CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

A dangerous new Android banking trojan called OverlayPhantom has been quietly targeting users across ten countries, placing banking credentials, financial data, and cryptocurrency accounts at serious risk. The malware has been active since May 2025 and spreads through malicious links disguised as downloads from trusted, well-known applications. What makes OverlayPhantom particularly alarming is how it […] The post Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices By Tushar Subhra Dutta June 1, 2026 A dangerous new Android banking trojan called OverlayPhantom has been quietly targeting users across ten countries, placing banking credentials, financial data, and cryptocurrency accounts at serious risk. The malware has been active since May 2025 and spreads through malicious links disguised as downloads from trusted, well-known applications. What makes OverlayPhantom particularly alarming is how it gets onto a device. It uses a two-stage infection process, starting with a dropper app that pretends to be either ID Austria, the official Austrian government identity application, or the popular platform TikTok. Victims are tricked into installing what appears to be a routine system update, and from that point, the malware takes hold. Analysts at Cyble Research and Intelligence Labs (CRIL) uncovered OverlayPhantom while investigating government-themed URL impersonation campaigns.  Cyble said in a report shared with Cyber Security News (CSN) that the malware targets more than 180 banking, financial services, and cryptocurrency applications across the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom. Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it nearly impossible for an average user to spot or remove. OverlayPhantom’s targets (Source – Cyble) From that position, it abuses Android’s Accessibility Service, a built-in feature designed to help users with disabilities, to take persistent control of the infected device. The threat actor can then issue over 30 remote commands to manipulate the device without the victim ever noticing. The breadth of its reach, paired with the technical sophistication behind its design, points to a financially motivated group running a large-scale fraud operation. With over 180 targeted apps and victims spread across Western markets, OverlayPhantom is far from a small campaign. Android Banking Trojan OverlayPhantom The Accessibility Service abuse is what gives OverlayPhantom its real power over infected devices. Once the victim grants this permission, guided through a tutorial embedded in the dropper app, the malware connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122. The C&C traffic is divided across three dedicated ports: port 9091 for issuing commands, port 9092 for device status updates, and port 9090 for live screen streaming. This multi-port setup keeps communication running reliably and harder to block. The malware uses Android’s MediaProjection API to stream the victim’s screen in near real time using JPEG compression, giving the attacker a live view of everything on the device. The remote command set covers a wide range of actions. The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords. Google Play Update lure to install OverlayPhantom (Source – Cyble) These controls let the threat actor perform unauthorized transactions without the victim ever knowing. Overlay Attacks Targeting Banking and Cryptocurrency Apps OverlayPhantom keeps a hardcoded list of target applications embedded in its code. When the victim opens a banking or financial app, the malware silently checks whether that app is on its list. If there is a match, it pulls up a counterfeit HTML phishing page, renders it in a WebView layer, and places it over the legitimate application. The fake screen looks identical to the real one. The victim enters credentials believing they are logging into their actual bank or crypto wallet. That data is instantly harvested and sent to the C&C server without leaving any visible sign of compromise. This overlay technique is exactly what makes OverlayPhantom so effective and difficult for victims to detect. Counterfeit HTML phishing pages in the APK file (Source – Cyble) To stay protected, users should only download apps from official platforms like the Google Play Store and avoid clicking links received through SMS, email, or social media. Granting Accessibility Service permissions to any unfamiliar app should be avoided at all costs. Enabling multi-factor authentication on banking and financial apps adds a critical extra layer of defense, even when credentials are stolen. Keeping Android OS and installed apps regularly updated is equally important, as security patches often close the exact vulnerabilities that malware like OverlayPhantom exploits. Indicators of Compromise (IoCs):- Type Indicator Description URL hxxps://bitlrewards-app[.]com/api/download/IDAustria Distribution URL used to spread OverlayPhantom IP 199.217[.]99[.]122 C&C server IP address File Hash (SHA-256) 9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775f OverlayPhantom malware sample hash File Hash (SHA-256) 8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb8d OverlayPhantom malware sample hash File Hash (SHA-256) dc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a OverlayPhantom malware sample hash Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Cloud Atlas APT Group Modifies termsrv.dll to Enable Multiple RDP Sessions on Victim Hosts GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks Google Employee Charged for Making $1.2 Million With Confidential Information GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains Latest News Cyber Security News Attackers Abuse Docker and Kubernetes Misconfigurations to Compromise Host Systems Cyber Security News SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware Cyber Attack News Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware Cyber Security News Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection Cyber Security News SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗