Massiv, the Android Trojan that steals money while hiding behind IPTV apps


Cybersecurity researchers have detected a new Android Trojan that targets financial operations through remote control of the device. Known as Massiv, the malware is disguised as an IPTV application to win the trust of people looking to watch television online, and then runs a series of techniques aimed at emptying accounts or stealing identities.

Massiv does not just steal credentials in the traditional way: it combines screen capture, keylogging and fake overlay interfaces to deceive the user and harvest sensitive data, including card numbers and PINs. For screen streaming it abuses the Android MediaProjection API, a legitimate feature designed for screen sharing that, in the wrong hands, makes it easy to steal visually whatever appears on the device (official MediaProjection documentation).


When a legitimate app blocks screen capture, Massiv falls back on a quieter method: it uses accessibility services to read the structure of the user interface. By walking the window tree and its accessibility nodes, the malware builds a JSON representation of the visible content (text, descriptions, positions and which elements are interactive) and sends that information to the attacker, who can then decide which actions to automate.

This ability to "see" and manipulate the screen is complemented by black screens that hide the malicious activity from the user, the ability to mute the device, simulate taps and swipes, alter the clipboard, and even unlock the phone if the operators know or obtain the unlock pattern. It can also download overlays tailored to banking or identity applications and run package installations without the victim easily noticing.

A worrying example identified by analysts is the use of these overlays to attack public administration applications. In Portugal, campaigns have been observed that try to trick users of the official gov.pt app associated with the management of the Chave Móvel Digital, asking for the phone number and the PIN in order to bypass verification controls. With this data, criminals have managed to open bank accounts in the victims' names and use them as vehicles to launder money or apply for credit.

Massiv is usually distributed through "droppers": applications that pose as IPTV players or services and arrive via SMS messages carrying phishing links. When opened, the application shows a legitimate page inside a WebView while, in the background, the malicious component has already been installed and requests permission to install applications from unknown sources and to access SMS and other critical functions.

The pattern is not new, but it is disturbing in its sophistication. The abuse of accessibility services to automate fraud and the overlay technique have been used by Android banking malware families for years. Massiv adds to this repertoire a modular set of remote commands and the ability to download packages with templates for targeting specific applications, suggesting that its authors are professionalizing the tool.

The technical reports that describe this Trojan point to targeted campaigns in countries such as Spain, Portugal, France and Turkey. In addition, signs in the code (for example, the introduction of API keys for communication with the server) suggest that its operators could end up offering it as a service to other cybercriminals, a model known as Malware-as-a-Service.

For users, there are practical measures that reduce the risk: avoid installing applications from links received by SMS, always check that an app comes from an official store, keep the operating system and apps up to date, and review the permissions an application requests. Enable automatic protections such as Google Play Protect and distrust requests for elevated permissions for "important updates" when the source cannot be verified (information about Play Protect).
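As an added example (not code from the article or from ThreatFabric's report), the following Python triage helper turns the two checks above, reviewing which apps hold accessibility access and whether they came from an official store, into something a defender can run over the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample outputs and the package names in them are constructed.

```python
"""Triage helper (added example, not code from the article or from ThreatFabric):
given the output of two adb commands, flag enabled accessibility services
that belong to packages not installed through the Play Store."""
import re

# Constructed sample of:  adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.AccessService"
)

# Constructed sample of:  adb shell pm list packages -i
PM_LIST_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.bank.app  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; extend for MDM/OEM stores

def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ('null' when sideloaded or unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_a11y_services(setting: str) -> list:
    """Split the colon-separated 'package/service' list into (package, service) tuples."""
    out = []
    for entry in setting.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            if svc.startswith("."):  # shorthand class name relative to the package
                svc = pkg + svc
            out.append((pkg, svc))
    return out

def suspicious_a11y(setting: str, pm_output: str) -> list:
    """Return enabled services whose package did not come from a trusted installer."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, svc in parse_a11y_services(setting):
        src = installers.get(pkg, "unknown")
        if src not in TRUSTED_INSTALLERS:
            flagged.append({"package": pkg, "service": svc, "installer": src})
    return flagged
```

A hit is a starting point for review, not proof of infection: some legitimate apps (screen readers, enterprise tools) are sideloaded and use accessibility services, but a recently installed "IPTV player" with an enabled accessibility service and no store installer matches the dropper pattern the article describes.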


If you use a banking app, make sure you use the bank's official channels and enable multi-factor authentication where available. If you suspect fraud or notice unfamiliar transactions, contact your financial institution immediately and consider restoring compromised devices to factory settings after backing up what you need.

The appearance of Massiv is a reminder that the mobile ecosystem remains a lucrative target and that tactics evolve quickly. For those who want to go deeper into technical analysis and detection, the researchers who documented this campaign have published a detailed report with indicators and observations (report by ThreatFabric), and specialist media have reproduced and contextualized their findings (The Hacker News).

The lesson is clear: applications that mimic popular services, such as TV players, are a regular vector for introducing threats. Caution and good practice when installing software remain the first line of defense against increasingly automated and powerful tools designed to take over our phones and, with them, our money and our identity.
