A new strain of Android banking malware, dubbed Massiv by researchers, is masquerading as an IPTV application with the intent to pilfer digital identities and infiltrate online banking accounts. This sophisticated malware employs screen overlays and keylogging techniques to capture sensitive information and can even seize remote control of a compromised device.
In a recent campaign highlighted by ThreatFabric, a company specializing in fraud detection and mobile threat intelligence, Massiv has been observed targeting a Portuguese government application linked to Chave Móvel Digital, Portugal’s digital authentication and signature system. This is particularly concerning because the application holds identity data that could be used to get past know-your-customer (KYC) verifications, granting access to banking accounts and various public and private online services.
Source: ThreatFabric
The ThreatFabric report elaborates on the implications of this malware: “MTI research identified cases where new accounts were opened in the name of the victim (user of the infected device) in new banks and services (not used by the victim).” The report continues, “Since those accounts are fully under fraudster control, they can further use them as a part of money laundering schemes as well as getting loans and cashing out the money, leaving the unsuspecting victim in debts in the bank they never opened an account themselves.”
Massiv offers its operators two distinct modes of remote control: a screen live-streaming mode that utilizes Android’s MediaProjection API, and a UI-tree mode that extracts structured data from the Accessibility Service. The latter mode is particularly insidious, as it captures visible text, interface element names, screen coordinates, and interaction attributes, enabling attackers to manipulate the device by clicking buttons and editing text fields. This capability is especially advantageous for circumventing screen-capture protections commonly employed by banking and communication applications that handle sensitive content.
IPTV lures on the rise
An intriguing trend unearthed by ThreatFabric in the wake of Massiv’s emergence is the growing use of IPTV applications as bait for Android malware infections. This tactic has seen a notable uptick over the past eight months.
Source: ThreatFabric
These IPTV apps often play a pivotal role in copyright infringement, rendering them unavailable on Google Play due to policy violations. Users, accustomed to sideloading applications from unofficial channels, often consider this practice normal. In many instances, the IPTV app is a façade that does not provide access to pirated broadcasts; instead, the APK serves as a dropper that installs the malware payload. Occasionally, the app may even display a legitimate IPTV website within a WebView to maintain the illusion of authenticity.
Source: ThreatFabric
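The remote-control capabilities described above (MediaProjection screen streaming, Accessibility Service UI-tree control, screen overlays) and the dropper behaviour of the fake IPTV apps are all things an APK has to declare in its manifest. The Python triage script below is an added example, not code from ThreatFabric or from this article; it assumes a decoded AndroidManifest.xml of the kind apktool produces (binary manifests must be decoded first), and the two sample manifests and the risk rules inside it are constructed for illustration.

```python
"""Manifest-level triage for the capabilities the article attributes to Massiv.

Added example (not ThreatFabric's or the malware's code). Input is a
decoded AndroidManifest.xml string. It reports which of these the app
declares:
  - an Accessibility Service  -> UI-tree remote control / keylogging
  - SYSTEM_ALERT_WINDOW       -> screen overlays
  - FOREGROUND_SERVICE_MEDIA_PROJECTION -> screen streaming (API 34+)
  - REQUEST_INSTALL_PACKAGES  -> dropper installing a second APK
The sample manifests and the scoring rules are constructed, not taken
from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark-notation prefix ElementTree uses for android:* attributes

# Real Android permission names -> capability label used in the verdict.
PERMISSION_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen_stream",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
    "android.permission.RECEIVE_SMS": "sms_read",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(root):
    """Set of android:name values from every <uses-permission> element."""
    return {el.get(A + "name") for el in root.iter("uses-permission") if el.get(A + "name")}


def has_accessibility_service(root):
    """True if any <service> is bindable as an accessibility service."""
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_PERMISSION:
            return True
        if any(act.get(A + "name") == ACCESSIBILITY_ACTION for act in svc.iter("action")):
            return True
    return False


def triage_manifest(manifest_xml):
    """Return (sorted capability labels, verdict) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    caps = {label for perm, label in PERMISSION_FLAGS.items() if perm in perms}
    if has_accessibility_service(root):
        caps.add("accessibility_control")
    # Constructed rule: a video player has no reason to bind an accessibility
    # service; that together with overlays or screen streaming is the
    # combination the article describes for Massiv.
    if "accessibility_control" in caps and caps & {"overlay", "screen_stream"}:
        verdict = "high"
    elif caps:
        verdict = "medium"
    else:
        verdict = "low"
    return sorted(caps), verdict


# Constructed sample: what a fake "IPTV player" dropper might declare.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="IPTV Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a plain player that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps, verdict = triage_manifest(manifest)
        print(f"{name}: verdict={verdict} capabilities={', '.join(caps) or 'none'}")
```

The manifest is a coarse signal and the script should sit beside behavioural analysis rather than replace it: before Android 14 the MediaProjection API needs no manifest permission, the accessibility binding only becomes dangerous once the user grants it at runtime, and with a dropper the payload APK carries its own manifest, so the lure app may look clean. For app developers the UI-tree mode is the important caveat: FLAG_SECURE blocks screen capture but not an accessibility service reading the view hierarchy, so sensitive apps should also detect unexpected enabled accessibility services and limit what their views expose to accessibility.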
Researchers have noted that these malware droppers posing as IPTV apps predominantly target users in Spain, Portugal, France, and Turkey. To safeguard against such threats, Android users are strongly advised to download only vetted applications from reputable publishers available on official channels like Google Play, keep Play Protect activated, and conduct regular scans of their devices.