How do I spot a fake banking app overlay or screen-reading malware?
Banking trojans display a fake login overlay on top of your real banking app to steal credentials — keep your device updated, only install apps from official stores, and use your bank's official app rather than browser login where possible.
Last reviewed: 10 June 2026
Explanation
Mobile banking malware (banking trojans) works differently from web phishing. Rather than directing you to a fake site, it installs an application on your Android device that monitors which apps you open. When you open your banking app, it displays an identical-looking fake overlay on top of the real app. You type your credentials into the overlay — thinking it is the real app — and they are transmitted to the fraudster.
Some banking malware also captures one-time passcodes by reading SMS messages. Combined with stolen credentials, this gives the attacker everything they need to log in to your bank account and approve transfers.
Android devices are primarily affected because they allow app installation from outside the official Play Store. iOS is significantly more restricted. Infection typically comes from malicious APK files shared through social media or WhatsApp messages, or from fake QR codes linking to file downloads disguised as security updates.
The overlay is designed to be visually perfect, so visual detection is difficult. Behavioural tells include the keyboard appearing before you have tapped a text field, slight delays before the overlay appears, or the overlay appearing even when you have no internet connection (it is stored locally and displays offline). Keeping your operating system and banking app updated, using Google Play Protect, and never installing APK files from outside the Play Store are the main defences.
Common red flags
- Banking app appears to reload or refresh before showing the login screen
- Keyboard appears without you tapping a field
- You installed an app from outside the official Play Store recently
- Received a WhatsApp or SMS link to a security update APK
- Your bank notified you of a login from an unfamiliar device
What to do now
- Do not enter your credentials if the app behaviour feels unusual
- Run a malware scan using Google Play Protect (Settings > Security > Play Protect)
- Remove any recently installed apps from outside the Play Store
- Contact your bank immediately if you believe credentials were captured
- Perform a factory reset if malware is confirmed, and then change all banking passwords
Frequently asked questions
Is iPhone less vulnerable to banking trojans?
iOS's strict app installation controls make banking trojans much rarer on iPhones. The attack surface is primarily Android devices that install APK files from outside the Play Store.
How do I check if an app is from the official Play Store?
Go to Settings > Apps > [App Name] > Advanced > App details. If the source is listed as Play Store, it is official. Any other source means it was sideloaded.
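For readers comfortable with a USB debugging connection, the same check can be scripted. This is an added example, not part of the original page: it parses the text printed by `adb shell dumpsys package <package>` for a third-party app and reports whether the installer is the Play Store and whether the app requests the overlay or SMS permissions that match the behaviour described above. The sample output and the package name `com.example.securityupdate` are constructed, and the exact field layout can vary between Android versions.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store
# Permissions that match the behaviours described on this page.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay)",
    "android.permission.READ_SMS": "can read SMS (one-time passcodes)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
}

def parse_dumpsys(text):
    """Return (installer, requested_permissions) from `dumpsys package <pkg>` text."""
    m = re.search(r"^\s*installerPackageName=(\S+)", text, re.M)
    installer = m.group(1) if m and m.group(1) != "null" else None
    perms, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # Entries look like "name" or "name: restricted=true"; any other
            # line (e.g. "install permissions:") ends the block.
            entry = re.fullmatch(r"([\w.]+)(:\s.*)?", s)
            if entry:
                perms.append(entry.group(1))
            else:
                in_block = False
    return installer, perms

def audit(text):
    installer, perms = parse_dumpsys(text)
    return {
        "installer": installer,
        # Run this on third-party apps only: preinstalled apps also lack an installer.
        "outside_play_store": installer != PLAY_STORE,
        "flags": [RISKY[p] for p in perms if p in RISKY],
    }

# Constructed, abridged sample of dumpsys output for a sideloaded app.
SAMPLE = """\
Packages:
  Package [com.example.securityupdate] (1a2b3c):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS: restricted=true
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An app that was installed outside the Play Store and also carries both flags is the first candidate for removal.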
Does my bank's app have any protection against overlays?
Many major banking apps include overlay detection that blocks the app from loading if another app is drawing on top of it. Keep your banking app updated to benefit from the latest protections.