Massiv Android trojan hides in IPTV droppers to enable device takeover and banking fraud

In a technical analysis published by ThreatFabric, researchers disclosed Massiv, an Android trojan that poses as IPTV apps and can remotely control infected devices to steal banking credentials. Samples date to early 2025, and initial campaigns targeted Portugal and Greece.

KEY FACTS

  • Incident: Massiv is an Android trojan delivered via dropper apps that mimic IPTV services
  • Targets: Initial campaigns targeted users in Portugal and Greece with samples from early 2025
  • Capabilities: Screen streaming, keylogging, SMS interception, fake overlays and remote control
  • Distribution: SMS phishing droppers prompt users to install updates and allow installs from external sources

Delivery used SMS phishing to install dropper applications that open a WebView for an IPTV site while the actual malware runs in the background. The dropper asks victims to grant permission to install packages from external sources and to install a malicious APK.

Massiv abuses Android accessibility services to perform remote actions. It can stream the screen via the MediaProjection API or extract a UI tree from AccessibilityNodeInfo objects to build a JSON representation of visible text and interaction flags for attacker commands.

The trojan serves overlays for banking and other apps, including a Portuguese public administration app, to capture phone numbers and PIN codes. Captured data has been used to open bank accounts in victims' names and enable undisclosed fraudulent transactions.

Operators can enable a black screen overlay to conceal activity while interacting with the device. The malware can also download and install additional APKs, alter the clipboard, unlock pattern locks and request broad permissions, including SMS access.
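A defender-side triage of a decoded AndroidManifest.xml for the capability combination described above, as an added example that is not taken from ThreatFabric's analysis. The mapping from behaviours to manifest permissions, the escalation threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."

# Behaviours named in the article mapped to real Android permissions.
# This mapping is the example's assumption, not an indicator list from the report.
BEHAVIOUR_PERMS = {
    "sideload_install": {P + "REQUEST_INSTALL_PACKAGES"},
    "sms_access": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "screen_capture": {P + "FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
}

def triage_manifest(manifest_xml):
    """Return the behaviours a manifest enables and a review priority."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    found = {b for b, perms in BEHAVIOUR_PERMS.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == P + "BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility_service")
    # Accessibility alone is common in legitimate apps; escalate only when it is
    # combined with at least two of the other behaviours (assumed threshold).
    high = "accessibility_service" in found and len(found) >= 3
    return {"package": root.get("package"), "behaviours": sorted(found),
            "review": "high" if high else "low"}

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: an "IPTV" app requesting the combination from the article.
SUSPICIOUS = f"""<manifest {NS} package="com.example.iptvplayer">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><service android:name=".Helper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

# Constructed sample: a streaming app that only needs network access.
BENIGN = f"""<manifest {NS} package="com.example.tvguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(triage_manifest(sample))
```

The input is a text manifest as produced by decoding an APK; overlays drawn through the accessibility service itself need no `SYSTEM_ALERT_WINDOW`, so a missing "overlay" entry does not rule them out.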

WHY IT MATTERS

Massiv combines proven Android banker techniques with remote control features to enable account takeover and identity misuse. The disclosure notes ongoing development and indicators that the operator may expand distribution in the coming months.