OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight

Cyble’s CRIL identified OverlayPhantom, a new Android banking trojan distributed through malicious URLs that impersonate trusted apps such as ID Austria and TikTok. It targets more than 180 apps across 10 countries, stealing credentials with fake overlays and real-time screen streaming while using multi-port C2 infrastructure.

Key points

  • OverlayPhantom is a newly identified Android banking trojan actively distributed in the wild through malicious URLs.
  • The malware uses a two-stage infection chain with a dropper that impersonates trusted apps, including ID Austria and TikTok.
  • It masquerades as “Google Play Services” and abuses Android Accessibility Service for persistent control over infected devices.
  • OverlayPhantom targets more than 180 banking, financial, and cryptocurrency apps across 10 countries.
  • It uses embedded HTML phishing overlays to steal usernames, passwords, and card details from victims.
  • The malware supports over 30 remote commands, including gesture automation, clipboard manipulation, screen locking, and fake notifications.
  • It performs near real-time screen streaming via JPEG using Android’s MediaProjection API and a non-standard multi-port C2 setup.

MITRE Techniques

  • [T1660] Phishing – OverlayPhantom is distributed through phishing sites and malicious URLs that impersonate trusted applications (‘distributed via phishing sites’ / ‘impersonates the official Austrian government identity application’).
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – The malware implements a broadcast receiver to support screen capturing (‘implemented a broadcast receiver for screen capturing’).
  • [T1628.001] Hide Artifacts: Suppress Application Icon – OverlayPhantom hides its app icon to make detection and removal harder (‘OverlayPhantom hides its icon’).
  • [T1406] Obfuscated Files or Information – The malware uses obfuscated strings to hinder analysis (‘Malware uses obfuscated strings’).
  • [T1655.001] Masquerading: Match Legitimate Name or Location – It disguises itself as a legitimate Google Play component to mislead victims (‘masquerades as Google Play Service’).
  • [T1453] Abuse Accessibility Features – OverlayPhantom abuses the Android Accessibility Service to gain elevated control and monitor user activity (‘abuses Accessibility service’).
  • [T1418] Software Discovery – The malware checks installed applications against a hardcoded target list to decide when to display phishing overlays (‘checks the installed application list against the target list’).
  • [T1513] Screen Capture – OverlayPhantom captures the victim’s screen for real-time streaming (‘captures screen content’).
  • [T1437] Application Layer Protocol – The malware communicates with its C2 over TCP connections (‘communicates with C2 over TCP’).
  • [T1509] Non-Standard Port – It uses the dedicated non-standard ports 9090, 9091, and 9092 for C2 functions (‘uses a non-standard port’).
  • [T1646] Exfiltration Over C2 Channel – Stolen credentials and other data are exfiltrated to the C&C server (‘exfiltrates data to the C&C server’).

Indicators of Compromise

  • [URL] Distribution and lure URL for the malicious APK – hxxps://bitlrewards-app[.]com/api/download/IDAustria
  • [IP address] Command-and-control server used for OverlayPhantom communications – 199.217[.]99[.]122
  • [SHA-256 file hashes] OverlayPhantom sample hashes observed in analysis – 9ef37376bfaa18e193cc72218924ad8ebf56d2667d348f0eae5ae6ec45ab8775, f8b614a2918378063d6e6655b676ceb52ae65b1510e2cc08087fcac31acb7aeb, and 8ddc1f2a75f3d5b5bd054a5367bd5015ebc90f3453d63c7cce438c12dc2ae86a
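A defender-side check that turns the network indicators above into detection logic: it flags hosts that contact the listed C2 IP and, independently, any host that reaches one destination on all three C2 ports 9090, 9091 and 9092 (the behavioural signature, which survives a change of C2 address). This is an added example, not code from Cyble’s report; the flow-log format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Indicators taken from the report: C2 server and its three dedicated ports.
C2_IP = "199.217.99.122"
C2_PORTS = {9090, 9091, 9092}

# Constructed sample flow records (not real captures); format is assumed:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 -> 199.217.99.122:9090 tcp
2024-01-01T10:00:02 10.0.0.5 -> 199.217.99.122:9091 tcp
2024-01-01T10:00:03 10.0.0.5 -> 199.217.99.122:9092 tcp
2024-01-01T10:00:04 10.0.0.7 -> 93.184.216.34:443 tcp
2024-01-01T10:00:05 10.0.0.9 -> 203.0.113.10:9090 tcp
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+) (\w+)$")


def parse_flows(text):
    """Parse flow lines into (src, dst, dst_port, proto) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return flows


def find_overlayphantom_c2(text):
    """Return {src_ip: sorted reasons} for hosts matching the report's C2 profile."""
    reasons = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for src, dst, port, proto in parse_flows(text):
        if proto != "tcp":          # the report describes TCP-based C2 only
            continue
        if dst == C2_IP:            # rule 1: known C2 address
            reasons[src].add(f"known C2 IP {dst}")
        ports_by_pair[(src, dst)].add(port)
    # rule 2: same destination contacted on all three non-standard C2 ports
    for (src, dst), ports in ports_by_pair.items():
        if C2_PORTS <= ports:
            reasons[src].add(f"multi-port C2 pattern to {dst} on {sorted(C2_PORTS)}")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    print(find_overlayphantom_c2(SAMPLE_LOG))
```

A single connection to port 9090 on an unrelated host (10.0.0.9 above) is deliberately not flagged; the behavioural rule needs all three ports to the same destination to keep the false-positive rate low.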


Read more: https://cyble.com/blog/overlayphantom-android-banking-trojan/