securityonline.info 6/1/2026, 8:31:15 AM · external

Sophisticated Android Banking Trojan Threat Evades Detection via High-Trust Lures

Primary Source cyble.com

A critical alert reports the detection of a significant Android banking trojan, named OverlayPhantom, which is rapidly expanding across Western markets. The malware is distributed through deceptive download links disguised as popular applications, such as TikTok and a government ID app. Once installed, it employs a sophisticated two-stage infection chain to leverage deep operating system permissions and monitor user activity.

OverlayPhantom targets over 180 banking and finance apps using WebView-based phishing overlays that mimic legitimate interfaces, allowing for the seamless theft of credentials. It features capabilities for real-time screen streaming and executes commands through a multi-port infrastructure to avoid detection.

To mitigate risks, organizations are advised to restrict downloads from unverified sources, regularly audit app permissions, and monitor network traffic for anomalies. Prompt action is necessary to protect users from this evolving threat.


Article by CyberSIXT