Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users
Massiv: The New Android Trojan Masquerading as IPTV Apps to Steal Your Banking Data
Researchers have uncovered a sophisticated new Android trojan dubbed Massiv, designed to facilitate full device takeover (DTO) attacks for financial theft. The malware disguises itself as seemingly harmless IPTV apps and targets users who are searching for online TV applications.
How Massiv Operates
According to ThreatFabric, a leading Dutch mobile security company, Massiv has been observed in limited but highly targeted campaigns. The malware was first spotted in a campaign targeting users in Portugal and Greece earlier this year, though samples dating back to the start of 2025 suggest it has been in development for some time.
Like other Android banking malware families, Massiv is equipped with a wide range of features to facilitate credential theft. These include:
- Screen streaming through Android’s MediaProjection API
- Keylogging to capture every keystroke
- SMS interception to steal one-time passwords and other sensitive messages
- Fake overlays served atop banking and financial apps, tricking users into entering their credentials and credit card details
One particularly alarming campaign has been found to target gov.pt, a Portuguese public administration app that allows users to store identification documents and manage the Digital Mobile Key (CMD). The overlay tricks users into entering their phone number and PIN code, likely in an effort to bypass Know Your Customer (KYC) verification.
The Threat Beyond Financial Theft
ThreatFabric has identified cases where scammers used the information captured through these overlays to open new banking accounts in the victim’s name. These accounts can then be used for money laundering or getting loans approved without the actual victim’s knowledge, making the threat far more pervasive than just financial theft.
Massiv also serves as a fully functional remote-control tool, granting the operator the ability to access the victim’s device stealthily. This is achieved by abusing Android’s accessibility services, a technique also observed in other Android bankers like Crocodilus, Datzbro, and Klopatra.
Bypassing Security Measures
To bypass security measures implemented by some applications, Massiv uses a technique called UI-tree mode. This involves traversing AccessibilityWindowInfo roots and recursively processing AccessibilityNodeInfo objects to build a JSON representation of visible text and content descriptions. The attacker uses this representation to decide the next course of action and then issues specific commands to interact with the device.
The Full Arsenal of Massiv
The malware is equipped to carry out a wide range of malicious actions, including:
- Enabling a black overlay to conceal malicious activity
- Muting sounds and vibration to avoid detection
- Sending device information to the attacker
- Performing click and swipe actions
- Altering the clipboard with specific text
- Disabling the black screen
- Turning on/off screen streaming
- Unlocking the device with a pattern
- Serving overlays for targeted applications
- Downloading ZIP archives with overlays
- Downloading and installing APK files
- Opening Battery Optimization, Device Admin, and Play Protect settings screens
- Requesting permissions to access SMS messages, install APK packages, and more
- Clearing log databases on the device
Distribution and Targeting
Massiv is distributed in the form of dropper apps mimicking IPTV apps via SMS phishing. Once installed and launched, the dropper prompts the victim to install an “important” update by granting it permissions to install software from external sources. The names of the malicious artifacts are:
- IPTV24 (hfgx.mqfy.fejku) – Dropper
- Google Play (hobfjp.anrxf.cucm) – Massiv
In most cases, the dropper that mimics an IPTV app opens a WebView with an IPTV website in it, while the actual malware is already installed and running on the device. The majority of Android malware campaigns using TV-related droppers have targeted Spain, Portugal, France, and Turkey over the past six months.
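A defender-side triage of the two behaviours described above (a sideloaded dropper and accessibility-service abuse), added here as an example that is not from ThreatFabric or the original article. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and goes beyond the two reported package names by flagging any sideloaded app that holds an accessibility service; the sample output, the `.Svc` class name and the trusted-installer list are constructed assumptions.

```python
import re

# Package names reported on this page for the dropper and the payload.
PAGE_IOCS = {"hfgx.mqfy.fejku": "dropper (IPTV24)",
             "hobfjp.anrxf.cucm": "Massiv payload (labelled 'Google Play')"}
# Assumption: installers treated as trusted stores; adjust per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(value):
    """Parse 'pkg/service:pkg/service' into the set of owning packages."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def parse_packages(listing):
    """Parse 'package:<name>  installer=<name|null>' lines into a dict."""
    packages = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            packages[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return packages

def triage(accessibility_value, package_listing):
    """Return {package: [reasons]} for third-party packages worth reviewing."""
    a11y = parse_accessibility(accessibility_value)
    findings = {}
    for pkg, installer in parse_packages(package_listing).items():
        reasons = []
        if pkg in PAGE_IOCS:
            reasons.append("matches reported package name: " + PAGE_IOCS[pkg])
        sideloaded = installer not in TRUSTED_INSTALLERS
        if sideloaded and pkg in a11y:
            reasons.append("sideloaded app holds an enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample output (not captured from a real device).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "hobfjp.anrxf.cucm/.Svc")
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:hfgx.mqfy.fejku  installer=null
package:hobfjp.anrxf.cucm  installer=hfgx.mqfy.fejku
package:org.example.reader  installer=null
"""

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_PACKAGES).items():
        print(pkg, "->", "; ".join(reasons))
```

Exact package-name matches are brittle because such names can change between samples, so the accessibility-plus-sideload check is the more durable signal.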
The Future of Massiv
Massiv is the latest entrant to an already crowded Android threat landscape, reflecting the continuing demand for such turnkey solutions among cybercriminals. While it has not yet been observed being promoted as Malware-as-a-Service, Massiv’s operator shows clear signs of going down this path, introducing API keys to be used in malware communication with the backend. Code analysis revealed ongoing development, with more features likely to be introduced in the future.