Malware Targets 180 Banking, Financial and Crypto Apps, Displays Fake Screens To Capture PINs and Take Over Accounts: Cyble

A new Android banking trojan is targeting more than 180 banking, financial and cryptocurrency applications across 10 countries.

The cybersecurity firm Cyble says the malware is called OverlayPhantom and is being distributed through malicious URLs that impersonate trusted applications.

Cyble says the malware uses a two-stage infection chain, beginning with a dropper app that has impersonated ID Austria, Austria’s official government identity application, and TikTok. Once installed, OverlayPhantom disguises itself as Google Play Services and abuses Android’s Accessibility Service to gain elevated control over the infected device.

The malware targets banking, financial and cryptocurrency apps in the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain and the United Kingdom.

The firm says OverlayPhantom can execute more than 30 remote commands, conduct real-time screen streaming, display fake overlays and exfiltrate harvested credentials through command-and-control infrastructure.

The malware monitors the victim’s foreground applications and checks whether the app is included in its hardcoded target list. When a match is found, it displays a fake WebView overlay designed to resemble the legitimate application. Those overlays can capture usernames, passwords, card details, PINs and other sensitive information.

According to Cyble, the malware can also simulate gestures, manipulate clipboard content, lock the device screen and display fake notifications. The report says OverlayPhantom uses separate command-and-control ports for command dispatch, device status reporting and screen streaming.

Cyble says the malware has been active since May 2025 and was uncovered during an investigation into government-themed URL impersonation.
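A defender-side check for the behaviour Cyble describes (an app presenting itself as Google Play Services while holding an Accessibility Service grant), as an added example that is not from Cyble's report or this article. It assumes a per-device inventory of package name, display label and installer, such as an MDM export might provide; the package `com.example.updater.svc` and all sample rows are constructed.

```python
from dataclasses import dataclass

GMS_PACKAGE = "com.google.android.gms"  # genuine Google Play Services package
PLAY_STORE = "com.android.vending"      # installer recorded for Play Store installs

@dataclass(frozen=True)
class App:
    package: str
    label: str            # display name shown to the user
    installer: str = ""   # empty when no installer is recorded (sideloaded)

def parse_enabled_services(value):
    """Parse the colon-separated 'package/service' list returned by
    `settings get secure enabled_accessibility_services`."""
    value = (value or "").strip()
    if value in ("", "null"):
        return {}
    grants = {}
    for component in value.split(":"):
        pkg, _, service = component.partition("/")
        if pkg:
            grants.setdefault(pkg, []).append(service)
    return grants

def normalize(label):
    # Fold case and drop spaces/punctuation so "Google Play services" variants match.
    return "".join(ch for ch in label.casefold() if ch.isalnum())

def audit(enabled_value, inventory):
    """Return (package, reasons) for each accessibility grant worth reviewing."""
    by_pkg = {app.package: app for app in inventory}
    findings = []
    for pkg in parse_enabled_services(enabled_value):
        app, reasons = by_pkg.get(pkg), []
        if app is None:
            reasons.append("not-in-inventory")
        else:
            if normalize(app.label) == "googleplayservices" and pkg != GMS_PACKAGE:
                reasons.append("label-impersonates-play-services")
            if app.installer != PLAY_STORE:
                reasons.append("not-from-play-store")
        if reasons:
            findings.append((pkg, reasons))
    return findings

# Constructed sample data: one legitimate grant and one look-alike.
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.updater.svc/com.example.updater.svc.Helper")
SAMPLE_INVENTORY = [App(GMS_PACKAGE, "Google Play services", PLAY_STORE),
                    App("com.google.android.marvin.talkback", "TalkBack", PLAY_STORE),
                    App("com.example.updater.svc", "Google Play Services")]
```

Preloaded system apps may also have no Play Store installer recorded, so the second reason is a prompt for review, not a verdict on its own.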


The post Malware Targets 180 Banking, Financial and Crypto Apps, Displays Fake Screens To Capture PINs and Take Over Accounts: Cyble appeared first on The Daily Hodl.