A newly discovered Android banking trojan dubbed Massiv is disguising itself as an IPTV application to steal digital identities and gain access to victims’ online banking accounts.
Researchers at ThreatFabric observed the malware targeting users through fake IPTV apps distributed outside official app stores. Once installed, Massiv uses screen overlays and keylogging to capture sensitive information, while also offering attackers full remote control over infected devices.
In the campaign analyzed by ThreatFabric, Massiv specifically targeted a Portuguese government application integrated with Chave Móvel Digital, Portugal’s digital authentication and electronic signature system. By compromising this service, attackers could obtain identity data capable of bypassing know-your-customer (KYC) checks and accessing banking platforms and other public or private online services.
Researchers documented cases in which fraudsters used stolen data to open new bank accounts in victims’ names. These accounts, fully controlled by the attackers, were then used for money laundering, taking out loans, and cashing out funds—leaving unsuspecting victims burdened with debts for accounts they never created.
Massiv provides two remote control modes to its operators. The first leverages Android’s MediaProjection API to livestream the device screen in real time. The second, more advanced method abuses Android’s Accessibility Services to extract structured UI data, including visible text, interface element names, screen coordinates, and interaction attributes. This “UI-tree” mode enables attackers to simulate taps, input text, and navigate apps directly.
The Accessibility-based approach is particularly dangerous because it can bypass screen-capture protections commonly deployed by banking and messaging apps. By interacting with the interface at a structural level, attackers can evade traditional screenshot-blocking defenses.
ThreatFabric also identified a growing trend in the use of IPTV-themed apps as malware lures over the past eight months. Because IPTV applications often facilitate access to pirated content, they are not available on official platforms like Google Play. Users seeking such services are therefore accustomed to downloading APK files from unofficial sources, making them more susceptible to malicious droppers.
In most observed cases, the IPTV app is entirely fake and serves solely as a dropper to install the Massiv payload. In some instances, the app loads a legitimate IPTV website within a WebView to appear authentic while silently deploying malware in the background.
The researchers found that IPTV-themed malware droppers have primarily targeted users in Spain, Portugal, France, and Turkey.
The emergence of Massiv highlights both the continued evolution of Android banking malware and the increasing exploitation of sideloaded applications as infection vectors. By combining social engineering, advanced remote control capabilities, and abuse of Android’s accessibility framework, attackers are creating highly effective tools for financial fraud and identity theft.
This campaign highlights how attackers are increasingly exploiting sideloaded apps to distribute advanced banking malware. Disguising Massiv as an IPTV app is a clever tactic, especially since users downloading such apps are already accustomed to installing APKs from unofficial sources. Strengthening user awareness and restricting Accessibility permissions to trusted apps are critical steps in reducing the risk of these sophisticated mobile banking threats.