
OverlayPhantom The Android Banking Trojan Hiding in Plain Si...#2289

Open
carlospolop wants to merge 1 commit into master from update_OverlayPhantom__The_Android_Banking_Trojan_Hiding__20260527_201443

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

OverlayPhantom is a previously undocumented Android banking trojan analyzed by Cyble Research and Intelligence Labs (CRIL) and published on May 27, 2026. The malware has reportedly been active since early May 2025 and is distributed in the wild through malicious/phishing URLs that impersonate trusted applications.

Initial access and lures: CRIL first found a malicious APK hosted at hxxps://bitlrewards-app[.]com/api/download/IDAustria, masqueradin...

🔧 Technical Details

Accessibility-based overlay phishing: A malicious Android app with Accessibility Service permission can monitor the foreground package name and compare it against a target list. When a matching banking, finance, or cryptocurrency app is opened, the malware can load a fake HTML page from APK resources, render it in a WebView, and display it above the legitimate app. This causes the victim to type credentials or card details into the attacker-controlled overlay while believing they are interacting with the real application.

Social-engineered permission escalation: Instead of relying on a technical CVE, Android malware can use a dropper that impersonates a trusted update, such as a Google Play service update, and provides step-by-step instructions to make the victim enable Accessibility Service. Once granted, Accessibility provides enough UI automation power to observe app launches, click buttons, enter text, read UI nodes, manipulate navigation, and as...

🤖 Agent Actions

Done.

Updated:

  • src/mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md

Added concise technical content for:

  • APK-bundled HTML/WebView overlay kits keyed by foreground package
  • Accessibility RAT command families (pinj, notif, blankScreen, clipboard injection, gesture replay)
  • Split-port mobile C2 design for commands/status/JPEG stream separation
  • MediaProjection + VirtualDisplay + ImageReader + acquireLatestImage() JPEG streaming workflow with retry logic

Also added the blog to the file’s ## References:

Validation:

  • Reviewed diff successfully
  • mdbook build could not be executed because mdbook is not installed in this environment (mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
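
The foreground-package overlay pattern and the social-engineered Accessibility grant described in the Technical Details above leave static traces in the APK: a service bound with BIND_ACCESSIBILITY_SERVICE whose config asks for window-state events with no packageNames filter, overlay and dropper permissions, and HTML templates bundled in assets and named after the target package. The Python triage script below is an added example, not code from the original Cyble post, from CRIL, or from the HackTricks repository. It assumes the APK has already been decoded with apktool (so the manifest and the res/xml accessibility config are plain XML) and runs on a constructed sample manifest, config and asset listing; the indicator weights and the threshold are arbitrary choices for this example.

```python
"""Static triage of a decoded APK for the Accessibility-overlay phishing pattern:
a BIND_ACCESSIBILITY_SERVICE service receiving window-state events for every
package, overlay/dropper permissions, and HTML templates in assets/ named after
the target package. Input is apktool output (decoded XML); no device needed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(element, name):
    """Read an android:<name> attribute from a decoded manifest/resource element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")

# Weights are heuristic values chosen for this example, not a published scheme.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "can draw an overlay above other apps"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "dropper can side-load a payload APK"),
    "android.permission.QUERY_ALL_PACKAGES": (2, "can enumerate installed banking apps"),
    "android.permission.RECEIVE_SMS": (2, "can read SMS one-time codes"),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": (2, "screen-capture foreground service"),
}

# Overlay kits keyed by foreground package look like assets/com.bank.app.html.
PACKAGE_NAMED_HTML = re.compile(r"^([a-z][a-z0-9_]*\.){2,}[a-z0-9_]+\.html?$")

def triage_manifest(manifest_xml):
    """Return (score, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    requested = {android_attr(e, "name") for e in root.iter("uses-permission")}
    for perm, (weight, why) in PERMISSION_INDICATORS.items():
        if perm in requested:
            score += weight
            findings.append(f"{perm}: {why}")
    for svc in root.iter("service"):
        name = android_attr(svc, "name")
        # Android only binds a service as an accessibility service with this permission.
        if android_attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            score += 4
            findings.append(f"accessibility service {name}")
        if android_attr(svc, "foregroundServiceType") == "mediaProjection":
            score += 1
            findings.append(f"mediaProjection foreground service {name}")
    return score, findings

def triage_accessibility_config(config_xml):
    """Score the res/xml <accessibility-service> config. Window-state events with no
    packageNames filter are what a foreground-package check against a target list needs."""
    root = ET.fromstring(config_xml)
    score, findings = 0, []
    events = android_attr(root, "accessibilityEventTypes") or ""
    if "typeWindowStateChanged" in events or "typeAllMask" in events:
        score += 2
        findings.append("receives window-state events (foreground app tracking)")
    if android_attr(root, "packageNames") is None:
        score += 2
        findings.append("no packageNames filter: observes every app")
    for flag in ("canRetrieveWindowContent", "canPerformGestures"):
        if android_attr(root, flag) == "true":
            score += 1
            findings.append(f"{flag}=true")
    return score, findings

def find_overlay_templates(asset_paths):
    """Return bundled HTML files whose file name is a reverse-DNS package name."""
    return [p for p in asset_paths
            if p.startswith(("assets/", "res/raw/"))
            and PACKAGE_NAMED_HTML.match(p.rsplit("/", 1)[-1])]

def triage(manifest_xml, config_xml, asset_paths, threshold=10):
    """Combine the three checks into one verdict; the threshold is arbitrary here."""
    m_score, m_findings = triage_manifest(manifest_xml)
    c_score, c_findings = triage_accessibility_config(config_xml)
    templates = find_overlay_templates(asset_paths)
    score = m_score + c_score + 3 * min(len(templates), 3)
    findings = m_findings + c_findings + [f"overlay template {t}" for t in templates]
    return {"score": score, "suspicious": score >= threshold, "findings": findings}

# Constructed sample modelled on a fake "Play services update" dropper; not a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Play Services Update">
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice" android:resource="@xml/a11y"/>
    </service>
  </application>
</manifest>"""
SAMPLE_A11Y_CONFIG = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeWindowContentChanged"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""
SAMPLE_ASSETS = ["assets/index.html", "assets/com.examplebank.mobile.html",
                 "assets/com.examplewallet.crypto.html", "assets/js/inject.js"]

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_A11Y_CONFIG, SAMPLE_ASSETS)
    print(f"score={result['score']} suspicious={result['suspicious']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against `apktool d sample.apk` output by feeding `AndroidManifest.xml`, the `res/xml` file named in the service's `android.accessibilityservice` meta-data, and a listing of `assets/`. The score is only a triage aid: a legitimate accessibility tool also requests window-state events, so treat the package-named HTML templates together with SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES as the discriminating combination, and confirm by reading the service's `onAccessibilityEvent` handler for a target-package comparison.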

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://cyble.com/blog/overlayphantom-android-banking-trojan/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Applications Pentesting > Accessibility Services Abuse / Mobile Phishing Malicious Apps".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

