Cybersecurity researchers have identified a new Android banking trojan named Massiv that is being distributed through fake IPTV applications and is capable of enabling full device takeover attacks for financial theft. The malware was detailed in a report by ThreatFabric, which said the campaigns observed so far are limited but highly targeted. According to the researchers, the operators behind Massiv are focusing on users searching for online TV applications, using deceptive IPTV-themed apps as a lure to infect devices and ultimately gain control over victims’ mobile banking activities.
ThreatFabric explained that Massiv supports a broad set of capabilities typically associated with advanced Android banking malware. These include screen streaming through Android's MediaProjection API, keylogging, SMS interception, and the deployment of fake overlay screens placed on top of legitimate banking and financial applications. The overlays prompt victims to enter login credentials and credit card details, which are then transmitted to attackers. In one campaign, the malware was found targeting gov.pt, a Portuguese public administration application used to store identification documents and manage Chave Móvel Digital. The overlay impersonated official interfaces and requested phone numbers and PIN codes, likely to bypass Know Your Customer verification processes. Researchers said that in some instances, data harvested through these overlays was used to open new bank accounts in victims’ names for purposes such as money laundering or loan approvals without their knowledge.
Beyond credential harvesting, Massiv also functions as a sophisticated remote control tool. Once active, it allows operators to silently access and manipulate infected devices while displaying a black screen overlay to conceal malicious actions from the user. This functionality is achieved through abuse of Android accessibility services, a technique also seen in other banking malware families such as Crocodilus, Datzbro, and Klopatra. To bypass applications that block screen capture, Massiv employs a UI tree mode that traverses AccessibilityWindowInfo roots and processes AccessibilityNodeInfo objects. This enables the malware to construct a structured representation of visible text, user interface elements, screen coordinates, and interaction states, which is then exported to the attacker. Using this information, operators can issue commands to click, swipe, unlock the device with a pattern, manipulate the clipboard, download additional malicious packages, request sensitive permissions, and clear device logs.
Massiv is distributed via SMS phishing campaigns that direct victims to install dropper applications masquerading as IPTV services. Once launched, the dropper prompts users to grant permission to install software from unknown sources under the pretext of applying an important update. The identified droppers include IPTV24 and a fake Google Play application. The Massiv payload is then installed and executed. In many cases, the IPTV app itself simply opens a WebView displaying an IPTV website, while the malware operates in the background. Over the past six months, similar TV-themed droppers have primarily targeted users in Spain, Portugal, France, and Turkey. Although Massiv has not yet been observed as a formal Malware-as-a-Service offering, researchers noted evidence of API key-based backend communication and ongoing development, indicating a structured operation within an increasingly crowded Android threat landscape.
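For defenders vetting sideloaded media apps, the capabilities described above can be checked statically in a decoded AndroidManifest.xml. The following is an added illustration, not code from ThreatFabric's report or from this article; the permission mapping, the thresholds in `verdict`, and the sample manifests are constructed assumptions and do not reflect the actual Massiv manifest.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Article capability -> permission that commonly accompanies it (assumed mapping;
# a missing permission does not prove the capability is absent).
CAPABILITY_PERMS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sideload_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "screen_streaming": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

def triage_manifest(xml_text):
    """Return the set of article capabilities the manifest declares support for."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMS.items() if perms & requested}
    for svc in root.iter("service"):
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        if svc.get(NS + "permission") == A11Y_BIND and A11Y_ACTION in actions:
            found.add("accessibility_control")
    return found

def verdict(found):
    """Assumed thresholds: accessibility plus two other capabilities escalates."""
    if "accessibility_control" in found and len(found) >= 3:
        return "escalate"
    return "review" if found & {"accessibility_control", "sideload_payload"} else "ok"

def sample_manifest(perms, a11y=False):
    """Build a constructed manifest for the demo; not taken from any real app."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    svc = (f'<service android:name=".S" android:permission="{A11Y_BIND}"><intent-filter>'
           f'<action android:name="{A11Y_ACTION}"/></intent-filter></service>') if a11y else ""
    return (f'<manifest xmlns:android="{NS[1:-1]}" package="com.example.constructed">'
            f'{uses}<application>{svc}</application></manifest>')

PAYLOAD_LIKE = sample_manifest(["RECEIVE_SMS", "SYSTEM_ALERT_WINDOW",
                                "FOREGROUND_SERVICE_MEDIA_PROJECTION"], a11y=True)
DROPPER_LIKE = sample_manifest(["INTERNET", "REQUEST_INSTALL_PACKAGES"])
PLAIN_PLAYER = sample_manifest(["INTERNET"])

if __name__ == "__main__":
    for name, m in [("payload-like", PAYLOAD_LIKE), ("dropper-like", DROPPER_LIKE),
                    ("plain player", PLAIN_PLAYER)]:
        caps = triage_manifest(m)
        print(f"{name}: {verdict(caps)} {sorted(caps)}")
```

A "review" result on an app that presents itself as a simple IPTV player is the case worth a closer look, since a WebView wrapper has no functional need to install other packages.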