OverlayPhantom Android Banking Trojan Targets 180+ Apps Across 10 Countries

dark6 2 June 2026

A dangerous new Android banking trojan called OverlayPhantom has been quietly targeting users across ten countries, placing banking credentials, financial data, and cryptocurrency accounts at serious risk. Active since May 2025, the malware spreads through malicious links disguised as legitimate application downloads, including fake updates for ID Austria (the official Austrian government identity app) and the popular platform TikTok.

How OverlayPhantom Infects Devices

OverlayPhantom uses a sophisticated two-stage infection process. The first stage involves a dropper app that masquerades as a routine system update. Victims are tricked into installing the dropper, after which the malware disguises itself as “Google Play Services,” making it nearly impossible for average users to spot or remove.

Once installed, the malware abuses Android’s Accessibility Service — a feature designed to assist users with disabilities — to gain persistent control of the infected device. Researchers at Cyble Research and Intelligence Labs (CRIL) uncovered OverlayPhantom while investigating government-themed URL impersonation campaigns, revealing that it targets more than 180 banking, financial services, and cryptocurrency applications across the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom.

Technical Capabilities and Command Infrastructure

After gaining Accessibility Service permission — guided via a tutorial built into the dropper — the malware connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122. Its C&C traffic is divided across three dedicated ports:

  • Port 9091 — for issuing commands
  • Port 9092 — for device status updates
  • Port 9090 — for live screen streaming via Android’s MediaProjection API

This multi-port setup keeps communication reliable and makes it harder to block. The attacker can issue over 30 remote commands to manipulate the device, including simulating taps, swipes, and long presses; locking the screen; manipulating clipboard contents; displaying fake notifications; and launching overlay windows to capture PIN codes or passwords.
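The three-port C&C layout above gives network defenders something concrete to look for. The script below is an added example (not code from the article, from Cyble, or from the malware) that scans flow records for connections to the reported C&C address and labels each hit with the port role the article describes; a device that touches two or more of the three documented ports is reported as a high-confidence match. The flow record format and every sample line are constructed for the example.

```python
"""
Network-side detection for the OverlayPhantom C&C pattern described above.
Added example (not code from the article, Cyble, or the malware); the flow
log format and all sample records are constructed.
"""
import ipaddress

# C&C address reported in the article (printed there defanged).
OVERLAYPHANTOM_C2_DEFANGED = "199.217[.]99[.]122"

# Port roles as reported in the article.
C2_PORT_ROLES = {
    9091: "command channel",
    9092: "device status updates",
    9090: "MediaProjection screen streaming",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (199.217[.]99[.]122) back to a usable address."""
    return indicator.replace("[.]", ".")


def parse_flow(line: str):
    """Parse one constructed flow record: '<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>'.

    Returns a dict, or None for lines that do not match the format.
    """
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, src, _, dst, proto, nbytes = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return {
            "ts": ts,
            "src": src_ip,
            "sport": int(src_port),
            "dst": dst_ip,
            "dport": int(dst_port),
            "proto": proto.lower(),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def classify(flow: dict):
    """Name the C&C role of a flow to the reported server, or None if unrelated."""
    if flow["dst"] != refang(OVERLAYPHANTOM_C2_DEFANGED):
        return None
    return C2_PORT_ROLES.get(flow["dport"], "unlisted port on C&C host")


def scan(lines):
    """Return (src, ts, dport, role) for every flow that reaches the C&C host."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        role = classify(flow)
        if role is not None:
            hits.append((flow["src"], flow["ts"], flow["dport"], role))
    return hits


def summarize(hits):
    """Map each internal source to the sorted list of C&C ports it contacted."""
    by_src = {}
    for src, _ts, dport, _role in hits:
        by_src.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in by_src.items()}


def high_confidence(summary):
    """Sources that used two or more of the three documented channels.

    A device contacting the command, status and streaming ports together
    matches the multi-port behaviour rather than a one-off scan or typo.
    """
    documented = set(C2_PORT_ROLES)
    return sorted(src for src, ports in summary.items()
                  if len(documented & set(ports)) >= 2)


# Constructed sample records; 10.0.0.0/8 and 203.0.113.0/24 are private/documentation ranges.
SAMPLE_FLOWS = [
    "2026-06-01T10:00:01Z 10.0.0.15:51234 -> 199.217.99.122:9091 TCP 412",
    "2026-06-01T10:00:02Z 10.0.0.15:51235 -> 199.217.99.122:9092 TCP 188",
    "2026-06-01T10:00:05Z 10.0.0.15:51240 -> 199.217.99.122:9090 TCP 98304",
    "2026-06-01T10:00:07Z 10.0.0.22:44001 -> 203.0.113.10:443 TCP 2048",
    "2026-06-01T10:00:09Z 10.0.0.31:40210 -> 199.217.99.122:8443 TCP 300",
    "not a flow record",
]

if __name__ == "__main__":
    found = scan(SAMPLE_FLOWS)
    for src, ts, dport, role in found:
        print(f"{ts} {src} -> :{dport} ({role})")
    print("high-confidence:", high_confidence(summarize(found)))
```

Matching on a single address and three ports is a narrow, IoC-driven rule and will go stale when the operators move infrastructure; the per-source summary is the more durable part, since it surfaces the pattern of one device holding a command, a status and a high-volume streaming session to the same host.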

Overlay Phishing: The Core Attack

What makes OverlayPhantom especially effective is its overlay attack capability. When a victim opens a banking or financial application, the malware silently checks whether that app is on its hardcoded target list. If there is a match, it pulls up a counterfeit HTML phishing page rendered in a WebView layer, placed directly over the legitimate application. The fake screen looks identical to the real one.

The victim enters credentials believing they are logging into their actual bank or crypto wallet. That data is instantly harvested and sent to the C&C server without leaving any visible sign of compromise. This overlay technique makes OverlayPhantom extremely difficult for victims to detect.

Scale and Attribution

The breadth of the campaign — more than 180 targeted applications, victims across ten Western markets — points to a financially motivated threat group running a large-scale fraud operation. The two distribution lures (ID Austria and TikTok) are carefully chosen to maximize reach across different demographics and geographies.

How to Protect Yourself

Security experts urge Android users to take the following protective steps:

  • Only download apps from the official Google Play Store; never install APKs from links received via SMS, email, or social media.
  • Never grant Accessibility Service permissions to unfamiliar applications.
  • Enable multi-factor authentication (MFA) on all banking and financial applications.
  • Keep the Android OS and all installed apps updated regularly, as security patches often close the vulnerabilities that malware like OverlayPhantom exploits.
  • Use a reputable mobile security solution capable of detecting overlay attacks.

Organizations should also deploy mobile device management (MDM) policies that restrict sideloading and enforce app vetting before deployment on corporate-owned devices. The combination of overlay phishing, remote device control, and sophisticated C&C infrastructure makes OverlayPhantom one of the more technically capable Android banking trojans observed in 2026.
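Two of the conditions above are checkable from a workstation: a package that did not come from the Play Store (the dropper arrives via a link, not the store) and an enabled accessibility service that nobody vetted. The script below is an added example, not code from the article or from Cyble, that parses the output of two standard Android commands, `pm list packages -3 -i` (third-party packages with their installer) and `settings get secure enabled_accessibility_services`, and reports both conditions. It runs against a live device over adb when one is attached and otherwise against the constructed sample output embedded in the file. The trusted-installer and allowed-service sets are assumptions to be replaced with an organisation's own baseline.

```python
"""
Host-side audit of an Android device for sideloaded packages and unvetted
accessibility services. Added example, not from the article or Cyble.
Uses two standard commands: `pm list packages -3 -i` and
`settings get secure enabled_accessibility_services`.
"""
import subprocess

# Assumption: installer packages treated as trusted app sources.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: accessibility packages an organisation has vetted (TalkBack here).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_installed(pm_output: str):
    """Parse 'package:<name>  installer=<installer>' lines into {package: installer}."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition(" ")
        installer = None
        rest = rest.strip()
        if rest.startswith("installer="):
            value = rest[len("installer="):]
            installer = None if value == "null" else value
        result[pkg] = installer
    return result


def sideloaded(installed):
    """Packages whose installer is unknown (null) or outside the trusted set."""
    return sorted(pkg for pkg, inst in installed.items() if inst not in TRUSTED_INSTALLERS)


def parse_accessibility(setting_output: str):
    """Split the colon-separated enabled_accessibility_services value into components."""
    value = setting_output.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def unvetted_accessibility(components):
    """Enabled accessibility components whose package is not on the allowlist."""
    return sorted(c for c in components if c.split("/", 1)[0] not in ALLOWED_ACCESSIBILITY)


def audit(pm_output: str, setting_output: str):
    """Combine both checks into one report dict."""
    return {
        "sideloaded": sideloaded(parse_installed(pm_output)),
        "unvetted_accessibility": unvetted_accessibility(parse_accessibility(setting_output)),
    }


def adb_shell(*args):
    """Run a command on the attached device via adb and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output in the format the two commands print.
SAMPLE_PM = """package:com.bank.example  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.socialclient  installer=com.android.vending
"""
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.sysupdate/.UpdateService\n"
)

if __name__ == "__main__":
    try:
        report = audit(adb_shell("pm", "list", "packages", "-3", "-i"),
                       adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
        source = "attached device"
    except (FileNotFoundError, subprocess.CalledProcessError):
        report = audit(SAMPLE_PM, SAMPLE_SETTING)
        source = "constructed sample"
    print(f"audit source: {source}")
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

A package that appears in both lists, installed outside the store and holding an enabled accessibility service, is exactly the footprint the dropper leaves after the built-in tutorial walks the victim through granting the permission. A null installer is also what a manually sideloaded APK reports, so the first list will include legitimate developer or enterprise installs; the allowlists exist to keep that noise down.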
