Introduction
In a troubling development for online security, the cybersecurity firm Cyble has discovered a sophisticated Android banking trojan called OverlayPhantom, which targets over 180 banking, finance, and cryptocurrency apps across ten countries.
Targeted Countries
This malware targets users in countries such as:
- The United States
- The United Kingdom
- Australia
- Germany
- France
- Belgium
- Finland
- The Netherlands
- Italy
- Spain
Method of Attack
The attack begins with a deceptive dropper application that masquerades as either the official Austrian government ID app or TikTok. Once a user installs it, OverlayPhantom disguises itself as Google Play Services and obtains elevated privileges through Android’s Accessibility Service, which lets it effectively control the compromised device.
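The two indicators in this paragraph, an app whose label impersonates a trusted brand under a different package name, and an app that declares an Accessibility Service while also holding the overlay permission, can be checked mechanically against an installed-app inventory. The following Python triage is an added example written for this page, not code from Cyble or from any analysis of the trojan; it assumes a constructed inventory record (the `InstalledApp` shape, the hypothetical package `com.example.update.svc`, and the installer labels are all assumptions), and it uses the genuine package names `com.google.android.gms` and `com.zhiliaoapp.musically` for the brands the dropper imitates.

```python
"""Triage an Android app inventory for the impersonation and privilege pattern
described for OverlayPhantom (added example; the inventory shape is assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Genuine package names behind the labels the dropper and payload imitate.
GENUINE_PACKAGES = {
    "google play services": "com.google.android.gms",
    "tiktok": "com.zhiliaoapp.musically",
}

# Permission that lets an app draw windows over other apps (fake overlays).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class InstalledApp:
    """One inventory record (constructed shape, not a real Android API)."""
    package: str
    label: str
    installer: Optional[str]            # "system", a store package, or None when sideloaded
    declares_accessibility_service: bool  # app ships a service protected by BIND_ACCESSIBILITY_SERVICE
    permissions: Set[str] = field(default_factory=set)


def triage(app: InstalledApp) -> List[str]:
    """Return human-readable findings for one app; empty list means nothing suspicious."""
    findings: List[str] = []

    # 1. Brand impersonation: label matches a trusted app but the package does not.
    genuine = GENUINE_PACKAGES.get(app.label.strip().lower())
    if genuine and app.package != genuine:
        findings.append(f"label '{app.label}' impersonates {genuine}")

    # 2. Control combo: accessibility service plus overlay drawing, as the trojan relies on.
    if app.declares_accessibility_service and OVERLAY in app.permissions:
        findings.append("declares an accessibility service and holds SYSTEM_ALERT_WINDOW")

    # 3. Only raise install provenance when something else already looks wrong,
    #    so ordinary sideloaded apps are not flagged on their own.
    if findings and app.installer is None:
        findings.append("sideloaded (no installer package recorded)")
    return findings


def find_suspects(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package name -> findings for every app with at least one finding."""
    return {app.package: triage(app) for app in apps if triage(app)}


# Constructed sample inventory: one genuine Google Play Services, one genuine TikTok,
# one legitimate accessibility app, and one hypothetical impersonator.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gms", "Google Play Services", "system", False, {OVERLAY}),
    InstalledApp("com.zhiliaoapp.musically", "TikTok", "com.android.vending", False, set()),
    InstalledApp("com.example.screenreader", "Screen Reader", "com.android.vending", True, set()),
    InstalledApp("com.example.update.svc", "Google Play Services", None, True, {OVERLAY}),
]

if __name__ == "__main__":
    for package, findings in find_suspects(SAMPLE_INVENTORY).items():
        print(package)
        for finding in findings:
            print("  -", finding)
```

The genuine Google Play Services record holds the overlay permission but declares no accessibility service, and the screen-reader record declares one without the overlay permission, so neither trips the combined check; only the hypothetical impersonator produces findings. Inventory of this shape can be collected by any MDM or device-audit tool; the heuristic is deliberately conservative and is a triage aid, not a verdict.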
Capabilities of OverlayPhantom
The malware can execute more than 30 commands sent by a remote operator. Its capabilities include:
- Real-time screen streaming
- Imitation overlays that appear as genuine app interfaces
- The ability to siphon sensitive data like passwords, usernames, crypto wallet phrases, and other critical user information through a command-and-control infrastructure
Deceptive Techniques
When OverlayPhantom detects that the victim is using an app from its predetermined list of targets, it launches a fake overlay designed to trick the user into entering confidential information. The malware also includes features that allow it to:
- Simulate user gestures
- Manipulate clipboard content
- Lock the user’s screen
- Generate misleading notifications
Cyble’s research indicates that it employs distinct command-and-control ports to manage commands, device status updates, and screen streaming.
Conclusion
Cyble asserts that OverlayPhantom has been operational since May 2025 and was identified amid investigations into URLs posing as official government sites. As financial security increasingly hinges on digital platforms, users must remain vigilant to protect their information from evolving cybersecurity threats.