Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
A new Android banking trojan dubbed OverlayPhantom is targeting users across ten countries by abusing Accessibility Services to steal credentials from over 180 financial applications.

A sophisticated Android banking trojan known as OverlayPhantom has been identified as a significant threat to mobile users, with activity dating back to May 2025. The malware, which targets users in the United States, Australia, Germany and several other European countries, uses a two-stage infection process. Attackers distribute links to a dropper that poses as legitimate software, such as the ID Austria government identity app or the TikTok social media app. Once a victim installs the dropper, it installs the actual payload, which presents itself as 'Google Play Services' so that it blends in with system components and is less likely to be recognised and removed by the user.
At the core of OverlayPhantom's functionality is the abuse of Android's Accessibility Service. The feature exists to assist users with disabilities, but an app that is granted it can read the content of other apps' screens and inject input on the user's behalf, which is what gives the malware deep, persistent control over the infected device. The malware walks the victim through a step-by-step tutorial to enable its accessibility service; once that is granted, it connects to a Command and Control (C&C) server at 199.217[.]99[.]122. The infrastructure uses a multi-port design, with separate ports for command execution, status reporting and live screen streaming, so that the attacker keeps a reliable link to the compromised device even while a screen stream is running.
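From the network side, the multi-port design described above is itself a detectable pattern: one device holding connections to a single external host on several distinct ports, one of which is unusually upload-heavy (a JPEG screen stream sends far more than it receives). The script below is an added example written for this article, not code from CRIL or from the malware. The flow records are constructed; the port numbers and byte counts are invented and the benign peers use TEST-NET addresses. The only indicator taken from the report is the C&C address 199.217.99.122.

```python
"""Flag devices that talk to one external host on several distinct ports,
the multi-port C&C pattern described in the article, and note when one of
those ports carries a screen-stream-sized outbound volume.

Added example, not code from the article, CRIL or the malware. Flow records
are constructed; ports and byte counts are invented."""
from collections import defaultdict

# Known C&C address from the report (written defanged in the text).
KNOWN_C2 = {"199.217.99.122"}

# Constructed flow records: (device, dst_ip, dst_port, bytes_out, bytes_in).
SAMPLE_FLOWS = [
    ("phone-01", "199.217.99.122", 4100, 1_200, 900),         # commands
    ("phone-01", "199.217.99.122", 4101, 400, 300),           # status reports
    ("phone-01", "199.217.99.122", 4102, 48_000_000, 2_000),  # screen stream
    ("phone-01", "203.0.113.10", 443, 50_000, 400_000),       # ordinary HTTPS
    ("phone-02", "203.0.113.10", 443, 30_000, 200_000),
    ("phone-02", "203.0.113.20", 443, 10_000, 80_000),
    ("phone-02", "203.0.113.20", 8443, 5_000, 20_000),
]


def flag_multiport_peers(flows, min_ports=3, stream_bytes=10_000_000):
    """Group flows by (device, peer) and return the peers a device talks to
    on at least `min_ports` distinct ports. Each hit records the ports, the
    total outbound bytes, whether a single port alone sent at least
    `stream_bytes` (screen-stream-like) and whether the peer is a known C&C."""
    per_peer = defaultdict(lambda: defaultdict(int))  # (device, ip) -> port -> bytes_out
    for device, ip, port, bytes_out, _bytes_in in flows:
        per_peer[(device, ip)][port] += bytes_out

    hits = {}
    for (device, ip), ports in per_peer.items():
        if len(ports) < min_ports:
            continue
        hits[(device, ip)] = {
            "ports": sorted(ports),
            "bytes_out": sum(ports.values()),
            "streaming": max(ports.values()) >= stream_bytes,
            "known_c2": ip in KNOWN_C2,
        }
    return hits


if __name__ == "__main__":
    for (device, ip), info in flag_multiport_peers(SAMPLE_FLOWS).items():
        print(f"{device} -> {ip}: ports={info['ports']} "
              f"streaming={info['streaming']} known_c2={info['known_c2']}")
```

Real traffic needs a higher bar than three ports to one peer (CDNs and QUIC fallbacks produce that too), so in practice the port-count condition is combined with the outbound-volume check and with session duration; the IOC match is only the confirmation step.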
The malware's capabilities are extensive, with over 30 distinct remote commands. Using the MediaProjection API, attackers stream the victim's screen in near real time as a sequence of JPEG frames, giving them a live view of device activity. The malware can also simulate user interactions such as taps, swipes and long presses, manipulate clipboard contents, display fake system notifications and lock the screen. Together these let the attacker carry out fraudulent transactions from the victim's own device and authenticated banking session, so the activity comes from hardware the bank already trusts, while locking the screen keeps it out of the victim's sight.
OverlayPhantom targets over 180 banking, financial services and cryptocurrency applications. When the user opens a targeted app, the accessibility service observes the window change (accessibility events carry the package name of the app that came to the foreground) and the malware silently draws a counterfeit HTML phishing page, rendered in a WebView, on top of it. Because the fake interface is visually identical to the legitimate application, victims enter their credentials, which are harvested and transmitted to the C&C server. This overlay technique remains one of the most effective methods of credential theft on Android.
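The capability set described in the preceding paragraphs (an accessibility service, the overlay permission, MediaProjection screen capture and the ability to install a second-stage package) is declared in an app's manifest, so a decoded AndroidManifest.xml is the quickest place to triage a suspicious APK. The script below is an added example written for this article, not code from CRIL or from the malware; it works on a manifest as produced by a decoder such as apktool. The manifest it parses is constructed, and its package and class names are invented rather than indicators from the report.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability set an
accessibility-abusing overlay trojan needs, plus an application label that
impersonates Google Play Services.

Added example, not code from the article or from CRIL. SAMPLE_MANIFEST is
constructed; the package and class names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PLAY_SERVICES_PKG = "com.google.android.gms"  # the only legitimate owner of that label

# Constructed decoded manifest, not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update.core">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Google Play Services">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection|dataSync"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name, a list of capability findings and a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {_attr(p, "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    findings = []

    # A real accessibility service is protected by BIND_ACCESSIBILITY_SERVICE
    # and advertises the AccessibilityService action; either is a strong marker.
    binds_a11y = any(_attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                     for s in services)
    a11y_action = any(_attr(a, "name") == "android.accessibilityservice.AccessibilityService"
                      for a in root.iter("action"))
    if binds_a11y or a11y_action:
        findings.append("accessibility_service")

    if "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        findings.append("overlay_permission")

    # Screen capture via MediaProjection needs a mediaProjection foreground
    # service on Android 14+; the type attribute may list several types with '|'.
    fgs_types = set()
    for s in services:
        value = _attr(s, "foregroundServiceType") or ""
        fgs_types.update(t.strip() for t in value.split("|") if t.strip())
    if "mediaProjection" in fgs_types or \
            "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in permissions:
        findings.append("media_projection")

    if "android.permission.REQUEST_INSTALL_PACKAGES" in permissions:
        findings.append("installs_packages")  # dropper behaviour

    app = root.find("application")
    label = (_attr(app, "label") or "") if app is not None else ""
    # Caveat: a label written as "@string/..." must first be resolved from res/values.
    if "google play services" in label.lower() and package != PLAY_SERVICES_PKG:
        findings.append("impersonates_play_services")

    if {"accessibility_service", "overlay_permission"} <= set(findings):
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An accessibility service or the overlay permission on its own is not malicious (screen readers, password managers and chat heads use them legitimately); the combination of both with a self-install capability and a system-component label is what should send the sample to a sandbox.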
Security researchers at Cyble Research and Intelligence Labs (CRIL) have emphasized defensive measures to mitigate this threat. Users are advised to install applications only from official sources such as the Google Play Store and to be cautious of links received via SMS, email or social media. In particular, users should not grant Accessibility Service access to any unfamiliar app: few legitimate apps need it, and an app that insists on it during setup is a warning sign. Android 13 and later also block sideloaded apps from enabling an accessibility service until the user allows 'restricted settings' for that app, so an app that asks the user to do this should be treated as hostile. Anyone who suspects an infection should review the list of enabled services under Settings > Accessibility for entries they do not recognise. Enabling multi-factor authentication on all financial accounts (preferably with a second factor that is not delivered to the same, possibly compromised, device) and keeping the Android operating system updated are critical steps in reducing the risk posed by OverlayPhantom and similar mobile threats.