Massiv Android Banking Trojan Disguised as IPTV Apps Enables Full Device Takeover for Financial Fraud

ThreatFabric has disclosed a new Android banking trojan called Massiv that masquerades as IPTV streaming apps to gain access to victims' devices, enabling full remote control and financial fraud through device takeover attacks.

Although currently observed in a limited number of targeted campaigns, the malware already poses significant risk — its operators can remotely control infected devices, steal banking credentials, and perform fraudulent transactions directly from victims' accounts.

Fake IPTV Apps as the Entry Point

Massiv is distributed via SMS phishing using dropper apps that mimic legitimate IPTV applications. Once installed, the dropper prompts the victim to install an "important update" by granting permission to install software from external sources. The dropper opens a WebView displaying a real IPTV website while the actual malware installs silently in the background.

Known malicious artifacts include:

  • IPTV24 (hfgx.mqfy.fejku) — dropper
  • Google Play (hobfjp.anrxf.cucm) — Massiv payload

The majority of campaigns using TV-related droppers have targeted Spain, Portugal, France, and Turkey over the past six months.

Full Device Takeover Capabilities

Massiv supports an extensive feature set built around Android's accessibility services to achieve complete device control:

Credential theft — serves fake overlay screens atop banking and financial apps to capture login credentials and credit card details. One campaign specifically targeted gov.pt, Portugal's public administration app, tricking users into entering phone numbers and PIN codes to bypass Know Your Customer (KYC) verification.

Screen streaming — uses Android's MediaProjection API for real-time device monitoring. When apps implement screen capture protection, Massiv bypasses it using a UI-tree traversal mode that recursively processes accessibility node objects to build a JSON representation of visible screen content.

Stealth remote control — displays a black screen overlay while operators interact with the device, concealing malicious activity. Can mute sounds and vibration, unlock the device with pattern input, and perform click and swipe actions.

Additional capabilities include keylogging, SMS interception, clipboard manipulation, APK download and installation, and the ability to clear device log databases to destroy forensic evidence.

Beyond Credential Theft — Fraudulent Account Creation

ThreatFabric identified cases where operators used credentials captured through overlay attacks to open new banking accounts in victims' names — enabling money laundering and fraudulent loan approvals without the victim's knowledge. This elevates Massiv beyond typical credential-stealing malware into a tool for full identity abuse.

Signs of MaaS Evolution

While not yet promoted as Malware-as-a-Service, Massiv's architecture shows clear signs of heading in that direction. Code analysis revealed API keys used in malware-to-backend communication, suggesting the operator is building infrastructure to support multiple affiliates. Active development is ongoing, with additional features expected in future versions.

ThreatFabric notes similarities in device takeover techniques with other Android banking trojans including Crocodilus, Datzbro, and Klopatra — all of which abuse accessibility services for remote control and overlay attacks.

Defender Recommendations

  • Block sideloading — enforce policies preventing installation from unknown sources, particularly on managed devices
  • Monitor for accessibility service abuse — flag apps requesting accessibility permissions that are not from trusted sources
  • Educate users on IPTV app risks — warn that unofficial streaming apps distributed via SMS are a common malware vector
  • Detect overlay activity — banking apps should implement overlay detection and flag credential entry during suspicious UI states
  • Watch for dropper patterns — apps that immediately prompt for update installation after first launch are a strong indicator of dropper behavior
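The second and fifth recommendations above can be turned into a quick fleet-triage check. The following script is an added example written for this article, not ThreatFabric's or Zero Day Wire's code. It parses the output of two real adb commands that an analyst captures from a device (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -f`), flags any enabled accessibility service whose package is not on an assumed allowlist, matches third-party packages against the two indicators quoted in the report, and flags packages whose user-visible label claims to be Google Play while the package name is not the genuine one. The trusted-package allowlist, the accessibility service class name used for the payload, and all sample inputs are constructed for illustration.

```python
"""Triage enabled accessibility services and sideloaded packages on Android.

Added example for the Massiv write-up; not code from the report. Inputs are
the raw strings printed by:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -f
Package labels are not part of `pm list` output, so they are passed in
separately (for example from `aapt dump badging <apk>`).
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators quoted from the ThreatFabric report on the page.
KNOWN_BAD_PACKAGES = {
    "hfgx.mqfy.fejku": "IPTV24 dropper",
    "hobfjp.anrxf.cucm": "Massiv payload (labelled 'Google Play')",
}

# Assumed allowlist; replace with the accessibility providers your fleet trusts.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

# Genuine package names behind a "Google Play" label.
GENUINE_GOOGLE_PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    package: str
    reason: str


def parse_enabled_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs.

    The Settings.Secure value is a colon-separated list of ComponentName
    strings, either 'pkg/pkg.Service' or the short form 'pkg/.Service'.
    adb prints the literal 'null' when no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for component in raw.split(":"):
        if "/" not in component:
            continue  # tolerate odd OEM output instead of crashing
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_pm_list(raw: str) -> dict[str, str]:
    """Parse 'package:<apk path>=<package name>' lines into {package: path}."""
    packages = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, pkg = line[len("package:"):].rsplit("=", 1)
        packages[pkg] = path
    return packages


def triage(acc_raw: str, pm_raw: str, labels: dict[str, str] | None = None) -> list[Finding]:
    """Combine the three checks; third-party packages are the `pm list -3` set."""
    labels = labels or {}
    findings: list[Finding] = []
    third_party = parse_pm_list(pm_raw)
    for pkg in third_party:
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(Finding("high", pkg, f"known indicator: {KNOWN_BAD_PACKAGES[pkg]}"))
    for pkg, cls in parse_enabled_accessibility_services(acc_raw):
        if pkg not in TRUSTED_ACCESSIBILITY_PACKAGES:
            # A sideloaded app holding accessibility is the Massiv pattern: high.
            severity = "high" if pkg in third_party else "medium"
            findings.append(Finding(severity, pkg, f"untrusted accessibility service enabled: {cls}"))
    for pkg, label in labels.items():
        if "google play" in label.lower() and pkg not in GENUINE_GOOGLE_PLAY_PACKAGES:
            findings.append(Finding("high", pkg, f"label {label!r} impersonates Google Play"))
    return findings


# Constructed sample captures. The service class '.AccessService' is a placeholder,
# not the real class name from the malware.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":hobfjp.anrxf.cucm/.AccessService"
)
SAMPLE_PM_LIST = """package:/data/app/~~aaa==/hfgx.mqfy.fejku-1/base.apk=hfgx.mqfy.fejku
package:/data/app/~~bbb==/hobfjp.anrxf.cucm-1/base.apk=hobfjp.anrxf.cucm
package:/data/app/~~ccc==/com.example.notes-1/base.apk=com.example.notes
"""
SAMPLE_LABELS = {
    "hobfjp.anrxf.cucm": "Google Play",
    "com.example.notes": "Notes",
    "com.android.vending": "Google Play Store",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PM_LIST, SAMPLE_LABELS):
        print(f"[{finding.severity}] {finding.package}: {finding.reason}")
```

On the constructed sample the script reports four high-severity findings, all on the two indicator packages: both indicator matches, the untrusted accessibility service held by the sideloaded payload, and the "Google Play" label on a package that is not `com.android.vending`. An accessibility service from an untrusted package that is not in the third-party list is reported as medium so that system or OEM services still get reviewed without being treated as sideloaded malware.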
