Massiv Android Trojan Exploits Fake IPTV Apps to Target Mobile Banking Users
Cybersecurity experts have recently uncovered a sophisticated Android trojan named Massiv, which is designed to execute device takeover (DTO) attacks aimed at financial theft. This malware disguises itself as legitimate IPTV applications, primarily targeting users seeking online television services.
According to ThreatFabric, a Dutch mobile security firm, Massiv poses a significant risk to mobile banking users by enabling remote control of infected devices. This control allows cybercriminals to perform fraudulent transactions directly from victims’ banking accounts. The malware was first identified in campaigns targeting users in Portugal and Greece earlier this year, with samples dating back to early 2025, indicating ongoing development and testing.
Technical Capabilities of Massiv
Massiv employs a variety of techniques to steal user credentials:
– Screen Streaming: Uses Android’s MediaProjection API to capture the device’s screen and stream it to the attacker in real time.
– Keylogging: Records keystrokes to capture sensitive information such as usernames and passwords.
– SMS Interception: Intercepts incoming SMS messages, potentially capturing one-time passwords (OTPs) used for two-factor authentication.
– Overlay Attacks: Displays fake overlays on top of legitimate banking and financial apps, tricking users into entering their credentials and credit card details.
In one notable instance, Massiv targeted the Portuguese public administration app gov.pt, which allows users to store identification documents and manage the Digital Mobile Key (Chave Móvel Digital or CMD). The malware presented an overlay prompting users to enter their phone number and PIN code, likely to bypass Know Your Customer (KYC) verification processes.
ThreatFabric reported cases where cybercriminals used the information obtained through these overlays to open new banking accounts in victims’ names. These accounts were then exploited for money laundering or securing loans without the victims’ knowledge.
Remote Control and Evasion Techniques
Massiv functions as a fully operational remote-control tool, granting attackers the ability to access victims’ devices stealthily. To conceal their activities, attackers can display a black screen overlay while remotely controlling the device. This method, which abuses Android’s accessibility services, has been observed in other Android banking malware such as Crocodilus, Datzbro, and Klopatra.
To circumvent applications that implement protections against screen capture, Massiv employs a UI-tree mode. This technique involves traversing AccessibilityWindowInfo roots and recursively processing AccessibilityNodeInfo objects to build a JSON representation of visible text, UI elements, screen coordinates, and interaction flags. Only visible nodes with text are exported to the attacker, who can then issue specific commands to interact with the device.
Comprehensive Malicious Actions
Massiv is equipped to perform a wide range of malicious actions, including:
– Enabling a black overlay and muting sounds and vibrations.
– Sending device information to the attacker.
– Performing click and swipe actions.
– Altering clipboard content with specific text.
– Disabling the black screen overlay.
– Toggling screen streaming on or off.
– Unlocking the device using a pattern.
– Serving overlays for apps, device pattern locks, or PINs.
– Downloading ZIP archives containing overlays for targeted applications.
– Downloading and installing APK files.
– Opening Battery Optimization, Device Admin, and Play Protect settings screens.
– Requesting permissions to access SMS messages and install APK packages.
– Clearing log databases on the device.
Distribution Methods
Massiv is distributed through dropper apps that mimic IPTV applications, often delivered via SMS phishing campaigns. Once installed and launched, the dropper prompts the victim to install an “important update”, which requires granting the app permission to install software from unknown sources. Examples of such malicious artifacts include:
– IPTV24 (hfgx.mqfy.fejku): Dropper application.
– Google Play (hobfjp.anrxf.cucm): Massiv malware.
In most observed cases, the dropper masquerades as an IPTV app by opening a WebView with an IPTV website, while the actual malware is already installed and running on the device.
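The two package names above, together with the capability set described earlier (an enabled accessibility service combined with overlay, SMS and sideload permissions), can be turned into a simple offline triage check for a device that is suspected of running the dropper. The script below is an added example written for this article, not ThreatFabric’s tooling or anything from the Massiv operators. It assumes you have already captured the plain-text output of `adb shell pm list packages -f`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` into strings; the sample strings embedded in it are constructed to resemble those outputs. Note that screen-capture protection (FLAG_SECURE) does not stop the UI-tree technique, because the accessibility tree is read through a service, not a screenshot, which is why the check keys on accessibility services rather than on capture permissions.

```python
"""Offline triage of Android device dumps for Massiv-style indicators.

Hypothetical helper written for this article (not ThreatFabric's code).
Parses captured text from `pm list packages -f`, the
`enabled_accessibility_services` secure setting and `dumpsys package <pkg>`.
"""
import re

# Package names published in the article (dropper and payload).
KNOWN_BAD_PACKAGES = {
    "hfgx.mqfy.fejku": "IPTV24 dropper",
    "hobfjp.anrxf.cucm": "Massiv payload posing as Google Play",
}

# Permissions that, combined with an enabled accessibility service, match the
# overlay / SMS interception / APK sideloading capabilities described above.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload",
}


def parse_package_list(text):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    pkgs = {}
    for line in text.splitlines():
        # Lines look like: package:/data/app/.../base.apk=com.example.app
        m = re.match(r"package:(.+)=([^=\s]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_accessibility_services(text):
    """Return the set of packages with an enabled accessibility service.

    The setting is a colon-separated list of 'package/ServiceClass' entries,
    or 'null' / empty when no service is enabled.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_requested_permissions(dumpsys_text):
    """Extract the 'requested permissions:' block from `dumpsys package`."""
    perms = set()
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The block ends at a blank line or the next 'something:' header.
            if not stripped or stripped.endswith(":"):
                in_block = False
            else:
                perms.add(stripped)
    return perms


def triage(package_list_text, accessibility_text, dumpsys_by_package):
    """Return (package, reason) findings in package-list order."""
    findings = []
    installed = parse_package_list(package_list_text)
    a11y = parse_accessibility_services(accessibility_text)
    for pkg in installed:
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append((pkg, "known indicator: " + KNOWN_BAD_PACKAGES[pkg]))
            continue
        perms = parse_requested_permissions(dumpsys_by_package.get(pkg, ""))
        cats = {RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
        # An accessibility service alone is normal (screen readers); flag it
        # only when paired with the permission pattern described above.
        if pkg in a11y and cats:
            findings.append((pkg, "accessibility service enabled + " + "/".join(sorted(cats))))
    return findings


# Constructed sample captures (not real device output).
SAMPLE_PACKAGES = """\
package:/data/app/~~Qk1==/com.android.chrome-Ab==/base.apk=com.android.chrome
package:/data/app/~~Zz9==/hfgx.mqfy.fejku-Cd==/base.apk=hfgx.mqfy.fejku
package:/data/app/~~Hh2==/hobfjp.anrxf.cucm-Ef==/base.apk=hobfjp.anrxf.cucm
package:/data/app/~~Mm3==/tv.example.stream-Gh==/base.apk=tv.example.stream
package:/data/app/~~Rr4==/com.example.screenreader-Ij==/base.apk=com.example.screenreader
"""
SAMPLE_A11Y = "tv.example.stream/tv.example.stream.HelperService:com.example.screenreader/.ReaderService"
SAMPLE_DUMPSYS = {
    "tv.example.stream": """\
Packages:
  Package [tv.example.stream] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.screenreader": """\
    requested permissions:
      android.permission.INTERNET
""",
}

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_DUMPSYS):
        print(f"{pkg}: {reason}")
```

On the sample data the script flags both published package names and the constructed `tv.example.stream` app (accessibility service plus overlay, SMS and sideload permissions), while the constructed screen reader, which also has an accessibility service but none of the risky permissions, is left alone. Replace the sample strings with real captures from the device under investigation.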
Over the past six months, the majority of Android malware campaigns using TV-related droppers have targeted users in Spain, Portugal, France, and Turkey.
Emerging Threat Landscape
Massiv represents the latest addition to an already crowded Android threat landscape, reflecting the ongoing demand for turnkey solutions among cybercriminals. While not yet observed being promoted as Malware-as-a-Service (MaaS), Massiv’s operator shows clear signs of moving in this direction by introducing API keys for malware communication with the backend. Code analysis reveals ongoing development, with more features likely to be introduced in the future.
Protective Measures
To safeguard against threats like Massiv, users are advised to:
– Download Apps from Trusted Sources: Only install applications from official app stores and avoid downloading apps from unknown sources.
– Verify App Authenticity: Check app reviews, ratings, and developer information before installation.
– Be Cautious with Permissions: Be wary of apps requesting excessive permissions that are not necessary for their functionality.
– Keep Devices Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.
– Use Security Software: Install reputable mobile security software to detect and prevent malware infections.
By remaining vigilant and adopting these protective measures, users can reduce the risk of falling victim to sophisticated malware campaigns like Massiv.