OverlayPhantom Exposes Vulnerabilities in 180+ Financial Apps Across 10 Countries
A newly identified Android banking trojan, dubbed OverlayPhantom, has emerged as a significant threat, targeting users in the banking, financial, and cryptocurrency sectors across various Western nations. This malware is raising alarms among cybersecurity experts due to its sophisticated methods and extensive reach.
The campaign, revealed by Cyble Research and Intelligence Labs (CRIL), illustrates how contemporary threat actor groups are merging social engineering techniques, remote device control, phishing overlays, and real-time surveillance into a single, potent malicious framework. Since its inception in May 2025, OverlayPhantom has been actively targeting over 180 applications across ten countries, including the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom. The trojan is disseminated through malicious URLs that masquerade as legitimate applications, tricking users into downloading infected APK files.
OverlayPhantom Uses Trusted Brands to Infect Victims
The initial sample of OverlayPhantom was discovered on a domain distributing a counterfeit version of ID Austria, the official digital identity application of the Austrian government. The researchers noted that leveraging a government-themed lure significantly enhanced the malware campaign’s effectiveness, as victims are more inclined to trust requests related to identity verification or public services.
Another sample associated with the same threat actor impersonated TikTok, targeting users in Spain. This strategic shift from a government application to a widely recognized social media platform indicates that the operators behind OverlayPhantom are intentionally broadening their infection tactics to exploit both institutional trust and consumer familiarity.
CRIL researchers have identified that the Android banking trojan employs a two-stage infection process. Initially, victims download a dropper application that presents a seemingly legitimate Google Play update screen. This deceptive interface is designed to minimize suspicion and encourage users to proceed with the installation.
The malware also includes a guided tutorial instructing victims on enabling Android Accessibility Service permissions, a crucial step that grants the threat actor elevated access to the compromised device.
Android Banking Trojan Abuses Accessibility Services
Once installed, OverlayPhantom camouflages itself as “Google Play Services,” making it difficult for users to detect or remove the malicious application. Researchers have indicated that the trojan exploits Android’s Accessibility Service to monitor user activity, intercept inputs, simulate gestures, and maintain persistent control over the device.
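Two device-side checks follow from this section: which packages hold Accessibility Service access, and whether anything other than the real Play Services package carries the label "Google Play Services". The script below is an added example written for this page, not code from CRIL or from the malware; the allowlist, the package names `com.example.*` and the sample inventory are constructed. On a real device the setting value would come from `adb shell settings get secure enabled_accessibility_services`.

```python
"""Triage helper (added example, not from the CRIL report): flag unexpected
Android accessibility services and label impersonation of Google Play Services.

Input 1: the value of the secure setting `enabled_accessibility_services`,
whose entries look like `package/ServiceClass` separated by colons.
Input 2: an app inventory of (package, label) pairs, e.g. from an MDM export.
"""

# Packages the organisation has reviewed and accepts holding accessibility
# access. The contents are an assumption for this example; TalkBack is the
# real Android screen reader package.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# The genuine Google Play Services package name on Android.
GENUINE_PLAY_SERVICES_PKG = "com.google.android.gms"


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, fully qualified service)."""
    pairs = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        # Android accepts the short form ".Service" relative to the package.
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def find_suspicious_services(setting_value: str,
                             allowlist=ALLOWED_ACCESSIBILITY_PACKAGES):
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting_value)
            if pkg not in allowlist]


def find_label_impersonation(inventory: list[dict]) -> list[str]:
    """Return packages whose display label claims to be Google Play Services
    but whose package name is not the genuine one."""
    hits = []
    for app in inventory:
        if (app["label"].strip().lower() == "google play services"
                and app["package"] != GENUINE_PLAY_SERVICES_PKG):
            hits.append(app["package"])
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.dropper/.AccessService"
)
SAMPLE_INVENTORY = [
    {"package": "com.google.android.gms", "label": "Google Play Services"},
    {"package": "com.example.dropper", "label": "Google Play Services"},
    {"package": "com.example.bank", "label": "Example Bank"},
]

if __name__ == "__main__":
    for pkg, svc in find_suspicious_services(SAMPLE_SETTING):
        print(f"[!] non-allowlisted accessibility service: {pkg} ({svc})")
    for pkg in find_label_impersonation(SAMPLE_INVENTORY):
        print(f"[!] label 'Google Play Services' on non-Google package: {pkg}")
```

The two findings reinforce each other: a package that both holds accessibility access and borrows the Play Services label matches the behaviour the article describes and should be pulled for analysis before it is uninstalled.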
The malware establishes communication with its command-and-control (C&C) infrastructure through the IP address hxxps://199.217[.]99[.]122, utilizing three distinct ports for various functions:
- Port 9092: Handles device status reporting
- Port 9091: Used for command-and-control communication
- Port 9090: Supports screen streaming functionality
Researchers have discovered that OverlayPhantom can execute over 30 remote commands issued by the threat actor. These commands enable attackers to perform actions such as taps, swipes, long presses, opening recent apps, manipulating clipboard contents, adjusting volume, locking screens, displaying fake notifications, and launching fraudulent overlay windows designed to capture passwords or PINs.
The trojan also supports commands like startStreamJpeg and stopStreamJpeg, facilitating remote screen streaming sessions.
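The three-port layout above is a usable network indicator: a single internal host reaching the reported address on 9092, 9091 and 9090 reproduces the full footprint, with the streaming port carrying disproportionate outbound volume. The script below is an added example for this page, not CRIL's tooling; it parses constructed key=value flow records (the log format, the internal addresses and the byte counts are all made up) and matches them against the address and port roles given in the article.

```python
"""Flow-log triage for the OverlayPhantom C&C footprint (added example, not
from the CRIL report). Log format below is constructed; real deployments would
adapt LOG_RE to their firewall or NetFlow export."""
import re
from collections import defaultdict

# Indicator from the report (published defanged as 199.217[.]99[.]122), refanged
# so it can be compared with log fields.
C2_HOST = "199.217.99.122"

# Port roles exactly as reported in the write-up.
C2_PORT_ROLES = {
    9092: "device status reporting",
    9091: "command and control",
    9090: "screen streaming",
}

FULL_FOOTPRINT = "full OverlayPhantom port footprint (9090/9091/9092)"
PARTIAL_FOOTPRINT = "partial match"

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_flow_line(line: str):
    """Parse one constructed flow record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def match_c2_flows(lines):
    """Return every flow to the reported C&C host, tagged with the port's role."""
    hits = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None or rec["dst"] != C2_HOST:
            continue
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dport": rec["dport"],
            "bytes": rec["bytes"],
            "role": C2_PORT_ROLES.get(rec["dport"], "unknown port on known C&C host"),
        })
    return hits


def summarize_by_source(hits):
    """Per internal source, say whether all three documented ports were contacted."""
    ports_seen = defaultdict(set)
    for h in hits:
        ports_seen[h["src"]].add(h["dport"])
    return {
        src: (FULL_FOOTPRINT if ports >= set(C2_PORT_ROLES) else PARTIAL_FOOTPRINT)
        for src, ports in ports_seen.items()
    }


# Constructed sample flows: one host shows the full three-port pattern with a
# large upload on the streaming port, one host only the C&C port, one is benign.
SAMPLE_FLOWS = [
    "2025-06-01T10:00:01Z src=10.0.0.12 dst=199.217.99.122 dport=9092 proto=tcp bytes=612",
    "2025-06-01T10:00:02Z src=10.0.0.12 dst=199.217.99.122 dport=9091 proto=tcp bytes=2048",
    "2025-06-01T10:00:05Z src=10.0.0.12 dst=199.217.99.122 dport=9090 proto=tcp bytes=1843200",
    "2025-06-01T10:01:00Z src=10.0.0.20 dst=199.217.99.122 dport=9091 proto=tcp bytes=512",
    "2025-06-01T10:01:30Z src=10.0.0.30 dst=203.0.113.5 dport=443 proto=tcp bytes=9000",
    "this line is deliberately malformed and is skipped",
]

if __name__ == "__main__":
    hits = match_c2_flows(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> :{h['dport']} ({h['role']}, {h['bytes']} bytes)")
    for src, verdict in summarize_by_source(hits).items():
        print(f"{src}: {verdict}")
```

Because the article gives only one address, the port-role table is the more durable part of this check: if the operators move hosts, a single internal device opening the same three ports to one new external address is still worth a look, and sustained volume on the streaming port is the field that separates surveillance from beaconing.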
OverlayPhantom Conducts Advanced Overlay Attacks
One of the most alarming features of OverlayPhantom is its use of embedded HTML phishing overlays. The malware continuously monitors which applications are active in the foreground and compares them against a hardcoded target list embedded within the APK.
When a targeted banking or cryptocurrency application is launched, the trojan activates a counterfeit login page through an embedded WebView. These phishing interfaces are meticulously crafted to visually mimic legitimate financial applications, making it challenging for victims to differentiate them from the authentic apps.
From the user’s perspective, the fake login screen appears genuine. However, any credentials entered into the overlay are immediately captured and sent back to the threat actor’s infrastructure. CRIL researchers have noted that OverlayPhantom specifically targets banking, finance, and cryptocurrency platforms, reflecting a financially motivated operation focused on large-scale fraud.
Real-Time Screen Streaming Expands Threat Actor Capabilities
OverlayPhantom also features a built-in real-time screen streaming mechanism powered by Android’s MediaProjection API. When activated, the malware captures screen activity through a VirtualDisplay instance named “jpeg-stream” and continuously transmits compressed JPEG images back to the C&C server over port 9090.
The captured output is resized to a fixed width of 540 pixels while maintaining the original aspect ratio of the victim’s device. Researchers have explained that JPEG compression reduces bandwidth usage while still providing the threat actor with near real-time visibility into user activity.
The malware incorporates resilience mechanisms to sustain streaming sessions. If the connection drops or no image frames are available, OverlayPhantom pauses momentarily before attempting reconnection. Once retry limits are reached, the malware disables the streaming session to prevent endless reconnection loops. The operator can terminate screen streaming at any time by issuing the stopStreamJpeg command.
Researchers Warn OverlayPhantom Threat May Expand
Cybersecurity researchers have characterized OverlayPhantom as a “mature and methodically engineered Android banking trojan” due to its combination of phishing overlays, Accessibility Service abuse, multi-port communication infrastructure, and remote device manipulation capabilities.
While many of the individual techniques employed by the malware are not entirely novel, researchers caution that the coordinated integration of government impersonation, consumer application lures, credential theft overlays, and real-time surveillance features renders this threat actor particularly perilous.
The operational scale of OverlayPhantom—targeting more than 180 applications across multiple countries—suggests that the Android banking trojan campaign may continue to expand in both scope and sophistication in the coming months. Security experts have advised organizations and individuals in affected regions to regard OverlayPhantom as a high-priority threat due to its capacity to silently harvest credentials, monitor device activity, and facilitate financial fraud without obvious signs of compromise.
Source: thecyberexpress.com