
OverlayPhantom

OverlayPhantom is an Android banking trojan identified by Cyble Research and Intelligence Labs (CRIL) and reported as active since May 2025. It is distributed via malicious URLs using a two-stage infection chain in which dropper apps impersonate trusted applications such as Austria’s ID Austria app and TikTok, then trick victims into installing a fake system or Google Play update. After installation, the malware masquerades as Google Play Services and abuses Android Accessibility Service for persistent, high-privilege control of infected devices.

The malware targets users in ten countries: the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom. It targets more than 180 banking, financial services, and cryptocurrency applications. OverlayPhantom monitors the foreground app and compares it against a hardcoded target list; when a targeted app is opened, it displays a counterfeit HTML phishing page in a WebView over the legitimate application to steal usernames, passwords, payment card details, and other credentials. Reported capabilities include more than 30 remote commands, simulated taps, swipes, long presses and other gestures, clipboard manipulation, fake notifications, screen locking, and custom overlay windows for PIN, password, or pattern capture.
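A device-side triage script, added here as an example and not code from Cyble, from the source reporting, or from Mallory, that checks for the two host artefacts described above: a third-party app labelled "Google Play Services" that does not live under Google's package namespaces, and an enabled accessibility service owned by a non-system package. It parses the text output of adb commands the analyst has already run, so it works offline; the package name com.example.playservices.update, the label data, the look-alike label list and the accessibility allowlist are assumptions constructed for this example, because the page does not name OverlayPhantom's actual package.

```python
"""
Host-side triage for OverlayPhantom-style abuse: an app presenting itself as
"Google Play Services" outside a Google package, and an enabled accessibility
service owned by a third-party package.  Parsers take adb output as strings.
"""
import re

# Package prefixes under which Google Play Services and other system
# components legitimately live on Android.
TRUSTED_PREFIXES = ("com.google.android.", "com.android.")

# Labels a user would read as "part of the platform". The write-up reports
# only "Google Play Services"; the other two are assumptions of this example.
SYSTEM_LOOKALIKE_LABELS = {"google play services", "google play", "android system update"}

# Accessibility services expected on a managed fleet (assumed allowlist).
A11Y_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}

# --- constructed samples --------------------------------------------------
# Shape of: adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/ServiceClass" entries, the real setting format).
# "com.example.playservices.update" is a hypothetical malicious package.
SAMPLE_ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playservices.update/.AccessService"
)

# Shape of: adb shell pm list packages -3   (third-party packages only)
SAMPLE_THIRD_PARTY = """\
package:com.example.playservices.update
package:com.zhiliaoapp.musically
org.mozilla.firefox
package:org.mozilla.firefox
"""

# Application labels as the analyst recorded them (for instance from
# `aapt dump badging` on pulled APKs), one "package=label" per line. Constructed.
SAMPLE_LABELS = """\
com.example.playservices.update=Google Play Services
com.zhiliaoapp.musically=TikTok
org.mozilla.firefox=Firefox
"""


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, class) pairs."""
    pairs = []
    for entry in setting.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # A class written as ".Foo" is relative to its package.
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs


def parse_package_list(text: str) -> set[str]:
    """Collect package names from `pm list packages` output ("package:<name>" lines)."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}


def parse_labels(text: str) -> dict[str, str]:
    """Parse "package=label" lines into a dict."""
    labels = {}
    for line in text.splitlines():
        pkg, sep, label = line.partition("=")
        if sep:
            labels[pkg.strip()] = label.strip()
    return labels


def triage(enabled_setting: str, third_party_text: str, labels_text: str) -> list[dict]:
    """Return one finding per suspicious package, listing every reason that fired."""
    third_party = parse_package_list(third_party_text)
    labels = parse_labels(labels_text)
    reasons = {}

    # Signal 1: a platform-looking label on a package outside the trusted namespaces.
    for pkg, label in labels.items():
        if label.lower() in SYSTEM_LOOKALIKE_LABELS and not pkg.startswith(TRUSTED_PREFIXES):
            reasons.setdefault(pkg, []).append(f"label '{label}' on non-system package")

    # Signal 2: an accessibility service enabled for a third-party, non-allowlisted package.
    for pkg, cls in parse_enabled_services(enabled_setting):
        if pkg in third_party and pkg not in A11Y_ALLOWLIST:
            reasons.setdefault(pkg, []).append(f"accessibility service enabled: {cls}")

    return [{"package": p, "reasons": r} for p, r in sorted(reasons.items())]


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_A11Y, SAMPLE_THIRD_PARTY, SAMPLE_LABELS):
        print(finding["package"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On a real device, replace the three sample strings with the output of the adb commands named in the comments; a package that trips both signals at once is the profile the write-up describes and should be pulled for hashing against the reported samples before it is uninstalled.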

OverlayPhantom also streams the victim's screen in near real time: it captures through Android's MediaProjection API into a VirtualDisplay named "jpeg-stream" and sends JPEG-compressed frames to the operator. Its command-and-control server is reported at 199.217[.]99[.]122, with traffic split across three ports: 9091 for command delivery, 9092 for device status reporting, and 9090 for the live screen stream. A reported delivery URL is hxxps://bitlrewards-app[.]com/api/download/IDAustria. Reported sample SHA-256 hashes are 9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775, f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb, and 8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a. The source assesses the campaign as financially motivated and aimed at large-scale fraud.
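A network-side hunt for the reported infrastructure, added here as an example and not code from the source reporting or from Mallory. It matches Zeek-style JSON conn.log and http.log records against the C2 IP, its three ports, the delivery URL and the three sample hashes listed above, and treats a single source that reaches all three ports within a short window as a stronger signal than any one connection, since the command, status and stream channels on one server are what distinguish this family's traffic. The log lines, the 10.0.0.x client addresses, the 203.0.113.5 benign destination, the hash inventory and the 300-second window are constructed assumptions for the example; the indicator values themselves are the ones the page reports.

```python
"""
Network hunt for the OverlayPhantom C2 profile: one server with commands on
9091, device status on 9092 and screen streaming on 9090, plus the delivery
host and sample hashes.  Input is Zeek-style JSON log text, constructed below.
"""
import json
from collections import defaultdict

# Indicators as reported in the source (kept defanged in prose; plain here for matching).
C2_IP = "199.217.99.122"
C2_PORTS = {9091: "command delivery", 9092: "device status", 9090: "screen stream"}
DELIVERY_HOST = "bitlrewards-app.com"
DELIVERY_PATH = "/api/download/IDAustria"
SAMPLE_SHA256 = {
    "9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775",
    "f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb",
    "8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a",
}

# Constructed Zeek conn.log (JSON output). 10.0.0.21 shows the full three-port
# pattern, 10.0.0.33 touches one port only, 10.0.0.40 is benign (TEST-NET-3 peer).
SAMPLE_CONN_LOG = """\
{"ts": 1700000000.0, "id.orig_h": "10.0.0.21", "id.resp_h": "199.217.99.122", "id.resp_p": 9091, "proto": "tcp"}
{"ts": 1700000002.5, "id.orig_h": "10.0.0.21", "id.resp_h": "199.217.99.122", "id.resp_p": 9092, "proto": "tcp"}
{"ts": 1700000030.0, "id.orig_h": "10.0.0.21", "id.resp_h": "199.217.99.122", "id.resp_p": 9090, "proto": "tcp"}
{"ts": 1700000100.0, "id.orig_h": "10.0.0.33", "id.resp_h": "199.217.99.122", "id.resp_p": 9092, "proto": "tcp"}
{"ts": 1700000150.0, "id.orig_h": "10.0.0.40", "id.resp_h": "203.0.113.5", "id.resp_p": 443, "proto": "tcp"}
"""

# Constructed Zeek http.log: the first record is the reported delivery URL.
SAMPLE_HTTP_LOG = """\
{"ts": 1699999900.0, "id.orig_h": "10.0.0.21", "host": "bitlrewards-app.com", "uri": "/api/download/IDAustria"}
{"ts": 1699999950.0, "id.orig_h": "10.0.0.40", "host": "example.org", "uri": "/index.html"}
"""

# Constructed (source, sha256) file inventory, e.g. an MDM/EDR export: one hit, one miss.
SAMPLE_FILE_HASHES = [
    ("10.0.0.21", "9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775"),
    ("10.0.0.40", "0000000000000000000000000000000000000000000000000000000000000000"),
]


def _records(log_text: str):
    """Yield parsed JSON records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def c2_hits(conn_log: str) -> list[dict]:
    """Connections to the reported C2 IP, annotated with the reported role of the port."""
    return [
        {"ts": r["ts"], "src": r["id.orig_h"], "port": r["id.resp_p"],
         "role": C2_PORTS.get(r["id.resp_p"], "unlisted port")}
        for r in _records(conn_log) if r["id.resp_h"] == C2_IP
    ]


def full_profile_hosts(hits: list[dict], window: float = 300.0) -> list[str]:
    """Sources that reached all three reported C2 ports within `window` seconds.

    A single port hit could be a scanner or a co-hosted service; the trojan's
    command + status + stream trio on one server within minutes is far more specific.
    """
    first_seen = defaultdict(dict)           # src -> {port: first ts}
    for h in hits:
        if h["port"] in C2_PORTS:
            first_seen[h["src"]].setdefault(h["port"], h["ts"])
    return sorted(
        src for src, seen in first_seen.items()
        if set(seen) == set(C2_PORTS) and max(seen.values()) - min(seen.values()) <= window
    )


def delivery_hits(http_log: str) -> list[str]:
    """Sources that fetched the reported dropper URL (host and path prefix must both match)."""
    return [
        r["id.orig_h"] for r in _records(http_log)
        if r.get("host") == DELIVERY_HOST and r.get("uri", "").startswith(DELIVERY_PATH)
    ]


def hash_hits(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(source, sha256) pairs whose hash matches a reported sample."""
    return [(src, h) for src, h in inventory if h.lower() in SAMPLE_SHA256]


if __name__ == "__main__":
    hits = c2_hits(SAMPLE_CONN_LOG)
    for h in hits:
        print(f"{h['src']} -> {C2_IP}:{h['port']} ({h['role']})")
    print("full C2 profile:", full_profile_hosts(hits))
    print("fetched dropper:", delivery_hits(SAMPLE_HTTP_LOG))
    print("known sample hash:", hash_hits(SAMPLE_FILE_HASHES))
```

To run it against real telemetry, read Zeek's JSON conn.log and http.log into the two log strings; the three-port correlation is the finding to page on, while a lone 9092 connection or a hash match is worth a ticket but not by itself proof of an active infection.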


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.001 Domains (evidence: 1)

OverlayPhantom, a new Android banking trojan spreading through malicious URLs.

Initial Access

1 technique
T1566 Phishing (evidence: 2)

If there is a match, it pulls up a counterfeit HTML phishing page, renders it in a WebView layer, and places it over the legitimate application.

Execution

3 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The threat actor can then issue over 30 remote commands to manipulate the device without the victim ever noticing.

T1204 User Execution (evidence: 1)

Victims are tricked into installing what appears to be a routine system update, and from that point, the malware takes hold.

T1204.001 Malicious Link (evidence: 1)

The malware has been active since May 2025 and spreads through malicious links disguised as downloads from trusted, well-known applications.

Persistence

1 technique
T1546.008 Accessibility Features (evidence: 2)

Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it nearly impossible for an average user to spot or remove. From that position, it abuses Android’s Accessibility Service, a built-in feature designed to help users with disabilities, to take persistent control of the infected device.

Privilege Escalation

1 technique
T1546.008 Accessibility Features (evidence: 2)

Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it nearly impossible for an average user to spot or remove. From that position, it abuses Android’s Accessibility Service, a built-in feature designed to help users with disabilities, to take persistent control of the infected device.

Defense Evasion

1 technique
T1036 Masquerading (evidence: 2)

It uses a two-stage infection process, starting with a dropper app that pretends to be either ID Austria, the official Austrian government identity application, or the popular platform TikTok.

Credential Access

1 technique
T1056 Input Capture (evidence: 1)

The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords.

Collection

3 techniques
T1056 Input Capture (evidence: 1)

The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords.

T1113 Screen Capture (evidence: 2)

The malware uses Android’s MediaProjection API to stream the victim’s screen in near real time using JPEG compression, giving the attacker a live view of everything on the device.

T1115 Clipboard Data (evidence: 1)

The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Once the victim grants this permission... the malware connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122. The C&C traffic is divided across three dedicated ports: port 9091 for issuing commands, port 9092 for device status updates, and port 9090 for live screen streaming.

T1071.001 Web Protocols (evidence: 1)

That data is instantly harvested and sent to the C&C server without leaving any visible sign of compromise.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

exfiltrate stolen credentials to a multi-port Command and Control (C&C) server.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Values are masked in the public table below; the indicators the source reports (the C2 IP and its three ports, the delivery URL, and three SHA-256 sample hashes) are given in the overview above.
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.

Type          Value                     Latest sighting
domain        (masked in public view)   21 days ago
uri           (masked in public view)   21 days ago
ip.v4         (masked in public view)   21 days ago
hash.sha256   (masked in public view)   26 days ago
hash.sha256   (masked in public view)   26 days ago
hash.sha256   (masked in public view)   26 days ago
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news.

cyber security news (News), Jun 1, 2026
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices

Android banking trojan that spreads via malicious links and a two-stage dropper masquerading as trusted apps, abuses Accessibility Service for persistent remote control, streams the victim screen via MediaProjection, and uses overlay phishing pages in WebView to steal banking, financial, and cryptocurrency credentials and facilitate unauthorized transactions.

gurucul threat research (News), May 28, 2026
OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight | Community Portal | Gurucul

Android banking trojan that spreads via malicious URLs and fake dropper apps, disguises itself as Google Play Services, abuses Accessibility Services for persistent device control, executes more than 30 remote commands, streams the screen in real time, performs overlay phishing using embedded HTML, and exfiltrates stolen credentials to a multi-port C2 server.

malware news (News), May 27, 2026
OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight - Malware News - Malware Analysis, News and Indicators

An Android banking trojan delivered via phishing URLs and a dropper app impersonating trusted applications. It abuses Android Accessibility Service for persistent control, performs overlay phishing against banking/financial/cryptocurrency apps, supports over 30 remote commands, streams the victim screen in near real time, and exfiltrates stolen credentials to its C2 infrastructure.

cyble blog (News), May 27, 2026
OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight

Android banking trojan delivered via phishing URLs and a dropper app impersonating trusted applications. It abuses Android Accessibility Service for persistent control, performs overlay phishing against banking/financial/cryptocurrency apps, supports over 30 remote commands, streams the victim screen in near real time, and exfiltrates stolen credentials to a multi-port C2 infrastructure.