware plays pretend. [Research Saturday]
Aug 9, 2025
Nicolás Chiaraviglio, Chief Scientist at Zimperium's zLabs, specializes in malware detection and analysis. He walks through the 'DoubleTrouble' mobile banking trojan: how it has evolved, how it is now distributed (malicious APKs pushed through Discord, among other channels), and its screen-recording and keylogging capabilities. He also covers how Zimperium detects it and what users and organizations can do to reduce mobile banking risk as these threats keep changing.
AI Snips
Discovery Led By ML Detection
- Zimperium's zLabs used machine-learning telemetry to surface unusual samples and found about 35 variants tied to the same campaign.
- They tracked those samples over time to observe the malware's evolution and behavior changes.
Screen Recording Evades Overlay Detectors
- DoubleTrouble captures the screen frame by frame (on Android this means the MediaProjection screen-capture permission) and reconstructs what the user typed and tapped, including credentials, from the recording.
- Because it never draws a fake login window over the real app, detection that looks for overlay windows or abuse of the SYSTEM_ALERT_WINDOW permission does not fire; it steals pixels rather than hijacking UI elements. One practical counter: a banking app that sets FLAG_SECURE on its sensitive windows is excluded from MediaProjection capture, so those frames come back black.
From Phishing Sites To Dynamic Droppers
- Distribution shifted from phishing pages impersonating individual banks to malicious APKs hosted across many repositories and channels, which widens the pool of potential victims.
- Newer samples use session-based droppers: the dropper streams the payload from memory into an Android PackageInstaller session instead of writing an APK to storage first, so file-based scanners never see the payload before it is installed. The installed package still exists on the device afterwards, and the system records the dropper as its installer.
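A quick triage check that follows from the last point, added here as an example and not taken from the episode or from Zimperium's tooling: when a dropper installs its payload through a PackageInstaller session, Android records the dropper's package name as the payload's installer, which `adb shell pm list packages -3 -i` exposes. The script below parses that output and flags third-party packages whose installer is not a trusted store, or that have no recorded installer at all. The package names and the sample output are constructed for the example; the trusted-installer list is an assumption to adjust per fleet (OEM stores, MDM agents).

```shell
#!/bin/sh
# Added example: triage `adb shell pm list packages -3 -i` output for packages installed
# by something other than a trusted store. A session-based dropper ends up recorded as the
# installer of its payload, so the payload surfaces here even though no APK was ever
# written to storage where a file scanner could see it.

# Constructed sample output (not a real capture). On a device, replace with:
#   adb shell pm list packages -3 -i
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sessiondrop  installer=null
package:com.example.payload  installer=com.example.sessiondrop
package:com.example.devtool  installer=null'

# Assumption: only Play and the platform installer are legitimate on this fleet.
# Extend with OEM stores or an MDM agent as appropriate.
TRUSTED_INSTALLERS='com.android.vending com.google.android.packageinstaller'

is_trusted_installer() {
    for t in $TRUSTED_INSTALLERS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Reads pm output on stdin; prints one "<package> <reason>" line per flagged entry.
flag_untrusted_installs() {
    while IFS= read -r line; do
        case $line in package:*) ;; *) continue ;; esac
        # Fields are "package:<name>" and "installer=<name|null>", whitespace separated.
        set -- $line
        pkg=${1#package:}
        inst=${2#installer=}
        [ -n "$inst" ] || inst=null
        if [ "$inst" = "null" ]; then
            # Sideloaded (adb, file manager, ...): no installer recorded.
            printf '%s no-recorded-installer\n' "$pkg"
        elif ! is_trusted_installer "$inst"; then
            # Installed by another app: the dropper-to-payload pattern.
            printf '%s installed-by:%s\n' "$pkg" "$inst"
        fi
    done
}

# Runs the check over the constructed sample so the script works stand-alone.
triage_sample() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_untrusted_installs
}

triage_sample
```

On a live device, pipe the real command into `flag_untrusted_installs` and treat an `installed-by:` hit whose installer is itself flagged (here `com.example.sessiondrop`, sideloaded and then acting as an installer) as the strongest signal; a lone `no-recorded-installer` entry may just be a developer build.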