Cybersecurity firm Cyble has identified a new Android banking trojan called OverlayPhantom that targets more than 180 banking, financial and cryptocurrency applications across 10 countries. The malware has been active since May 2025 and was uncovered during an investigation into government-themed URL impersonation. OverlayPhantom is distributed through malicious URLs that impersonate trusted applications and uses a two-stage infection chain beginning with a dropper app that has impersonated ID Austria, Austria's official government identity application, and TikTok.
OverlayPhantom Uses Two-Stage Infection Chain to Gain Device Control
Cyble says the malware uses a two-stage infection chain that begins with a dropper app impersonating trusted applications. Once installed, OverlayPhantom disguises itself as Google Play Services and abuses Android's Accessibility Service to gain elevated control over the infected device. The malware was distributed through malicious URLs that impersonated ID Austria, Austria's official government identity application, and TikTok.
Malware Targets Banking and Crypto Apps in 10 Countries
The malware targets banking, financial and cryptocurrency apps in the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain and the United Kingdom. According to Cyble, OverlayPhantom monitors which application is in the foreground on the victim's device and checks whether that app appears in its hardcoded target list.
OverlayPhantom Executes 30+ Remote Commands and Displays Fake Overlays
Cyble says OverlayPhantom can execute more than 30 remote commands, conduct real-time screen streaming, display fake overlays and exfiltrate harvested credentials through command-and-control infrastructure. When a match is found with a targeted app, the malware displays a fake WebView overlay designed to resemble the legitimate application. Those overlays can capture usernames, passwords, card details, PINs and other sensitive information. According to Cyble, the malware can also simulate gestures, manipulate clipboard content, lock the device screen and display fake notifications. The report says OverlayPhantom uses separate command-and-control ports for command dispatch, device status reporting and screen streaming.
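The two behaviours described above that a defender can check for on a device are an unexpected app holding an enabled Accessibility Service and an app whose display name mimics Google Play Services but whose package name is not Google's. The triage script below is an added example, not code from Cyble's report; it parses a constructed sample of the `enabled_accessibility_services` setting (the colon-separated `package/service` format Android uses) and a constructed package-to-label table, and the non-Google package names in it are invented. It assumes the impersonation shows up as a mismatched app label, which the article does not spell out.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# as it might look on a suspect device. com.gms.update.service is an invented name.
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.gms.update.service/com.gms.update.service.AccessService"
)

# Constructed package -> app label table, as one would assemble from
# `adb shell pm list packages` plus each APK's label (e.g. via aapt).
SAMPLE_LABELS = {
    "com.google.android.gms": "Google Play Services",
    "com.android.talkback": "Android Accessibility Suite",
    "com.gms.update.service": "Google Play Services",   # impostor label
    "com.example.bank": "Example Bank",
}

# Packages that legitimately run accessibility services on many devices (assumed allowlist).
ACCESSIBILITY_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}

# The genuine Google Play Services package; any other package carrying that label is suspect.
GMS_PACKAGE = "com.google.android.gms"


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/service' list into (package, service) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # skip empty entries and malformed fragments
        pkg, svc = entry.split("/", 1)
        pairs.append((pkg, svc))
    return pairs


def find_suspect_packages(raw_services: str, labels: dict[str, str]) -> dict[str, list[str]]:
    """Return {package: [reasons]} for packages that deserve a closer look."""
    findings: dict[str, list[str]] = {}
    # Check 1: enabled accessibility services from packages outside the allowlist.
    for pkg, svc in parse_enabled_services(raw_services):
        if pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.setdefault(pkg, []).append(f"unexpected accessibility service {svc}")
    # Check 2: apps whose label mimics Google Play Services under a different package name.
    for pkg, label in labels.items():
        if "google play services" in label.lower() and pkg != GMS_PACKAGE:
            findings.setdefault(pkg, []).append(f"label '{label}' but package is not {GMS_PACKAGE}")
    return findings


if __name__ == "__main__":
    for pkg, reasons in find_suspect_packages(SAMPLE_ENABLED_SERVICES, SAMPLE_LABELS).items():
        print(pkg, "->", "; ".join(reasons))
```

On a real device, feed the script the actual `settings get secure` output and a label table built from the installed APKs; a package flagged by both checks is a strong candidate for offline analysis.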
FAQ
What is OverlayPhantom and when was it discovered?
OverlayPhantom is a new Android banking trojan identified by cybersecurity firm Cyble. The malware has been active since May 2025 and was uncovered during an investigation into government-themed URL impersonation.
How does OverlayPhantom infect devices?
OverlayPhantom is distributed through malicious URLs that impersonate trusted applications. The malware uses a two-stage infection chain beginning with a dropper app that has impersonated ID Austria, Austria's official government identity application, and TikTok. Once installed, it disguises itself as Google Play Services and abuses Android's Accessibility Service to gain elevated control over the infected device.
Which countries and apps does OverlayPhantom target?
The malware targets more than 180 banking, financial and cryptocurrency applications across 10 countries: the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain and the United Kingdom.