Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users

Cybersecurity researchers have uncovered a new Android trojan named Massiv, engineered to carry out device takeover (DTO) attacks aimed at financial theft. The malware disguises itself as innocuous IPTV applications, targeting users who are looking for online television services.

According to ThreatFabric, a Dutch mobile security firm, this emerging threat, although currently observed in a limited number of targeted campaigns, poses significant risks to mobile banking users. The malware enables its operators to gain remote control over infected devices, facilitating fraudulent transactions directly from the victim’s banking accounts. In a report shared with The Hacker News, ThreatFabric highlighted the malware’s first detection in campaigns targeting users in Portugal and Greece earlier this year, with samples traced back to early 2025 as part of smaller test initiatives.

Features and Functionality

Massiv shares common traits with various Android banking malware families, offering an extensive array of features designed to facilitate credential theft through multiple methods. These include:

  • Screen streaming via Android’s MediaProjection API
  • Keylogging
  • SMS interception
  • Fake overlays positioned above banking and financial applications

These overlays prompt users to input their credentials and credit card information. One notable campaign has been identified targeting the gov.pt application, a Portuguese public administration tool that allows users to manage identification documents and the Digital Mobile Key (Chave Móvel Digital or CMD). The overlay deceives users into entering their phone number and PIN code, likely aiming to circumvent Know Your Customer (KYC) verification processes.

ThreatFabric reported instances where scammers utilized the information obtained from these overlays to open new banking accounts under the victims’ names, potentially facilitating money laundering or securing loans without the victims’ awareness.

In addition to its credential theft capabilities, Massiv functions as a fully operational remote-control tool. It allows operators to access the victim’s device discreetly while displaying a black screen overlay to mask the malicious activities. Such techniques, which exploit Android’s accessibility services, have also been seen in other Android banking malware like Crocodilus, Datzbro, and Klopatra.

To get around applications that block screen capture, Massiv falls back on a method known as UI-tree mode. This technique traverses the AccessibilityWindowInfo roots and recursively processes the AccessibilityNodeInfo objects beneath them to build a JSON representation of visible text, content descriptions, UI element types, screen coordinates, and interaction flags. Because it reads the accessibility tree rather than screen pixels, screen-capture protection does not stop it. Only nodes that are visible and carry text are exported to the attacker, who then decides the next steps and issues specific commands to interact with the device.

Malicious Actions

The malware is capable of executing a diverse range of malicious actions, including:

  • Enabling black overlays, muting sounds, and disabling vibrations
  • Sending device information
  • Performing click and swipe actions
  • Altering the clipboard with specific text
  • Disabling the black screen
  • Controlling screen streaming
  • Unlocking the device using a pattern
  • Serving overlays for applications, device pattern locks, or PINs
  • Downloading ZIP archives containing overlays for targeted applications
  • Downloading and installing APK files
  • Accessing Battery Optimization, Device Admin, and Play Protect settings screens
  • Requesting permissions to access SMS messages and install APK packages
  • Clearing log databases on the device

Massiv is distributed through dropper applications that mimic IPTV services, often delivered via SMS phishing. Upon installation and launch, the dropper prompts victims to install an “important” update, requesting permissions to install software from external sources. The names of the malicious components include:

  • IPTV24 (hfgx.mqfy.fejku) – Dropper
  • Google Play (hobfjp.anrxf.cucm) – Massiv
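As an added defender-side example, not code from ThreatFabric or the article, the script below triages an Android device inventory against the two package names listed above and against the accessibility-service abuse described earlier: a malicious accessibility service is what makes the black-screen overlay and UI-tree mode possible, so an enabled service from a package outside a known-good allowlist is worth flagging on its own. It parses the output formats of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`; the sample output is constructed for the example, the service class name on the Massiv package is a placeholder, and the trusted-package allowlist is an assumption to be adapted to your own fleet.

```python
"""Offline triage of an Android device inventory against the Massiv IoCs.

Package names come from the ThreatFabric report quoted in the article;
the adb output embedded below is constructed for this example.
"""

# Package names reported for the dropper and the payload.
MASSIV_PACKAGES = {
    "hfgx.mqfy.fejku": "IPTV24 dropper",
    "hobfjp.anrxf.cucm": "Massiv payload (poses as 'Google Play')",
}

# Assumption: accessibility services from these packages are expected on the
# device (Google's Accessibility Suite). Extend for your fleet; anything else
# that holds accessibility access is flagged for review.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of `adb shell pm list packages`.
PM_LIST_OUTPUT = """package:com.android.vending
package:com.google.android.marvin.talkback
package:hfgx.mqfy.fejku
package:hobfjp.anrxf.cucm
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# a colon-separated list of package/service pairs. The class name on the
# Massiv package is a placeholder, not a real identifier from the report.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "hobfjp.anrxf.cucm/.RemoteService"
)


def parse_pm_list(output):
    """Return installed package names from `pm list packages` output."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def parse_enabled_services(value):
    """Return (package, fully-qualified service) pairs from the settings value."""
    if not value or value.strip() == "null":
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        # A leading dot is shorthand for a class inside the package itself.
        if service.startswith("."):
            service = package + service
        services.append((package, service))
    return services


def triage(pm_output, services_value):
    """Produce (finding_type, package, detail) tuples for an analyst to review."""
    findings = []
    for package in parse_pm_list(pm_output):
        if package in MASSIV_PACKAGES:
            findings.append(("ioc_match", package, MASSIV_PACKAGES[package]))
    for package, service in parse_enabled_services(services_value):
        if package not in TRUSTED_ACCESSIBILITY_PACKAGES:
            findings.append(("untrusted_accessibility_service", package, service))
    return findings


if __name__ == "__main__":
    for finding in triage(PM_LIST_OUTPUT, ENABLED_SERVICES):
        print("%-31s %-22s %s" % finding)
```

The accessibility check deliberately flags any non-allowlisted package rather than only the known Massiv one, since the report describes the same accessibility-service abuse in Crocodilus, Datzbro and Klopatra; the package IoC match is the high-confidence signal, the accessibility finding is the lead to investigate.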

ThreatFabric noted that in most observed cases, the malware merely masquerades as legitimate applications. Typically, the dropper that imitates an IPTV app opens a WebView containing an IPTV website, while the actual malware operates in the background, already installed and active on the device.

Over the past six months, the majority of Android malware campaigns utilizing TV-related droppers have focused on regions including Spain, Portugal, France, and Turkey. Massiv represents the latest addition to an increasingly crowded Android threat landscape, underscoring the persistent demand for such turnkey solutions among cybercriminals.

While not yet marketed as Malware-as-a-Service, the operators behind Massiv exhibit clear intentions of moving in that direction, having introduced API keys for communication with the backend. Code analysis indicates ongoing development, suggesting that additional features may be on the horizon.
