DarkReading

OverlayPhantom Android Banking Trojan Targets 180 Apps


A newly discovered Android banking trojan known as OverlayPhantom is raising concerns among cybersecurity researchers after evidence revealed that the malware is actively targeting banking, financial, and cryptocurrency users across multiple Western countries. 

The malware campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), demonstrates how modern threat actor groups are combining social engineering, remote device control, phishing overlays, and real-time surveillance capabilities into a single malicious framework. 

According to researchers, OverlayPhantom has been active since May 2025 and is currently targeting more than 180 applications across 10 countries, including the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom. The Android banking trojan is being distributed via malicious URLs that impersonate trusted applications, attempting to trick users into installing infected APK files. 

OverlayPhantom Uses Trusted Brands to Infect Victims 

The initial OverlayPhantom sample was discovered on a malicious domain distributing a fake version of ID Austria, the Austrian government’s official digital identity application. Researchers noted that the use of a government-themed lure increased the effectiveness of the malware campaign because victims are more likely to trust requests tied to identity verification or public services.

A second sample linked to the same threat actor impersonated TikTok and appeared to focus on users in Spain. The shift from a government application to a mainstream social media platform suggested that the operators behind OverlayPhantom are deliberately broadening their infection strategies to target both institutional trust and consumer familiarity.

CRIL researchers stated that the Android banking trojan employs a two-stage infection process. Victims initially download a dropper application that displays what appears to be a legitimate Google Play update screen. The fake update interface is designed to reduce suspicion and persuade users to continue the installation process.


The malware also includes a guided tutorial that instructs victims on how to enable Android Accessibility Service permissions — a critical step that grants the threat actor elevated access to the infected device.

Android Banking Trojan Abuses Accessibility Services

Once installed, OverlayPhantom disguises itself as “Google Play Services,” making the malicious application harder for users to detect or remove. Researchers said the Android banking trojan abuses Android’s Accessibility Service to monitor user activity, intercept inputs, simulate gestures, and maintain persistent device control. 
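Because the trojan's persistence rests on an Accessibility Service registered under a Google-looking label, the single most useful check on a suspect device is to list every enabled accessibility service and compare each one's package against the genuine package for its display label. The script below is an added example, not part of the Cyble report or this article: it parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/serviceclass` entries) together with a label-to-package inventory an analyst would collect separately. The sample setting value, the `com.zxq.updater` package name and the inventory mapping are constructed; the genuine package names for Google Play Services and Play Store are real.

```python
"""Audit enabled Android Accessibility Services and flag label impostors.

Added example (not from the Cyble report or the article). Input is the value of
`settings get secure enabled_accessibility_services` plus a label->package
inventory; all sample data below is constructed.
"""
from dataclasses import dataclass

# Constructed: what the secure setting returns on a device under review.
# Entries are colon-separated "package/serviceclass" pairs.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.zxq.updater/com.zxq.updater.AccService"
)

# Constructed: package -> app label, as dumped from the device or an MDM export.
# The impostor reuses the "Google Play Services" label the article describes.
INSTALLED_LABELS = {
    "com.google.android.gms": "Google Play Services",
    "com.google.android.marvin.talkback": "Android Accessibility Suite",
    "com.zxq.updater": "Google Play Services",   # constructed impostor
}

# Labels that belong to exactly one package on a stock device (real package names).
PROTECTED_LABELS = {
    "Google Play Services": "com.google.android.gms",
    "Google Play Store": "com.android.vending",
}

# Accessibility services the organisation has reviewed and accepted.
ALLOWLIST = {"com.google.android.marvin.talkback"}


@dataclass
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, service class) pairs."""
    pairs = []
    for entry in filter(None, setting.split(":")):
        pkg, _, svc = entry.partition("/")
        # Android's short component form ".Svc" means a class inside the package.
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def audit(setting: str, labels: dict[str, str], allowlist: set[str]) -> list[Finding]:
    """Report every enabled service that is not allowlisted; call out label spoofing."""
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        label = labels.get(pkg, "<unknown>")
        genuine = PROTECTED_LABELS.get(label)
        if genuine and genuine != pkg:
            findings.append(Finding(pkg, svc, f"label '{label}' impersonates {genuine}"))
        else:
            findings.append(Finding(pkg, svc, "accessibility service not on allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit(ENABLED_SERVICES, INSTALLED_LABELS, ALLOWLIST):
        print(f"{f.package} ({f.service}): {f.reason}")
```

Run against the constructed data it reports only `com.zxq.updater`, because its label claims to be Google Play Services while the genuine package for that label is `com.google.android.gms`. Any non-allowlisted service is still surfaced even when no label spoofing is detected, which is the right default for a fleet where accessibility access should be rare.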

The malware establishes communication with its command-and-control (C&C) infrastructure through the IP address hxxps://199.217[.]99[.]122 using three separate ports dedicated to different tasks: 

  • Port 9092 handles device status reporting
  • Port 9091 is used for command-and-control communication
  • Port 9090 supports screen streaming functionality

Researchers found that OverlayPhantom can execute more than 30 remote commands issued by the threat actor. These commands allow attackers to perform taps, swipes, and long presses, open recent apps, manipulate clipboard contents, raise or lower the volume, lock the screen, display fake notifications, and even launch fraudulent overlay windows designed to capture passwords or PINs.

The Android banking trojan also supports commands such as startStreamJpeg and stopStreamJpeg, enabling remote screen streaming sessions.

OverlayPhantom Conducts Advanced Overlay Attacks 

One of the most dangerous features of OverlayPhantom is its use of embedded HTML phishing overlays. The malware continuously monitors which applications are running in the foreground and compares them against a hardcoded target list embedded within the APK.

When a targeted banking or cryptocurrency application is opened, the Android banking trojan launches a counterfeit login page through an embedded WebView. Researchers said these phishing interfaces are carefully designed to visually match legitimate financial applications, making them difficult for victims to distinguish from the real apps.

From the user’s perspective, the fake login screen appears authentic. However, any credentials entered into the overlay are immediately harvested and transmitted back to the threat actor’s infrastructure. CRIL researchers noted that OverlayPhantom specifically targets banking, finance, and cryptocurrency platforms, reflecting a financially motivated operation focused on large-scale fraud.

Real-Time Screen Streaming Expands Threat Actor Capabilities 

OverlayPhantom also includes a built-in real-time screen streaming mechanism powered by Android’s MediaProjection API. When activated, the malware captures screen activity through a VirtualDisplay instance named “jpeg-stream” and continuously transmits compressed JPEG images back to the C&C server over port 9090. 

The captured output is resized to a fixed width of 540 pixels while preserving the original aspect ratio of the victim’s device. Researchers explained that JPEG compression helps reduce bandwidth usage while still giving the threat actor near real-time visibility into user activity. 

The malware also contains resilience mechanisms to maintain streaming sessions. If the connection drops or no image frames are available, OverlayPhantom pauses briefly before attempting reconnection. Once retry limits are exceeded, the malware disables the streaming session to avoid endless reconnection loops.
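The three-port C&C layout described earlier and the screen-streaming behaviour described here give a defender two complementary detections: an indicator match on the reported address with the port's role attached, and a behavioural rule for the streaming session itself, which shows up in flow data as a long-lived, upload-dominated connection on a non-web port carrying several frames per second. The script below is an added example, not code from the Cyble report or this article. The C&C address and the port roles (9092 status, 9091 commands, 9090 streaming) are the ones the article reports; the flow-record format, the device addresses, the non-C&C remote addresses and the detection thresholds are constructed assumptions to be tuned per environment.

```python
"""Flag OverlayPhantom-style C&C and screen-streaming traffic in flow records.

Added example, not from the Cyble report or the article. Runs over NetFlow-like
records from a mobile gateway or VPN egress. The C&C host and port roles are
the article's; the records and thresholds below are constructed.
"""
from dataclasses import dataclass

# Indicator from the article, refanged for matching.
C2_HOST = "199.217.99.122"
C2_PORT_ROLES = {
    9092: "device status reporting",
    9091: "command-and-control",
    9090: "screen streaming",
}


@dataclass
class Flow:
    src: str          # device address
    dst: str          # remote address
    dport: int
    duration_s: float
    bytes_out: int    # device -> remote
    bytes_in: int     # remote -> device
    pkts_out: int


def parse_flows(lines: list[str]) -> list[Flow]:
    """Parse whitespace-separated 'src dst dport duration bytes_out bytes_in pkts_out' records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, dur, bout, bin_, pout = line.split()
        flows.append(Flow(src, dst, int(dport), float(dur), int(bout), int(bin_), int(pout)))
    return flows


def match_known_c2(flows: list[Flow]) -> list[tuple[str, int, str]]:
    """IOC match: every flow to the reported C&C host, annotated with the port's role."""
    hits = []
    for f in flows:
        if f.dst == C2_HOST:
            hits.append((f.src, f.dport, C2_PORT_ROLES.get(f.dport, "unlisted port")))
    return hits


def find_streaming_flows(flows: list[Flow], min_duration=30.0, min_out_ratio=0.9,
                         min_fps=0.5) -> list[tuple[str, str, int, float]]:
    """Behavioural match independent of the IOC.

    A screen-streaming session is a long-lived flow in which the device pushes a
    JPEG frame several times a second and receives almost nothing back. Web
    ports are excluded to keep video calls and uploads out of the result; the
    thresholds are assumptions, not values from the report.
    """
    suspects = []
    for f in flows:
        total = f.bytes_out + f.bytes_in
        if total == 0 or f.duration_s < min_duration or f.dport in (80, 443):
            continue
        out_ratio = f.bytes_out / total
        frames_per_s = f.pkts_out / f.duration_s
        if out_ratio >= min_out_ratio and frames_per_s >= min_fps:
            suspects.append((f.src, f.dst, f.dport, round(out_ratio, 2)))
    return suspects


# Constructed records: web browsing, the three C&C ports, a streaming session to
# an unrelated address (caught only by the behavioural rule), and a large download.
SAMPLE_FLOWS = """
# src          dst             dport duration bytes_out bytes_in  pkts_out
10.20.0.15     142.250.0.10    443   12.0     4200      98000     40
10.20.0.15     199.217.99.122  9092  3.0      1200      300       6
10.20.0.15     199.217.99.122  9091  600.0    8000      6500      120
10.20.0.15     199.217.99.122  9090  180.0    5400000   12000     900
10.20.0.22     203.0.113.9     8443  240.0    3100000   9000      700
10.20.0.31     198.51.100.7    443   400.0    2000000   50000000  2500
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for src, port, role in match_known_c2(flows):
        print(f"IOC  {src} -> {C2_HOST}:{port} ({role})")
    for src, dst, port, ratio in find_streaming_flows(flows):
        print(f"BEHAVIOUR {src} -> {dst}:{port} upload ratio {ratio}")
```

On the constructed records the IOC rule returns the three C&C flows with their roles, while the behavioural rule flags the port 9090 session and the unrelated 8443 session but not the command channel on 9091, whose traffic is roughly symmetric, and not the large download on 443. Keeping the two rules separate matters in practice: the indicator will rot as infrastructure moves, whereas the upload-heavy, frame-paced shape of a streaming session does not.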

According to researchers, the operator can terminate screen streaming at any moment by issuing the stopStreamJpeg command.

Researchers Warn OverlayPhantom Threat May Expand 

Cybersecurity researchers described OverlayPhantom as a “mature and methodically engineered Android banking trojan” due to its combination of phishing overlays, Accessibility Service abuse, multi-port communication infrastructure, and remote device manipulation features.

While many of the individual techniques used by the malware are not entirely new, researchers warned that the coordinated integration of government impersonation, consumer application lures, credential theft overlays, and real-time surveillance capabilities makes this threat actor particularly dangerous.

The report concluded that the operational scale of OverlayPhantom — including its targeting of more than 180 applications across multiple countries — indicates that the Android banking trojan campaign may continue expanding in scope and sophistication in the coming months.

Security experts advised organizations and individuals in affected regions to treat OverlayPhantom as a high-priority threat due to its ability to silently harvest credentials, monitor device activity, and facilitate financial fraud without obvious signs of compromise.
