
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices


Jun 01, 2026 · 4 min read

A dangerous new Android banking trojan called OverlayPhantom has been quietly targeting users across ten countries, placing banking credentials, financial data, and cryptocurrency accounts at serious risk.

The malware has been active since May 2025 and spreads through malicious links disguised as downloads from trusted, well-known applications.

What makes OverlayPhantom particularly alarming is how it gets onto a device. It uses a two-stage infection process, starting with a dropper app that pretends to be either ID Austria, the official Austrian government identity application, or the popular platform TikTok.

Victims are tricked into installing what appears to be a routine system update, and from that point, the malware takes hold.

Analysts at Cyble Research and Intelligence Labs (CRIL) uncovered OverlayPhantom while investigating government-themed URL impersonation campaigns. 

Cyble said in a report shared with Cyber Security News (CSN) that the malware targets more than 180 banking, financial services, and cryptocurrency applications across the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom.

Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it nearly impossible for an average user to spot or remove.

OverlayPhantom’s targets (Source - Cyble)

From that position, it abuses Android’s Accessibility Service, a built-in feature designed to help users with disabilities, to take persistent control of the infected device.

The threat actor can then issue over 30 remote commands to manipulate the device without the victim ever noticing.

The breadth of its reach, paired with the technical sophistication behind its design, points to a financially motivated group running a large-scale fraud operation.

With over 180 targeted apps and victims spread across Western markets, OverlayPhantom is far from a small campaign.

Android Banking Trojan OverlayPhantom

The Accessibility Service abuse is what gives OverlayPhantom its real power over infected devices. Once the victim grants this permission, guided through a tutorial embedded in the dropper app, the malware connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122.

The C&C traffic is divided across three dedicated ports: port 9091 for issuing commands, port 9092 for device status updates, and port 9090 for live screen streaming.

This multi-port setup keeps communication reliable and harder to block. The malware uses Android’s MediaProjection API to stream the victim’s screen in near real time using JPEG compression, giving the attacker a live view of everything on the device.

The remote command set covers a wide range of actions. The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords.

Google Play Update lure to install OverlayPhantom (Source - Cyble)

These controls let the threat actor perform unauthorized transactions without the victim ever knowing.
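A defender-side example, added here and not part of Cyble's report or the malware itself: a small Python detector that refangs the reported C&C address and scans connection-log lines for either that address or the 9090/9091/9092 port triple described above. The log line format and the sample flows are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Defanged C&C address as reported; the three ports come from the report.
DEFANGED_C2 = "199.217[.]99[.]122"
C2_PORTS = {9090, 9091, 9092}  # screen stream, commands, status updates


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a live one.
    Do this only inside a controlled TI platform, as the report advises."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample flows (assumed format): "<ts> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = """\
2026-05-30T10:01:02Z 10.0.0.7:41022 -> 198.51.100.10:443
2026-05-30T10:01:09Z 10.0.0.7:41030 -> 199.217.99.122:9091
2026-05-30T10:01:10Z 10.0.0.7:41031 -> 199.217.99.122:9092
2026-05-30T10:01:15Z 10.0.0.7:41040 -> 199.217.99.122:9090
2026-05-30T10:02:00Z 10.0.0.9:50001 -> 203.0.113.5:9090
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_flows(text):
    """Parse log text into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["port"])))
    return flows


def find_c2_activity(flows, known_c2=frozenset({refang(DEFANGED_C2)})):
    """Return {src_ip: {dst_ip: [reasons]}} for sources that contact a known
    C&C address or fan out to the full 9090/9091/9092 port triple on one host."""
    ports_seen = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, port in flows:
        ports_seen[src][dst].add(port)
    hits = {}
    for src, dsts in ports_seen.items():
        for dst, ports in dsts.items():
            reasons = []
            if dst in known_c2:
                reasons.append("known OverlayPhantom C&C address")
            if C2_PORTS <= ports:
                reasons.append("full 9090/9091/9092 C&C port triple")
            if reasons:
                hits.setdefault(src, {})[dst] = reasons
    return hits
```

The port-triple rule catches a host talking to an as-yet-unlisted server that reuses the same three-port layout, which a plain IP match would miss.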

Overlay Attacks Targeting Banking and Cryptocurrency Apps

OverlayPhantom keeps a hardcoded list of target applications embedded in its code. When the victim opens a banking or financial app, the malware silently checks whether that app is on its list.

If there is a match, it pulls up a counterfeit HTML phishing page, renders it in a WebView layer, and places it over the legitimate application. The fake screen looks identical to the real one.

The victim enters credentials believing they are logging into their actual bank or crypto wallet. That data is instantly harvested and sent to the C&C server without leaving any visible sign of compromise.

This overlay technique is exactly what makes OverlayPhantom so effective and difficult for victims to detect.

Counterfeit HTML phishing pages in the APK file (Source - Cyble)

To stay protected, users should only download apps from official platforms like the Google Play Store and avoid clicking links received through SMS, email, or social media.

Granting Accessibility Service permissions to any unfamiliar app should be avoided at all costs. Enabling multi-factor authentication on banking and financial apps adds a critical extra layer of defense, even when credentials are stolen.

Keeping Android OS and installed apps regularly updated is equally important, as security patches often close the exact vulnerabilities that malware like OverlayPhantom exploits.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com

