OverlayPhantom is a mature Android banking trojan discovered in May 2025 that uses a two-stage infection chain to achieve persistent, high-privilege control of victim devices. The campaign begins with a dropper APK distributed via malicious URLs that impersonate high-trust lures—government identity apps and popular consumer platforms—to socially engineer users into installing the payload. Once installed, the payload requests and abuses Android’s Accessibility Service, then masquerades as a system component to evade detection and removal. The combination of social-engineering lures, Accessibility abuse, and embedded phishing overlays positions OverlayPhantom as a high-risk, financially motivated threat targeting retail banking and cryptocurrency users across multiple Western markets.

Technical Analysis
OverlayPhantom’s architecture is deliberately modular and resilient. The dropper stage presents a convincing fake Google Play update UI and an interactive tutorial that walks victims through enabling Accessibility permissions. After the payload installs, it registers itself under a system-like name and immediately establishes a socket-based connection to a remote Command and Control (C&C) server. The malware distributes its C&C traffic across three dedicated non-standard ports to separate responsibilities: device status reporting, command dispatch, and screen streaming. This separation avoids a single point of failure and simplifies operator workflows while complicating network detection.
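The trait combination described above (an Accessibility service, overlay and MediaProjection permissions, and a system-like label on a package that is not a Google or AOSP one) can be checked statically on a decoded manifest. The following triage script is an added example written for this article, not code from the report or the malware; the manifest, the package name and the label list are constructed assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the overlay-trojan traits in
the report. Added example; the manifest below is constructed, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SYSTEM_LABELS = {"google play services", "google play", "android system"}
SYSTEM_PKG_PREFIXES = ("com.google.android.", "com.android.")

# Constructed manifest (hypothetical package name) mimicking the reported traits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Google Play Services">
    <service android:name=".a11y.Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def _attr(element, name):
    # Manifest attributes live in the android: namespace; missing -> "".
    return element.get(f"{{{ANDROID_NS}}}{name}") or ""

def triage_manifest(xml_text):
    """Return the list of suspicious traits found, in a fixed order."""
    root = ET.fromstring(xml_text)
    package = root.get("package") or ""
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = _attr(app, "label").strip().lower() if app is not None else ""
    findings = []
    if any(_attr(s, "permission") == ACCESSIBILITY_PERM for s in root.iter("service")):
        findings.append("accessibility_service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay_permission")
    if "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms:
        findings.append("media_projection_fg_service")
    if label in SYSTEM_LABELS and not package.startswith(SYSTEM_PKG_PREFIXES):
        findings.append("system_label_masquerade")
    return findings

def is_high_risk(findings):
    # Accessibility + overlay together is the overlay-trojan core; the rest raises risk further.
    return {"accessibility_service", "overlay_permission"} <= set(findings)
```

Run it on the manifest produced by an APK decoder; a legitimate app can hold one of these permissions, so the verdict keys on the combination rather than any single trait.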

Command Set and Remote Control
The payload implements over 30 remote commands enabling fine-grained remote control. Commands include automated gesture simulation (tap, doubleTap, swipe, draw), UI navigation (openRecents, back, home), device state manipulation (switchOffScreen, blankScreen), clipboard injection (buf), and overlay-specific actions (pinj, notif). Operators can register devices with a BotID, reset injection lists, and toggle streams of Accessibility node information. This command breadth allows the actor to automate credential harvesting, simulate legitimate user interactions, and maintain stealthy persistence.
Overlay Attacks and Screen Streaming
OverlayPhantom bundles WebView-based HTML phishing pages inside the APK and maintains a hardcoded target list of over 180 banking, finance, and cryptocurrency applications. When a targeted app comes to the foreground, the malware renders the corresponding phishing page in an overlay window that is visually indistinguishable from the legitimate app. Credentials entered into these overlays are harvested and exfiltrated silently to the C&C infrastructure.
Screen exfiltration is implemented via a JPEG-based streaming pipeline using Android’s MediaProjection API. The malware creates a VirtualDisplay, captures frames via an ImageReader, resizes output to a fixed width to conserve bandwidth, compresses frames to JPEG, and streams them over TCP to the operator on a dedicated port. The streaming loop includes retry and backoff logic to handle socket failures and avoid indefinite reconnection attempts, giving operators near real-time visual access to victim activity with modest bandwidth usage.
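The streaming pipeline above leaves a network fingerprint: a steady run of JPEG-prefixed messages from one device to one non-standard TCP port. The detector below is an added example for this article, not the report's or the malware's code; it assumes each record carries the first bytes of a reassembled application message (so a frame boundary aligns with the record), and the addresses, ports and timestamps are constructed.

```python
"""Flag a device pushing a steady stream of JPEG frames to a non-standard TCP port,
the pattern of the screen-streaming pipeline in the report. Added example with
constructed records; it assumes raw JPEG frames with no length prefix."""
from collections import defaultdict

JPEG_SOI = b"\xff\xd8\xff"            # start-of-image marker that opens every JPEG
STANDARD_PORTS = {80, 443, 8080, 8443}  # assumption: ports treated as ordinary web traffic

# Constructed records: (timestamp_s, src, dst, dst_port, first_bytes_of_message)
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
RECORDS = [
    (0.0, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (0.2, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (0.4, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (0.6, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (0.8, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (1.0, "10.0.0.5", "203.0.113.9", 4443, JPEG_HEAD),
    (0.1, "10.0.0.7", "198.51.100.3", 443, b"\x16\x03\x03\x00\x5f"),  # ordinary TLS
    (5.0, "10.0.0.7", "203.0.113.9", 4443, JPEG_HEAD),                # a single frame
]

def detect_jpeg_streams(records, min_frames=5, max_span_s=10.0):
    """Return (src, dst, port) keys that sent at least min_frames JPEG-prefixed
    messages to one non-standard port within max_span_s seconds."""
    frames = defaultdict(list)
    for ts, src, dst, port, payload in records:
        if port in STANDARD_PORTS or not payload.startswith(JPEG_SOI):
            continue
        frames[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in frames.items():
        stamps.sort()
        # Sliding window: many frames in a short span is a live stream, not one upload.
        for i in range(len(stamps) - min_frames + 1):
            if stamps[i + min_frames - 1] - stamps[i] <= max_span_s:
                hits.append(key)
                break
    return hits
```

Tune min_frames and max_span_s to the frame rate you expect; a single JPEG upload to an odd port is common enough that the rate, not the marker alone, is what separates streaming from noise.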
Victimology and Impact
OverlayPhantom has been observed targeting users across 10 countries, including the United States, Australia, and multiple EU states, and is configured to target over 180 financial and crypto applications. The campaign’s use of both government and consumer lures indicates a deliberate distribution diversification strategy designed to maximize installation rates across different user demographics. The operational profile—multi-port C&C, embedded phishing overlays, Accessibility abuse, and real-time streaming—supports large-scale automated fraud, account takeover, and unauthorized transactions with minimal user-visible indicators.
Recommendations and Our Opinion
Recommendations
- Install apps only from trusted sources and avoid links from SMS, email, or social media.
- Deny Accessibility permissions to apps that do not explicitly require them for core functionality.
- Enable multi-factor authentication on all financial and crypto accounts.
- Use mobile security solutions with real-time scanning and behavior-based detection.
- Report suspicious activity to banks and authorities and consider a factory reset if compromise is suspected.
- Keep OS and apps updated to ensure security patches are applied promptly.
Our Opinion
OverlayPhantom exemplifies how incremental technical capabilities, when combined with sophisticated social engineering, produce outsized operational risk. The malware does not rely on a single novel exploit; instead, it fuses well-known techniques—dropper-based distribution, Accessibility Service abuse, embedded phishing overlays, and MediaProjection-driven screen capture—into a cohesive, scalable platform. This engineering approach lowers development complexity while maximizing impact: hardcoded overlays remove the need for dynamic phishing hosting, Accessibility abuse provides near-complete control of the UI, and JPEG streaming balances visibility with bandwidth efficiency. The actor’s choice of lures—government identity services and mainstream consumer apps—demonstrates an understanding of trust dynamics and user behavior, increasing the likelihood of successful installs. From a defensive standpoint, the campaign underscores the importance of minimizing unnecessary permissions, enforcing strict app provenance policies, and deploying behavioral detection that flags unusual Accessibility usage or persistent background services masquerading as system components. Financial institutions and platform providers should prioritize anomaly detection for session behavior and rapid revocation workflows for compromised credentials. In short, OverlayPhantom is a reminder that layered defenses—user education, platform hardening, and telemetry-driven detection—are essential to blunt modern mobile fraud campaigns.
Conclusion
OverlayPhantom is a methodically engineered Android banking trojan that combines social engineering, Accessibility Service abuse, embedded phishing overlays, and efficient screen streaming to enable large-scale financial fraud. Organizations and users in the affected geographies should treat this threat with urgency, applying the recommended mitigations and monitoring for indicators such as unexpected Accessibility permission grants, unknown services labeled as Google Play Services, and outbound connections to non-standard ports.
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
|---|---|---|
| hxxps://bitlrewards-app[.]com/api/download/IDAustria | URL | Distribution URL |
| 199.217[.]99[.]122 | IP | C&C server |
| 9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775 | FileHash-SHA256 | OverlayPhantom hash |
| f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb | FileHash-SHA256 | OverlayPhantom hash |
| 8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a | FileHash-SHA256 | OverlayPhantom hash |
