OverlayPhantom Android Banking Trojan Targets 180+ Financial Apps Across 10 Countries


The Cyber Express
May 27, 2026

Why It Matters

The trojan’s blend of credential‑stealing overlays, real‑time screen streaming, and deep device control raises the risk of large‑scale financial fraud for both consumers and institutions, prompting urgent security upgrades across the mobile banking ecosystem.

Key Takeaways

  • OverlayPhantom targets 180+ banking, finance, and crypto apps in 10 countries.
  • The malware disguises itself as Google Play Services and abuses the Android Accessibility Service.
  • Phishing overlays launch fake login screens when the victim opens a targeted app.
  • Real-time screen streaming sends compressed JPEGs to the C2 server via port 9090.
  • Distribution uses malicious URLs mimicking government and social media apps.

Pulse Analysis

OverlayPhantom exemplifies the next evolution of Android banking malware, merging classic phishing tactics with advanced device‑control capabilities. While Android trojans have long leveraged social engineering to gain a foothold, this campaign distinguishes itself by impersonating high‑trust entities such as a national ID app and TikTok, dramatically increasing download rates. By exploiting the Accessibility Service, the malware obtains system‑wide permissions that let it monitor inputs, simulate gestures, and remain persistent even after users attempt removal. This approach reflects a broader trend where threat actors prioritize stealth and longevity over simple payload delivery.

Technically, OverlayPhantom operates through a multi‑port command‑and‑control architecture, assigning distinct ports for status reporting, command execution, and live screen streaming. The embedded WebView overlay launches counterfeit login pages that mirror legitimate banking interfaces, capturing credentials in real time. Simultaneously, the MediaProjection‑based streaming module compresses screen captures to JPEGs, transmitting them over a low‑bandwidth channel that evades many network‑based detections. The trojan’s ability to issue more than thirty remote commands—including clipboard manipulation, volume control, and fake notifications—turns a compromised phone into a remote fraud workstation, enabling attackers to bypass two‑factor authentication and other defenses.

For financial institutions and users, the emergence of OverlayPhantom signals a heightened need for layered mobile security. Enterprises should enforce strict app verification, monitor for unauthorized Accessibility Service usage, and deploy mobile threat defense solutions that can detect anomalous overlay behavior. End users must be educated to verify source URLs, avoid sideloading APKs, and scrutinize permission requests. As the malware’s authors continue to refine distribution lures and expand target lists, the threat landscape will likely see more hybrid attacks that blend credential harvesting with real‑time surveillance, demanding proactive, adaptive defenses across the mobile banking ecosystem.
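As an added illustration of the network-side monitoring recommended above, the following Python heuristic scores egress flow records for the pattern the analysis describes: a steady run of JPEG-prefixed payloads from one handset to one peer on the streaming port. This is example code written for this article, not code from the researchers or The Cyber Express; the flow-record format, sample data, addresses and thresholds are constructed assumptions, and the port is a parameter because only the reported value (9090) comes from the article.

```python
"""Flag OverlayPhantom-style screen streaming (steady JPEG frames to one peer) in egress flow records."""
from collections import defaultdict
from dataclasses import dataclass

STREAM_PORT = 9090                  # streaming port reported for OverlayPhantom; operators may change it
JPEG_SOI = bytes.fromhex("ffd8ff")  # JPEG start-of-image marker (FF D8 FF)


@dataclass(frozen=True)
class Finding:
    device: str
    dst: str
    frames: int
    fps: float
    jpeg_ratio: float


def detect_screen_streaming(flows, port=STREAM_PORT, min_frames=10,
                            min_fps=0.5, min_jpeg_ratio=0.8):
    """flows: iterable of (ts_seconds, device, dst_ip, dst_port, bytes_out, payload_head_hex).

    Groups outbound records per (device, dst) on the streaming port and flags peers that
    receive a sustained sequence of JPEG-prefixed payloads, which is what MediaProjection
    frame streaming looks like on the wire. Thresholds are constructed defaults, not tuned values.
    """
    groups = defaultdict(list)
    for ts, dev, dst, dport, _nbytes, head in flows:
        if dport == port:
            groups[(dev, dst)].append((ts, head))
    findings = []
    for (dev, dst), recs in groups.items():
        if len(recs) < min_frames:
            continue  # too few packets to call it a stream
        recs.sort()
        span = recs[-1][0] - recs[0][0]
        fps = len(recs) / span if span > 0 else float("inf")
        jpeg = sum(bytes.fromhex(h).startswith(JPEG_SOI) for _, h in recs) / len(recs)
        if fps >= min_fps and jpeg >= min_jpeg_ratio:
            findings.append(Finding(dev, dst, len(recs), round(fps, 2), round(jpeg, 2)))
    return findings


def sample_flows():
    """Constructed sample: one infected handset streaming a frame per second to a TEST-NET-2
    address, one chatty but non-JPEG app on the same port, and ordinary HTTPS traffic."""
    infected = [(t, "handset-17", "198.51.100.23", 9090, 18000 + 40 * t, "ffd8ffe000104a46") for t in range(12)]
    chatty = [(t, "handset-22", "198.51.100.40", 9090, 300, "7b2274797065223a") for t in range(12)]  # JSON '{"type":'
    https = [(t, "handset-17", "203.0.113.5", 443, 1200, "1603030045") for t in range(5)]
    return infected + chatty + https


if __name__ == "__main__":
    for f in detect_screen_streaming(sample_flows()):
        print(f"ALERT {f.device} -> {f.dst}:{STREAM_PORT} {f.frames} frames, {f.fps} fps, jpeg_ratio={f.jpeg_ratio}")
```

Only the infected handset is reported; the JSON-chatting app on the same port fails the JPEG ratio check and the HTTPS flows never reach the per-peer frame minimum.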

