Fake IPTV Apps Distribute Massiv Android Malware Targeting Mobile Banking Users

Cybersecurity experts have identified a new Android banking trojan called Massiv, designed to conduct device takeover (DTO) attacks for financial theft. The malware hides inside seemingly legitimate IPTV apps, luring users who are searching for online TV services and giving attackers remote control over infected devices.

How Massiv Operates

According to ThreatFabric, Massiv first appeared in campaigns targeting users in Portugal and Greece earlier this year, though samples trace back to early 2025 in smaller tests. Once installed, it can execute a variety of malicious actions including:

  • Remote device control with black screen overlay
  • Credential theft via fake overlays on banking and financial apps
  • Keylogging and SMS interception
  • Screen streaming using Android’s MediaProjection API

The malware can deceive users into entering sensitive information such as PINs, passwords, and credit card details, particularly targeting apps like Portugal’s gov.pt digital administration app, which manages identity documents and the Digital Mobile Key (Chave Móvel Digital).

Advanced Accessibility Abuse

To bypass screen capture protections implemented in some apps, Massiv uses Android’s accessibility services in a UI-tree mode. In this mode it traverses the visible UI elements, captures their text, screen coordinates, and interaction states, and builds a JSON representation that attackers use to issue commands.

Through this technique, operators can interact with the device stealthily while users see a black overlay concealing malicious activity. The malware supports a wide range of functions including:

  • Enable black overlay, mute sounds and vibration
  • Send device information
  • Simulate clicks and swipes
  • Modify clipboard text
  • Unlock device with pattern or PIN
  • Serve overlays for targeted apps or device lock screens
  • Download and install APKs or ZIP archives containing overlays
  • Access system settings such as Battery Optimization, Device Admin, and Play Protect
  • Request SMS and installation permissions
  • Clear device logs

Distribution Method

Massiv is spread via dropper apps that mimic IPTV applications, often distributed through SMS phishing campaigns. Once the dropper is installed, it prompts users to grant permissions to install software from external sources, thereby activating the malware. Common artifacts include:

  • IPTV24 (hfgx.mqfy.fejku) – Dropper
  • Google Play (hobfjp.anrxf.cucm) – Massiv payload

ThreatFabric noted that most IPTV apps themselves are harmless; the malware operates separately while displaying a legitimate WebView of an IPTV website to avoid suspicion.
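For defenders triaging a device, the traits described above (a sideloaded app that holds an enabled accessibility service, plus the two package names listed) can be checked from adb output. The following is an added example, not code from ThreatFabric or the original article; it assumes the text was collected with `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and the sample outputs and function names are constructed for illustration.

```python
import re

# Package names listed in the article (dropper and payload).
PAGE_IOC_PACKAGES = {"hfgx.mqfy.fejku", "hobfjp.anrxf.cucm"}
PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play Store client
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Return the packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":  # the setting reads "null" when unset
        return set()
    # Entries are colon-separated "package/ServiceClass" component names.
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def audit(pm_output, a11y_setting):
    """Return {package: [reasons]} for third-party apps worth a manual look."""
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(a11y_setting)
    findings = {}
    for pkg, installer in installers.items():
        reasons = []
        if pkg in PAGE_IOC_PACKAGES:
            reasons.append("package name listed in the article")
        if pkg in a11y and installer != PLAY_STORE_INSTALLER:
            reasons.append("sideloaded app with an enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample outputs, not captured from a real device.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:hfgx.mqfy.fejku  installer=com.google.android.packageinstaller
package:hobfjp.anrxf.cucm  installer=null
package:org.example.reader  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = "hobfjp.anrxf.cucm/.Svc:com.example.bank/com.example.bank.A11y"
```

A hit on the second rule is a prompt for review, not a verdict: legitimate sideloaded accessibility tools match it too, and the package-name rule only covers the two samples named here.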

Geographic Spread and Threat Outlook

Recent campaigns have primarily targeted users in Spain, Portugal, France, and Turkey. Massiv reflects the increasing demand for turnkey Android malware solutions capable of automated financial theft. While not yet marketed as Malware-as-a-Service, the operators are developing API keys for backend communications, signaling ongoing feature expansion.

This evolving threat highlights the continued risk posed by fake apps distributed through phishing, emphasizing the need for vigilance in mobile banking security and careful scrutiny of app sources.



