An emerging threat known as the OverlayPhantom trojan is putting Android users at risk across ten countries by targeting banking credentials and cryptocurrency accounts. This malware, active since May 2025, is distributed via deceptive links disguised as downloads from reputable applications.
Two-Stage Infection Method
OverlayPhantom employs a sophisticated two-stage infection strategy. Initially, a dropper application masquerades as either the Austrian government’s ID Austria app or the popular TikTok platform. Users are deceived into installing what appears to be a routine update, allowing the malware to infiltrate the device.
Experts from Cyble Research and Intelligence Labs (CRIL) uncovered this malicious software during an investigation into URL impersonation campaigns. According to Cyble’s report shared with Cyber Security News, OverlayPhantom targets over 180 banking, financial, and cryptocurrency applications across countries including the United States and several in Europe.
Exploiting Accessibility Services
Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it difficult for users to notice. It abuses Android’s Accessibility Service, a feature designed to assist users with disabilities, to gain persistent control over the device. The attackers can issue over 30 remote commands to manipulate the device unnoticed.
This extensive reach and technical sophistication suggest a financially driven group behind the large-scale fraud operation. With a wide array of targeted applications, OverlayPhantom represents a significant threat in Western markets.
Phishing Techniques and Prevention
OverlayPhantom maintains a hardcoded list of targeted apps. When a user opens a financial app, the malware checks whether that app is on the list and, if so, displays a counterfeit HTML phishing page over the legitimate app. This overlay lets the malware capture login credentials and send them to its command-and-control server without alerting the user.
To mitigate risks, users should download apps only from official sources such as the Google Play Store and avoid clicking links from untrusted sources. It is crucial to deny Accessibility Service permissions to unfamiliar apps and enable multi-factor authentication for added security.
Regular updates to the Android operating system and installed applications are also vital in closing vulnerabilities that malware like OverlayPhantom exploits.
Indicators of compromise include specific URLs, IP addresses, and file hashes associated with OverlayPhantom, which should be monitored to detect and prevent infection. Users and organizations are encouraged to implement these protective measures to safeguard against this pervasive threat.