OverlayPhantom Android Trojan Targets Global Banking Apps with Stealthy Tactics and Real-Time Device Control

OverlayPhantom: The Stealthy Android Trojan Threatening Global Banking Security

A formidable new Android banking trojan, dubbed OverlayPhantom, has been identified as a significant threat to users across ten countries, compromising banking credentials, financial data, and cryptocurrency accounts. Active since May 2025, this malware employs sophisticated techniques to infiltrate devices and execute unauthorized transactions without user awareness.

Infection Mechanism

OverlayPhantom utilizes a deceptive two-stage infection process. Initially, it presents itself as a legitimate application, such as ID Austria—the official Austrian government identity app—or the popular social media platform TikTok. Unsuspecting users are lured into downloading what appears to be a routine system update. Once installed, the malware masquerades as Google Play Services, effectively concealing its presence and making detection and removal challenging for the average user.

Global Reach and Targeted Applications

Analysts at Cyble Research and Intelligence Labs (CRIL) uncovered OverlayPhantom while investigating government-themed URL impersonation campaigns. The malware targets over 180 banking, financial services, and cryptocurrency applications across the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom. This extensive reach underscores the malware’s potential for widespread financial disruption.

Exploitation of Accessibility Services

A critical aspect of OverlayPhantom’s operation is its abuse of Android’s Accessibility Service—a feature designed to assist users with disabilities. By exploiting this service, the malware gains persistent control over the infected device. Victims are guided through a tutorial embedded in the dropper app to grant these permissions, unknowingly facilitating the malware’s full access.
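The abuse described above leaves a concrete, auditable trace on the device: the list of accessibility services the user has enabled. As an added example (not code from the report or from CRIL), the following Python audits the value of the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` returns as colon-separated `package/ServiceClass` entries, against an allowlist. The allowlist contents, the "trusted vendor" prefixes and the sample entries are assumptions constructed for the example; the flagged package name is a placeholder, not an indicator from the report.

```python
"""Audit enabled Android accessibility services against an allowlist.

Input: the string returned by
    adb shell settings get secure enabled_accessibility_services
Format: "pkg/ServiceClass:pkg2/ServiceClass2" (empty or "null" when none).
This is an added example; allowlist, prefixes and sample data are assumptions.
"""

# Assumed allowlist: services an organisation has explicitly approved.
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Packages that look like Google/AOSP components but are NOT allowlisted are
# treated as impersonation attempts, since the trojan poses as Google Play Services.
TRUSTED_VENDOR_PREFIXES = ("com.google.", "com.android.")
IMPERSONATION_TOKENS = ("google", "gms", "play")


def parse_enabled_services(raw):
    """Split the raw setting value into individual 'pkg/Class' entries."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def classify(entry):
    """Return 'allowed', 'suspicious-impersonation' or 'unknown' for one entry."""
    if entry in ALLOWLIST:
        return "allowed"
    pkg = entry.split("/", 1)[0].lower()
    looks_trusted = pkg.startswith(TRUSTED_VENDOR_PREFIXES)
    borrows_brand = any(tok in pkg for tok in IMPERSONATION_TOKENS)
    if looks_trusted or borrows_brand:
        # Carries a trusted vendor's name but is not an approved service.
        return "suspicious-impersonation"
    return "unknown"


def audit(raw):
    """Map every enabled service to its classification."""
    return {entry: classify(entry) for entry in parse_enabled_services(raw)}


def needs_review(raw):
    """Entries a responder should look at: anything not explicitly allowed."""
    return sorted(e for e, verdict in audit(raw).items() if verdict != "allowed")


# Constructed sample: TalkBack plus a placeholder dropper service whose package
# name borrows the 'gms' brand. The second entry is NOT a real indicator.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate.gms/com.example.sysupdate.gms.CoreService"
)

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_SETTING).items():
        print(f"{verdict:26} {entry}")
```

On a managed fleet the same check runs against the setting value collected by an MDM agent; the point is that an unexpected accessibility service, especially one trading on a trusted vendor's name, is the single most useful host-side signal for this class of trojan.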

Once permissions are granted, OverlayPhantom connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122. The C&C communication is structured across three dedicated ports:

– Port 9091: Issuing commands
– Port 9092: Device status updates
– Port 9090: Live screen streaming

This multi-port setup ensures reliable communication and complicates efforts to block the malware’s activities.
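Because the three channels share one host, the combination of destination address and the three ports is a high-confidence network indicator. As an added example (not code from the report), the following Python scans firewall log lines for connections to the reported C&C address and ports, labels each hit with the channel's role, and singles out sources that have touched all three ports, which is the strongest sign of a live implant rather than a stray probe. The `key=value` log format and the sample lines are constructed for the example; real firewall exports need their own parser.

```python
"""Flag outbound connections matching the OverlayPhantom C&C indicators.

Indicators taken from the report: host 199.217[.]99[.]122, ports 9091/9092/9090.
Log format (assumed, constructed for this example): "... src=A dst=B dport=N ...".
"""
import re
from dataclasses import dataclass

C2_IP = "199.217.99.122"  # from the report, written undefanged for matching
C2_PORTS = {
    9091: "command channel",
    9092: "device status updates",
    9090: "live screen streaming",
}

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


@dataclass
class Hit:
    src: str
    dport: int
    role: str


def defang(ip):
    """Render an address for safe inclusion in reports, e.g. 1.2[.]3[.]4 style."""
    parts = ip.split(".")
    return parts[0] + "." + "[.]".join(parts[1:])


def parse_line(line):
    """Extract (src, dst, dport) from a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_c2_hits(lines):
    """Return every connection to the C&C host, with the port's known role."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        src, dst, dport = parsed
        if dst == C2_IP:
            role = C2_PORTS.get(dport, "unknown port on C&C host")
            hits.append(Hit(src, dport, role))
    return hits


def devices_with_full_c2_profile(hits):
    """Sources seen on all three C&C ports: the strongest signal of an active implant."""
    ports_by_src = {}
    for h in hits:
        ports_by_src.setdefault(h.src, set()).add(h.dport)
    return sorted(src for src, ports in ports_by_src.items() if set(C2_PORTS) <= ports)


# Constructed sample log lines; 203.0.113.10 is a documentation-range address.
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z action=allow src=10.0.0.5 dst=199.217.99.122 dport=9091 proto=tcp",
    "2025-06-01T10:00:02Z action=allow src=10.0.0.5 dst=199.217.99.122 dport=9092 proto=tcp",
    "2025-06-01T10:00:03Z action=allow src=10.0.0.5 dst=199.217.99.122 dport=9090 proto=tcp",
    "2025-06-01T10:00:04Z action=allow src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp",
    "2025-06-01T10:00:05Z action=allow src=10.0.0.9 dst=199.217.99.122 dport=443 proto=tcp",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.src} -> {defang(C2_IP)}:{h.dport} ({h.role})")
    print("full C&C profile:", devices_with_full_c2_profile(hits))
```

Any contact with the host is worth a ticket, but the per-port roles let a responder tell a device that only reached the command port from one that is already streaming its screen, which changes how urgently the device needs to be isolated.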

Real-Time Device Manipulation

OverlayPhantom leverages Android’s MediaProjection API to stream the victim’s screen in near real-time using JPEG compression. This capability provides attackers with a live view of the device’s activities, enabling them to execute a wide range of commands remotely. These commands include simulating taps, swipes, and long presses; locking the screen; manipulating clipboard contents; displaying fake notifications; and launching overlay windows to capture PIN codes or passwords.

Such comprehensive control allows threat actors to perform unauthorized transactions seamlessly, without the victim’s knowledge.

Comparison with Other Android Banking Trojans

OverlayPhantom’s sophisticated approach places it among the most advanced Android banking trojans identified to date. For context, earlier families such as ToxicPanda and Frogblight have employed overlay attacks and social engineering tactics to steal banking credentials. However, OverlayPhantom’s integration of real-time screen streaming and extensive remote command capabilities represents a significant escalation in the threat landscape.

Mitigation Strategies

To protect against threats like OverlayPhantom, users are advised to:

1. Exercise Caution with Downloads: Only download applications from official and reputable sources, such as the Google Play Store.

2. Verify App Authenticity: Be wary of apps requesting excessive permissions or those that prompt for Accessibility Service access without clear justification.

3. Keep Software Updated: Regularly update your device’s operating system and applications to benefit from the latest security patches.

4. Utilize Security Solutions: Employ reputable mobile security software to detect and prevent malware infections.

5. Stay Informed: Remain vigilant about emerging threats and educate yourself on the latest cybersecurity practices.

Conclusion

OverlayPhantom exemplifies the evolving sophistication of cyber threats targeting mobile banking users. Its ability to exploit legitimate services for malicious purposes highlights the need for continuous vigilance and proactive security measures. By adopting robust cybersecurity practices, users can mitigate the risks posed by such advanced malware.