Cyble Research and Intelligence Labs (CRIL) has identified a novel Android banking trojan, dubbed OverlayPhantom, actively distributed in the wild via

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

Cyble Research and Intelligence Labs has uncovered OverlayPhantom, a new Android banking trojan active since May 2025. It uses a two-stage infection chain: a dropper impersonating trusted apps (Austria's ID Austria government app and TikTok) tricks users into installing the payload, which then masquerades as Google Play Services. The malware abuses Android's Accessibility Service to gain persistent device control, supports 30+ remote commands, performs WebView-based HTML overlay attacks against 180+ banking and crypto apps across 10 countries, and streams the victim's screen in real-time via JPEG using the MediaProjection API. C&C traffic is split across three non-standard ports (9090–9092). IOCs including distribution URLs, C&C IP, and SHA256 hashes are provided.

OverlayPhantom-android-banking-trojan-hiding In Plain Sight