OverlayPhantom is a dangerous Android banking trojan that disguises itself as legitimate software, steals banking credentials through fake overlays, and gives attackers remote control over infected devices. Once active, it can hijack cryptocurrency wallets, intercept login data, and manipulate the phone using Accessibility Services.
- How OverlayPhantom Gets Installed on Android
- What OverlayPhantom Does on Your Phone
- Should You Factory Reset After OverlayPhantom?
- Manual Removal Steps for OverlayPhantom
- Remove Suspicious Apps
- Disable Accessibility Permissions
- Remove Device Administrator Rights
- Boot Android into Safe Mode
- Scan the Device
- Conclusion
| Threat Type | Android Banking Trojan / Mobile Malware |
|---|---|
| Detection Names | Avast-Mobile (APK:RepMalware [Trj]), ESET-NOD32 (Android/Spy.Agent.FXI Trojan), Kaspersky (HEUR:Trojan-Banker.AndroidOS.Agent.abp), Combo Cleaner (Android.Riskware.Agent.aDXKN) |
| Symptoms | Fake login screens, unusual battery drain, overheating, unauthorized Accessibility permissions, suspicious “Google Play Services” app entries, banking app redirects, lagging performance |
| Damage & Distribution | Banking credential theft, cryptocurrency wallet compromise, screen recording, remote device control, phishing APKs, fake TikTok apps, fake government apps, malicious third‑party downloads |
| Danger Level | High |
How OverlayPhantom Gets Installed on Android
OverlayPhantom spreads through malicious APK files hosted on phishing websites that impersonate trusted brands and government services. Researchers discovered campaigns abusing fake versions of Austria’s ID Austria application as well as counterfeit TikTok installers.
After the victim installs the APK, the malware displays a fake Google Play Services update prompt. The goal is to trick users into granting Android Accessibility permissions — one of the most abused permissions in modern banking trojans. Once enabled, OverlayPhantom gains extensive control over the device.
Common infection methods include:
- Fake app download pages
- Third-party Android app stores
- Links sent through SMS or messaging apps
- Social media phishing campaigns
- Fake software update prompts
- Trojanized APK installers
Cybercriminals increasingly rely on social engineering instead of technical exploits. The malware convinces users to voluntarily install it and approve dangerous permissions.
What OverlayPhantom Does on Your Phone
Once active, OverlayPhantom immediately hides itself under the name “Google Play Services” to avoid suspicion. It then begins monitoring apps running on the device.
The malware’s most dangerous feature is its overlay attack capability. When you open a banking or cryptocurrency app, OverlayPhantom places a fake login page over the legitimate app. Victims unknowingly enter credentials directly into the attacker’s phishing form.
OverlayPhantom targets more than 180 financial and cryptocurrency applications across multiple countries, including:
- United States
- United Kingdom
- Germany
- Spain
- France
- Italy
- Netherlands
- Australia
- Belgium
- Finland
Researchers found that the malware can also:
- Capture screen activity in real time
- Simulate taps and gestures
- Intercept typed input
- Modify clipboard content
- Push fake notifications
- Lock or dim the screen
- Execute remote commands
- Abuse Accessibility Services for persistence
The malware communicates with remote command servers over multiple ports, making its traffic harder to detect.
Modern Android banking trojans increasingly combine overlay attacks with full remote-access capabilities. Similar tactics have appeared in malware families like Anatsa, Sturnus, and RatOn.
Should You Factory Reset After OverlayPhantom?
A factory reset is often the safest option if OverlayPhantom gained Accessibility privileges or device administrator rights. Banking trojans frequently embed persistence mechanisms that survive ordinary uninstall attempts.
Before performing a reset:
- Disconnect the device from Wi‑Fi and mobile data
- Remove Accessibility permissions from suspicious apps
- Disable unknown device administrator apps
- Back up only essential personal files
- Avoid restoring suspicious APKs afterward
You should also:
- Change banking passwords immediately
- Reset cryptocurrency wallet credentials
- Monitor bank transactions
- Enable multi-factor authentication
- Notify your financial institutions
If the infection appears severe or persists after removal attempts, a full factory reset is strongly recommended.
Manual Removal Steps for OverlayPhantom
Remove Suspicious Apps
- Open Settings
- Tap Apps
- Look for unknown applications or fake “Google Play Services” entries
- Uninstall suspicious apps
Disable Accessibility Permissions
- Open Settings
- Go to Accessibility
- Review enabled services
- Disable suspicious entries immediately
Remove Device Administrator Rights
- Open Settings
- Tap Security
- Open Device Admin Apps
- Revoke administrator access from unknown apps
Boot Android into Safe Mode
Safe Mode temporarily disables all third‑party applications, so an app that keeps reopening or blocks the Settings screen while it runs can usually be uninstalled from there. On most devices you reach it by long-pressing the Power off entry in the power menu and confirming the Safe Mode prompt.
Scan the Device
Use reputable mobile security software to perform a full device scan and remove malicious files.
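The first three manual steps above can also be checked from a computer over adb instead of tapping through Settings. The script below is an added example, not part of the original article: it parses constructed samples of `settings get secure enabled_accessibility_services`, `pm list packages -3` and `dumpsys device_policy` output and flags any sideloaded package that impersonates Google Play Services, owns an enabled accessibility service, or holds device admin rights. The package name com.updater.playservice, the app labels and the dumpsys excerpt are constructed for the example.

```python
import re

GENUINE_GMS = "com.google.android.gms"  # the only package entitled to that label

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
A11Y_SETTING = "com.google.android.marvin.talkback/.TalkBackService:com.updater.playservice/.AccService"
# Constructed sample of: adb shell pm list packages -3   (third-party packages only)
PM_LIST = "package:com.updater.playservice\npackage:com.whatsapp\n"
# Constructed excerpt of: adb shell dumpsys device_policy
DEVICE_POLICY = """  Enabled Device Admins (User 0, provisioningState: 0):
    com.updater.playservice/.AdminReceiver:
      uid=10231
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10099
"""
# Constructed stand-in for the app labels shown under Settings > Apps
LABELS = {"com.updater.playservice": "Google Play Services", "com.whatsapp": "WhatsApp"}

def parse_third_party(pm_output):
    """Package names from `pm list packages -3` output."""
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")}

def fake_play_services(labels, third_party):
    """Step 1: sideloaded apps whose label impersonates Google Play Services."""
    return sorted(pkg for pkg, label in labels.items()
                  if "play services" in label.lower() and pkg != GENUINE_GMS and pkg in third_party)

def a11y_services_from_third_party(setting, third_party):
    """Step 2: third-party packages that own an enabled accessibility service."""
    if not setting or setting == "null":  # "null" is what settings prints when unset
        return []
    owners = {component.split("/")[0] for component in setting.split(":")}
    return sorted(owners & third_party)

def device_admins_from_third_party(dumpsys, third_party):
    """Step 3: device admin receivers owned by third-party packages."""
    owners = re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dumpsys, re.M)
    return sorted(set(owners) & third_party)

def triage(a11y=A11Y_SETTING, pm=PM_LIST, policy=DEVICE_POLICY, labels=LABELS):
    """Run the three checks and return package names to review before uninstalling."""
    third_party = parse_third_party(pm)
    return {
        "fake_play_services": fake_play_services(labels, third_party),
        "third_party_accessibility": a11y_services_from_third_party(a11y, third_party),
        "third_party_device_admins": device_admins_from_third_party(policy, third_party),
    }
```

A package that appears under all three findings, as the constructed one does, matches the persistence pattern described above and is the one to strip of accessibility and admin rights before uninstalling.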
Conclusion
OverlayPhantom is one of the more advanced Android banking trojans currently circulating. Its combination of overlay phishing, remote device control, Accessibility abuse, and screen streaming makes it especially dangerous for users who rely on mobile banking and cryptocurrency apps.
The malware’s operators rely heavily on fake APK installers and social engineering rather than exploiting Android vulnerabilities directly. Avoid sideloaded apps, deny unnecessary Accessibility permissions, and stick to official app sources whenever possible.
