A new Android banking trojan is targeting more than 180 banking, financial and cryptocurrency applications across 10 countries.
The cybersecurity firm Cyble says the malware is called OverlayPhantom and is being distributed through malicious URLs that impersonate trusted applications.
Cyble says the malware uses a two-stage infection chain, beginning with a dropper app that has impersonated ID Austria, Austria’s official government identity application, and TikTok. Once installed, OverlayPhantom disguises itself as Google Play Services and abuses Android’s Accessibility Service to gain elevated control over the infected device.
The malware targets banking, financial and cryptocurrency apps in the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain and the United Kingdom.
The firm says OverlayPhantom can execute more than 30 remote commands, conduct real-time screen streaming, display fake overlays and exfiltrate harvested credentials through command-and-control infrastructure.
The malware monitors the victim’s foreground applications and checks whether the app is included in its hardcoded target list. When a match is found, it displays a fake WebView overlay designed to resemble the legitimate application. Those overlays can capture usernames, passwords, card details, PINs and other sensitive information.
According to Cyble, the malware can also simulate gestures, manipulate clipboard content, lock the device screen and display fake notifications. The report says OverlayPhantom uses separate command-and-control ports for command dispatch, device status reporting and screen streaming.
Cyble says the malware has been active since May 2025 and was uncovered during an investigation into government-themed URL impersonation.
Follow us on X, Facebook and Telegram
Don’t Miss a Beat – Subscribe to get email alerts delivered directly to your inbox
Surf The Daily Hodl Mix
Generated Image: Midjourney
