A new Android banking trojan is targeting more than 180 banking, financial and cryptocurrency applications across 10 countries.
The cybersecurity firm Cyble says the malware is called OverlayPhantom and is being distributed through malicious URLs that impersonate trusted applications.
Cyble says the malware uses a two-stage infection chain, beginning with a dropper app that has impersonated ID Austria, Austria’s official government identity application, and TikTok. Once installed, OverlayPhantom disguises itself as Google Play Services and abuses Android’s Accessibility Service to gain elevated control over the infected device.
The malware targets banking, financial and cryptocurrency apps in the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain and the United Kingdom.
The firm says OverlayPhantom can execute more than 30 remote commands, conduct real-time screen streaming, display fake overlays and exfiltrate harvested credentials through command-and-control infrastructure.
The malware monitors the victim’s foreground applications and checks whether the app is included in its hardcoded target list. When a match is found, it displays a fake WebView overlay designed to resemble the legitimate application. Those overlays can capture usernames, passwords, card details, PINs and other sensitive information.
According to Cyble, the malware can also simulate gestures, manipulate clipboard content, lock the device screen and display fake notifications. The report says OverlayPhantom uses separate command-and-control ports for command dispatch, device status reporting and screen streaming.
Cyble says the malware has been active since May 2025 and was uncovered during an investigation into government-themed URL impersonation.
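A device-triage heuristic for the three behaviours described above (distribution outside the app store, the Google Play Services disguise, and Accessibility Service abuse). This is an added example, not code from Cyble's report; the inventory records, their field names and the `com.example.*` packages are constructed assumptions.

```python
import unicodedata

GENUINE_GMS = "com.google.android.gms"        # real package of Google Play Services
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; fleet policy is an assumption

def accessibility_packages(setting):
    """Packages named in a colon-separated 'package/service' list, the format
    of Android's enabled_accessibility_services secure setting."""
    parts = (p.strip() for p in (setting or "").split(":"))
    return {p.split("/", 1)[0] for p in parts if p and p != "null"}

def norm(label):
    """Fold case, compatibility characters and spacing before comparing labels."""
    return " ".join(unicodedata.normalize("NFKC", label).casefold().split())

def triage(apps, accessibility_setting):
    """Return (package, severity, reasons) for apps worth an analyst's look."""
    a11y = accessibility_packages(accessibility_setting)
    findings = []
    for app in apps:
        spoof = (norm(app["label"]) == "google play services"
                 and app["package"] != GENUINE_GMS)
        has_a11y = app["package"] in a11y
        sideloaded = (not app.get("system")
                      and app.get("installer") not in TRUSTED_INSTALLERS)
        reasons = [text for flag, text in (
            (spoof, "label imitates Google Play Services"),
            (has_a11y, "accessibility service enabled"),
            (sideloaded, "installed outside the trusted store")) if flag]
        if spoof:
            findings.append((app["package"], "high", reasons))
        elif has_a11y and sideloaded:
            findings.append((app["package"], "review", reasons))
    return findings

# Constructed inventory; the com.example.* names are hypothetical.
SAMPLE_A11Y = "com.example.updater/.Svc:com.example.reader/com.example.reader.Svc"
SAMPLE_APPS = [
    {"package": GENUINE_GMS, "label": "Google Play services",
     "installer": "com.android.vending", "system": True},
    {"package": "com.example.updater", "label": "Google Play  Services",
     "installer": None, "system": False},
    {"package": "com.example.reader", "label": "Screen Reader",
     "installer": None, "system": False},
    {"package": "com.example.notes", "label": "Notes",
     "installer": "com.android.vending", "system": False},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_APPS, SAMPLE_A11Y):
        print(finding)
```

The label comparison folds case, compatibility characters and spacing only, so look-alike characters from other scripts need a separate confusables check.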