Massiv: Android banking malware that steals credentials by disguising itself as an IPTV app and controls your phone by manipulating the screen and interface


A new Android banking malware, named Massiv by researchers, is using fake IPTV applications as bait to steal digital identities and gain access to online bank accounts. The operators behind this malware family exploit the habit many users have of downloading APKs from outside the official stores: they disguise the Trojan as an Internet TV app and convince the victim to install apparently harmless software.

According to the analysis published by ThreatFabric, a company specializing in fraud detection and mobile threat monitoring, Massiv is not limited to stealing credentials with basic techniques: it combines screen overlays and keylogging with two remote control modes that let attackers manipulate the device as if they had it physically in their hands. These are the ability to view the screen live through the Android MediaProjection API, and a way to extract the structure of the interface (visible text, element names, coordinates and interaction attributes) through the system's accessibility service.


The use of the MediaProjection API to stream the screen and the extraction of a "UI tree" via the accessibility service make Massiv a sophisticated threat: the first method lets the attacker observe exactly what the user sees, while the second enables automated interactions with interface elements, such as pressing buttons or filling in text fields. This second mode can bypass the protections that many banking and messaging apps enable to block screenshots or recordings, because the attackers act on the interface structure rather than relying only on images.

The consequences are serious. In campaigns observed by ThreatFabric, Massiv targeted a Portuguese government application that connects to the Chave Móvel Digital, Portugal's authentication and digital signature system. Data stolen from such an app may allow criminals to evade customer verification (KYC) processes, open bank accounts in the victim's name at other institutions, request loans or run money-laundering schemes, leaving financial obligations on a real person who never authorized those transactions.

Researchers also point to a worrying pattern: in recent months the number of IPTV-themed APKs used to deliver malware has increased. Since these applications are often involved in copyright violations, they do not appear on Google Play, and their users are accustomed to obtaining them from unofficial channels, which lowers suspicion when they are asked to sideload an APK.

The impact map reported by the analysts shows the greatest activity in Spain, Portugal, France and Turkey, although the technique itself applies to any market where users are willing to install apps from outside the official stores. In many cases the installer (dropper) impersonates a legitimate IPTV app or even displays a real website inside a WebView to keep up the appearance of normality while the malicious payload is installed in the background.

Protecting yourself from threats like Massiv requires combining common sense with technical measures. First of all, avoiding downloads from unverified sources is the most effective defense: always look for reputable publishers and apps in the official store, check reviews and permissions, and distrust installers that ask you to enable accessibility services or screen recording permissions without a clear justification. Keeping Google Play Protect enabled and using it to scan the device regularly adds a further layer of detection; Google's Play Protect page explains how it works and how to enable it on each Android device: Google Play Protect support.

On the technical side, app developers and financial institutions can also mitigate the risk: using strong authentication mechanisms (preferably hardware-backed), limiting the exposure of sensitive data in the interface, detecting abnormal interactions and adding anti-automation checks. Advanced users should be familiar with the permissions requested by their apps and be especially wary of requests to enable the accessibility service, which is frequently abused to control devices. Those who develop or operate services that handle digital identities can consult the official technical documentation on the MediaProjection and AccessibilityService APIs to understand how these tools can be abused: MediaProjection (Android) and AccessibilityService (Android).
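As an added illustration of the developer-side mitigations listed above (this is example code written for this article, not code from ThreatFabric or from Massiv), the following Kotlin snippet lists enabled accessibility services that are not on an app's own allowlist yet can read window content, and hardens a sensitive screen against both capture modes the article describes. The allowlist package name is a constructed placeholder.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Constructed placeholder allowlist: an app would ship its own vetted list
// of screen readers it is willing to expose sensitive screens to.
val TRUSTED_A11Y_PACKAGES = setOf("com.example.trusted.screenreader")

data class A11yRisk(
    val packageName: String,
    val canReadWindowContent: Boolean,   // needed for UI-tree extraction
    val declaredAccessibilityTool: Boolean // API 33+ self-declaration, absent on older builds
)

/** Enabled accessibility services, outside the allowlist, that can read window content. */
fun untrustedContentReaders(context: Context): List<A11yRisk> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { info ->
            val pkg = info.resolveInfo.serviceInfo.packageName
            val canRead = info.capabilities and
                AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT != 0
            val isTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU &&
                info.isAccessibilityTool
            A11yRisk(pkg, canRead, isTool)
        }
        .filter { it.packageName !in TRUSTED_A11Y_PACKAGES && it.canReadWindowContent }
}

/** Hardening for a screen that shows credentials or a signing prompt. */
fun hardenSensitiveScreen(activity: Activity, sensitiveViews: List<View>) {
    // FLAG_SECURE blanks the window in screenshots and MediaProjection captures,
    // which covers the live-screen mode. It does NOT hide the view hierarchy
    // from accessibility services, so it does nothing against UI-tree scraping.
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
    // Removing the most sensitive fields from the accessibility tree addresses the
    // second mode, at the cost of genuine screen-reader users; keep the scope narrow
    // and pair it with the allowlist check above rather than hiding whole screens.
    sensitiveViews.forEach {
        it.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS
    }
}
```

A non-empty result from `untrustedContentReaders` is a signal to log and to treat the session as higher risk (for example by requiring a hardware-backed second factor), not proof of infection, since legitimate assistive tools also hold that capability.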


If you suspect that your device has been compromised, it is advisable to disconnect immediately from public networks, revoke the relevant credentials (changing passwords and PINs from another, trusted device), contact your bank and the competent authorities and, in cases of confirmed infection, restore the phone to factory settings after backing up legitimate data. In Portugal, for example, public cybersecurity agencies can provide guidance on incidents involving national digital identity services; the Centro Nacional de Cibersegurança is one of the official resources.

Massiv is a reminder that mobile threats evolve by exploiting the mix of legitimate system tools and human behavior: technology that enables accessibility and screen recording can also become a vector for fraud if it falls into the wrong hands. Maintaining safe habits when installing apps, keeping the operating system updated and reviewing financial activity regularly significantly reduces the risk of falling victim to such attacks.

For the full technical report, with examples of how Massiv works and the campaigns observed, see ThreatFabric's complete analysis on its blog: Massiv: When your IPTV app ends your savings, as well as the coverage that summarizes these findings in specialized media.
