Massiv Android Trojan Spreads via Fake IPTV Apps
Banking trojan disguised as IPTV streaming apps targets users in Portugal and Greece, enabling device takeover and credential theft through overlay attacks.
A banking trojan dubbed Massiv is spreading through fake IPTV streaming applications, targeting mobile banking users primarily in Portugal and Greece with device takeover capabilities and credential-harvesting overlays.
The malware arrives via SMS phishing campaigns promoting dropper applications that masquerade as legitimate streaming services, according to research published by The Hacker News.
Two-Stage Infection
Massiv uses a dropper-plus-payload architecture. Victims first install an app called IPTV24, which then prompts them to install an "important update" that requires enabling installation from external sources. This second package—ironically named "Google Play"—contains the actual trojan.
The approach exploits user trust in familiar branding. An update prompt from what appears to be a streaming service feels routine. Granting permission to install from unknown sources feels like a minor inconvenience. By the time the malicious payload installs, victims have already normalized the unusual behavior.
What Massiv Can Do
Once installed, Massiv provides attackers with extensive device control:
- Screen streaming via Android's MediaProjection API
- Keystroke logging capturing everything typed
- SMS interception for two-factor authentication bypass
- Overlay attacks displaying fake login screens over legitimate banking apps
- UI-tree traversal to bypass screen capture protections
- Black screen concealment hiding malicious activity during remote sessions
The overlay capability targets banking applications specifically. When a victim opens their banking app, Massiv displays a pixel-perfect fake login screen that captures credentials before passing the user through to the real application. The experience feels seamless—most victims never realize their credentials were harvested.
Primary Targets
Researchers observed particular focus on gov.pt, the Portuguese public administration app. Massiv deploys overlays that capture phone numbers and PIN codes, providing attackers with information needed to bypass Know Your Customer verification processes.
Beyond Portugal, the campaign targets users in Greece, with broader campaigns observed against Spain, France, and Turkey using TV-related dropper themes.
The Android Security Gap
Massiv joins a growing roster of Android banking trojans exploiting accessibility services for device control. We've covered similar techniques in PromptSpy and other Android malware families that abuse accessibility permissions to achieve persistence and extract sensitive data.
The pattern repeats because it works. Android's accessibility services provide legitimate assistive technology capabilities that malware operators repurpose for credential theft and device takeover. Google has attempted to restrict accessibility service abuse, but determined attackers continue finding ways to convince users to grant the necessary permissions.
Indicators of Compromise
Security teams should block the following package identifiers:
- IPTV24 Dropper: hfgx.mqfy.fejku
- Massiv Payload: hobfjp.anrxf.cucm
Users who have installed apps matching these identifiers should immediately uninstall them, change banking credentials from a clean device, and monitor accounts for unauthorized transactions.
Defensive Guidance
For individual users, familiar advice applies:
- Avoid sideloading apps - install only from Google Play or verified sources
- Scrutinize update prompts - legitimate apps update through the Play Store
- Enable Google Play Protect - it provides baseline scanning for known threats
- Review accessibility permissions - revoke access for apps that don't need it
- Use banking app notifications - real-time alerts surface unauthorized access faster
For organizations with mobile workforces, mobile device management solutions that enforce installation policies and monitor for suspicious accessibility service grants provide additional protection.
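The package identifiers and the accessibility review advice above can be combined into one device triage check. This is an added example, not code from the article or the cited research: it parses the text output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and the trusted-installer policy, the sample output and the `com.example.*` names are assumptions constructed for illustration.

```python
# Added example: triage one Android device against the article's IoCs and
# flag non-store apps that hold an enabled accessibility service.
import re

IOC_PACKAGES = {"hfgx.mqfy.fejku": "IPTV24 dropper",
                "hobfjp.anrxf.cucm": "Massiv payload"}  # from the article
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: fleet policy

# Constructed sample output; the com.example.* packages are made up.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:hfgx.mqfy.fejku  installer=null
package:hobfjp.anrxf.cucm  installer=null
package:com.example.cleaner  installer=null
package:com.example.reader  installer=com.android.vending
"""
SAMPLE_A11Y = "com.example.cleaner/.HelperService:com.example.reader/.ReaderService"

PKG_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")

def parse_packages(pm_output):
    """Map package name -> installer (None if absent or 'null')."""
    packages = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installer = m.group(2)
            packages[m.group(1)] = None if installer in (None, "null") else installer
    return packages

def parse_accessibility(setting_value):
    """Return the packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if value in ("", "null"):  # the setting is unset on many devices
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_setting):
    """Return sorted (package, finding) tuples for analyst review."""
    a11y = parse_accessibility(a11y_setting)
    findings = []
    for name, installer in parse_packages(pm_output).items():
        if name in IOC_PACKAGES:
            findings.append((name, "IoC match: " + IOC_PACKAGES[name]))
        elif name in a11y and installer not in TRUSTED_INSTALLERS:
            findings.append((name, "accessibility service on non-store app"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(finding)
```

The second finding type is a lead for review rather than a verdict, since apps installed over adb or by an enterprise installer also report an installer outside the trusted set.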
The IPTV Angle
Streaming piracy creates perfect conditions for malware distribution. Users seeking free access to paid content accept sketchy app sources as the cost of doing business. They're primed to grant unusual permissions and ignore security warnings because that's normal in the piracy ecosystem.
Massiv's operators understood this dynamic. By packaging their dropper as an IPTV application, they preselected for victims willing to install from untrusted sources. The overlap between streaming piracy users and people who might click SMS links offering "free TV" creates an efficient targeting mechanism.
Why This Matters
Banking trojans aren't new, but Massiv's combination of device takeover capabilities and overlay precision makes it particularly dangerous. The ability to hide malicious activity behind a black screen while streaming victim interactions means attackers can respond in real-time to authentication challenges.
For readers tracking mobile threats, the ZeroDayRAT analysis provides additional context on Android surveillance malware capabilities. Both families demonstrate how accessibility service abuse enables deep device compromise that basic security measures struggle to prevent.
The streaming piracy distribution channel will likely see continued exploitation. Users who've grown comfortable with unofficial app sources represent persistently vulnerable targets for banking fraud operations.