Massiv Mobile Malware

Cybersecurity analysts have uncovered a sophisticated Android banking trojan known as Massiv, engineered to execute device takeover (DTO) attacks aimed at financial theft. The malware disguises itself as legitimate IPTV applications, targeting individuals searching for online television services.

Although identified in a limited number of focused campaigns, the threat level is significant. Once installed, Massiv enables attackers to remotely control compromised devices, conduct fraudulent transactions, and directly exploit victims' mobile banking accounts.

The malware was initially detected in campaigns targeting users in Portugal and Greece earlier this year. However, forensic analysis has traced sample variants back to early 2025, suggesting prior smaller-scale testing operations.

Advanced Credential Harvesting and Overlay Manipulation

Massiv incorporates capabilities commonly found in advanced Android banking malware. It facilitates credential theft through multiple techniques, including screen streaming via Android's MediaProjection API, keylogging, SMS interception, and deceptive overlays placed over legitimate banking and financial applications. These overlays prompt users to submit login credentials and credit card information.

A notable campaign specifically targeted gov.pt, a Portuguese government application used to store identification documents and manage the Digital Mobile Key (Chave Móvel Digital or CMD). The malicious overlay impersonated the official interface and requested users' phone numbers and PIN codes, likely to circumvent Know Your Customer (KYC) verification processes.

Investigations also revealed instances where stolen data was leveraged to open new bank accounts in victims' names. These fraudulent accounts were subsequently used for money laundering operations or unauthorized loan applications, all without the victims' awareness.

Remote Control Capabilities and Screen Capture Evasion

Beyond credential theft, Massiv operates as a fully functional remote access tool. It grants attackers covert control of infected devices while displaying a black screen overlay to conceal malicious activity. These techniques exploit Android accessibility services, a tactic also observed in other banking trojans such as Crocodilus, Datzbro, and Klopatra.

Certain financial applications implement screen-capture protection mechanisms. To bypass these defenses, Massiv deploys a technique referred to as 'UI-tree mode.' This method traverses AccessibilityWindowInfo roots and recursively processes AccessibilityNodeInfo objects to reconstruct a detailed representation of the device's visible interface.

The malware generates a structured JSON map containing visible text, content descriptions, UI elements, screen coordinates, and interaction flags that indicate whether elements are clickable, editable, focused, or enabled. Only visible nodes containing text are transmitted to the attacker's command infrastructure, allowing precise remote interaction through issued commands.
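A defensive counterpart to the technique described above, added here as an example and not taken from the report or from any vendor SDK: a banking app can check which accessibility services are enabled against an allowlist, and mark its sensitive views so that services not declared as assistive tools cannot read them. The class name, method names and the allowlisted package are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Hypothetical in-app hardening helper (example code, not a real SDK). */
public final class AccessibilityGuard {
    // Constructed allowlist: the only service allowed to read this app's UI tree.
    private static final Set<String> TRUSTED_SERVICES =
            Collections.singleton("com.google.android.marvin.talkback");

    /** Enabled accessibility services the app does not trust; an empty list means none. */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return suspicious;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            // isAccessibilityTool (API 33+) is self-declared by the service, so it is only a
            // secondary signal; on older releases it is unknown and treated as satisfied.
            boolean declaresTool = Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU
                    || info.isAccessibilityTool();
            if (!TRUSTED_SERVICES.contains(pkg) || !declaresTool) {
                suspicious.add(pkg);
            }
        }
        return suspicious;
    }

    // FLAG_SECURE stops MediaProjection streaming; accessibilityDataSensitive (API 34+) also
    // hides the marked view from services not declared as accessibility tools, which is
    // exactly the data UI-tree mode collects when FLAG_SECURE alone is set.
    public static void protectSensitiveView(Activity activity, View sensitiveView) {
        activity.getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            sensitiveView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }
}
```

On releases before API 34 the second control has no effect, so the allowlist check remains the only signal that an untrusted service can read the interface.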

Comprehensive Malicious Functionality

Massiv is equipped with a broad operational toolkit enabling extensive device manipulation and persistence. Its capabilities include:

  • Activating or disabling a black screen overlay, muting sounds and vibration
  • Streaming the device screen and sending device information
  • Performing click and swipe gestures remotely
  • Modifying clipboard content
  • Unlocking the device using pattern authentication
  • Deploying overlays for targeted applications or lock screens
  • Downloading overlay packages and installing additional APK files
  • Opening system settings such as Battery Optimization, Device Administrator, and Play Protect
  • Requesting SMS and package installation permissions
  • Clearing device log databases

These functions collectively allow attackers to maintain control, evade detection, and execute financial fraud with precision.

Distribution Tactics: IPTV-Themed Droppers

Massiv spreads through SMS phishing campaigns using dropper applications that imitate IPTV services. After installation, the dropper prompts the victim to install an 'important' update and requests permission to install applications from external sources.

Identified malicious artifacts include:

  • IPTV24 (hfgx.mqfy.fejku) – Dropper application
  • Google Play (hobfjp.anrxf.cucm) – Massiv payload

In most documented cases, legitimate IPTV applications were not compromised. Instead, the dropper merely displayed IPTV-related web content through a WebView, creating the illusion of functionality while the malware executed in the background.

Over the past six months, similar TV-themed dropper campaigns have primarily targeted Spain, Portugal, France, and Turkey.

Indicators of Commercialization and Ongoing Development

Massiv enters an already saturated Android malware ecosystem, underscoring persistent demand for turnkey financial fraud solutions within cybercriminal communities.

Although not yet confirmed as a Malware-as-a-Service offering, analysis indicates movement in that direction. The introduction of API keys for backend communication suggests an effort to standardize operations and potentially enable third-party usage. Code review further reveals active development, signaling that additional features and expanded capabilities may emerge in future iterations.