Cybersecurity researchers have identified a newly discovered Android banking malware, OverlayPhantom, as a serious threat to mobile users. The malware is designed primarily to steal banking credentials and monitor activity on infected devices, and researchers say it can also give attackers remote access to the smartphone. It was found during investigations into Android banking malware campaigns.

According to researchers, OverlayPhantom spreads through malicious applications and fake download links shared with users. Victims are usually tricked into installing what looks like a genuine application update on their devices. In several cases, the malware displayed a fake Google Play update screen during installation. This made the process appear safe and trustworthy to unsuspecting users.

After installation, the malware hides itself by pretending to be Google Play Services on the device. This makes it difficult for users to identify suspicious behavior or remove the malicious application. OverlayPhantom then requests permission for Android Accessibility Services from the victim. Accessibility Services are legitimate Android features designed to assist users with disabilities.

If Accessibility permissions are granted, the malware gains extensive control over the infected smartphone. Researchers found that it can monitor screen activity and perform gestures like taps and swipes. It is also capable of navigating applications without the victim noticing anything suspicious. This allows attackers to maintain long-term control over infected devices in the background.

One of OverlayPhantom's most dangerous features is its ability to launch overlay attacks. The malware continuously checks which application is in the foreground on the device. When a targeted banking or cryptocurrency app is launched, a fake login screen is drawn over it, and victims may unknowingly enter usernames, passwords, and PINs into these phishing interfaces.

Researchers reported that the malware currently targets more than 180 banking and cryptocurrency applications worldwide, and, according to available reports, the campaign has affected users in at least 10 countries. This wide targeting range suggests that the attackers are operating a large and organized cybercrime campaign whose main goal is stealing financial credentials and sensitive account information.

OverlayPhantom also includes a screen-monitoring feature that lets attackers watch victim activity remotely. By abusing Android's MediaProjection API, the malware can capture screen content in real time and transmit it to attacker-controlled servers. Researchers believe this feature makes the malware especially dangerous during banking sessions.
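The three techniques described above (accessibility-driven gestures, overlay login screens and MediaProjection capture) each have an app-side mitigation that a banking app can apply to its login screen. The following is an added example written for this article, not code from the report or from the malware; it assumes a hypothetical `LoginActivity` with an `activity_login` layout and a `login_button` view, and the `onObscuredTouch` hook stands in for whatever risk-signalling the app already has.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

// Hypothetical login screen of a banking app, written as an added example; not code from the article.
public class LoginActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Counter MediaProjection screen capture: FLAG_SECURE windows are excluded from
        // screenshots and screen recordings, so a recorder receives a black frame.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_login);   // assumed layout resource
        // Counter tapjacking: discard touches delivered while another window covers this view.
        findViewById(R.id.login_button).setFilterTouchesWhenObscured(true); // assumed view id
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if (isObscured(ev)) {
            onObscuredTouch();   // another window sat above us: refuse the touch and record it
            return true;
        }
        return super.dispatchTouchEvent(ev);
    }

    /** True when the system flags that a window covered ours when this touch landed. */
    static boolean isObscured(MotionEvent ev) {
        int flags = ev.getFlags();
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0; // API 29+
    }

    /** Package names of enabled accessibility services, for a risk engine to compare with a known-good list. */
    static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> packages = new ArrayList<>();
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            packages.add(info.getResolveInfo().serviceInfo.packageName);
        }
        return packages;
    }

    private void onObscuredTouch() { /* hypothetical hook: warn the user and emit a risk signal */ }
}
```

Because legitimate screen readers also appear in `enabledAccessibilityServices`, treat an unknown service as a signal to raise session risk, not as grounds to block the user outright.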

Security experts warn that Android malware campaigns like OverlayPhantom may continue growing in sophistication and scale. Users are advised to install applications only from trusted platforms such as the Google Play Store. Experts also recommend avoiding suspicious download links received through emails, messages, or social media. Enabling multi-factor authentication can provide an additional layer of protection for banking accounts.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news