Date: 05/28/2026
Severity: High
Summary
Security researchers have discovered OverlayPhantom, a new Android banking trojan spreading through malicious URLs. The malware utilizes a two-stage infection process, relying on dropper apps that impersonate trusted platforms like TikTok and the Austrian government’s "ID Austria" app to trick users. Once installed, OverlayPhantom hides behind the guise of “Google Play Services” and exploits Android’s Accessibility Services for persistent, high-level device control. It can execute over 30 remote commands, stream the device's screen in real time, launch overlay phishing attacks via embedded HTML, and exfiltrate stolen credentials to a multi-port Command and Control (C&C) server.
Indicators of Compromise (IOC) List
Domains/URLs: https://bitlrewards-app.com/api/download/IDAustria
IP Address: 199.217.99.122
SHA-256 Hashes:
9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775
f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb
8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "https://bitlrewards-app.com/api/download/IDAustria" or url like "https://bitlrewards-app.com/api/download/IDAustria" or siteurl like "https://bitlrewards-app.com/api/download/IDAustria"
Detection Query 2: dstipaddress IN ("199.217.99.122") or srcipaddress IN ("199.217.99.122")
Detection Query 3: sha256hash IN ("8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a","f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb","9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775")
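The three detection queries above, as an added Python matcher that is not Gurucul's code: it evaluates the same field/indicator pairs over constructed sample events, assumes one flat dict per event using the query field names, additionally compares the host part of the IOC URL so a domainname field holding only the host still matches, and lower-cases hashes before comparison since the IOC list prints one with a capital letter.

```python
"""Offline IOC matcher mirroring the advisory's three TDIR queries (added example)."""
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list
IOC_URLS = {"https://bitlrewards-app.com/api/download/IDAustria"}
IOC_IPS = {"199.217.99.122"}
IOC_SHA256 = {
    "9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775",
    "f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb",
    "8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a",
}
IOC_URLS_LOWER = {u.lower() for u in IOC_URLS}
# Hosts derived from the IOC URLs (assumption: a bare domainname field holds only the host)
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Field names follow the advisory's queries; the flat event schema itself is assumed
URL_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress")


def _norm(value):
    return str(value).strip().lower() if value is not None else ""


def match_event(event):
    """Return the set of detection-query numbers (1, 2, 3) the event triggers."""
    hits = set()
    for field in URL_FIELDS:  # Query 1: URL or host match on any of the three fields
        v = _norm(event.get(field))
        if v in IOC_URLS_LOWER or v in IOC_HOSTS or urlsplit(v).hostname in IOC_HOSTS:
            hits.add(1)
    for field in IP_FIELDS:  # Query 2: destination or source IP
        if _norm(event.get(field)) in IOC_IPS:
            hits.add(2)
    if _norm(event.get("sha256hash")) in IOC_SHA256:  # Query 3: case-insensitive hash
        hits.add(3)
    return hits


def scan(events):
    """Return [(event index, sorted query numbers)] for every event that matches."""
    out = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            out.append((i, sorted(hits)))
    return out


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"url": "https://bitlrewards-app.com/api/download/IDAustria", "dstipaddress": "199.217.99.122"},
    {"domainname": "bitlrewards-app.com"},
    {"sha256hash": "F8B614A2918378063D6E6655B676CEB52AE65B1510E2CC08087FCAC31ACB7AEB"},
    {"url": "https://example.org/", "srcipaddress": "10.0.0.5", "sha256hash": "00" * 32},
]

if __name__ == "__main__":
    for idx, queries in scan(SAMPLE_EVENTS):
        print(f"event {idx}: matched detection query {queries}")
```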
Reference:
https://cyble.com/blog/overlayphantom-android-banking-trojan/