Overlay Phantom

The malware currently targets over 180 banking, finance, and cryptocurrency applications across 10 countries using embedded WebView-based HTML phishing overlays that are visually indistinguishable from the legitimate apps they impersonate.

one package masquerades as the official Austrian government identity application, ID Austria . Meanwhile, another variant pretends to be the high-popularity consumer platform, TikTok . Subsequently, the dropper displays a convincing Google Play update notification.

It loads pre-built assets to display credential harvesting overlays seamlessly above authentic interfaces . As a result, users enter their passwords without noticing any anomalous behavior.

It loads pre-built assets to display credential harvesting overlays seamlessly above authentic interfaces . As a result, users enter their passwords without noticing any anomalous behavior.

It leverages Android’s native MediaProjection API to capture the device screen constantly . Then, it compresses the visual assets into JPEG format to minimize bandwidth overhead .

To execute this, the malware establishes a dedicated TCP connection to its backend server . Interestingly, the backend architecture does not rely on a single communication line . Instead, the malware separates traffic across three distinct non-standard ports . Specifically, port 9091 handles operator command execution . Meanwhile, port 9092 tracks basic device status reports . Finally, port 9090 manages the outgoing screen streaming data .

the command framework supports over 30 remote administrative commands . For example, operators can manipulate active clipboard items or simulate touch gestures . They can also trigger fake notification banners to force user interaction .