Ethical Hacking News
New Android Trojan Targets Mobile Banking Users: Massiv Emerges as a Significant Threat in the Fight Against Cybercrime
A recent discovery by Dutch mobile security company ThreatFabric reveals details of a new Android Trojan called Massiv designed to facilitate device takeover (DTO) attacks for financial theft. The malware masquerades as IPTV apps and targets users looking for online TV applications, primarily singling out mobile banking users.
- Massiv is a new Android Trojan designed to facilitate device takeover (DTO) attacks and enable financial theft, masquerading as IPTV apps.
- The malware has been observed dating back to 2025 and supports features like screen streaming via MediaProjection API, keylogging, SMS interception, and fake overlays.
- Massiv can bypass Know Your Customer (KYC) verification by tricking users into entering their phone number and PIN code through a fake overlay.
- The malware functions as a fully functional remote-control tool, granting operators access to the victim's device stealthily while showing a black screen overlay.
- Massiv uses UI-tree mode to bypass some protection implementations against screen capture.
- The malware carries out various malicious actions, including enabling black overlays, sending device information, and installing APK files.
- Massiv is distributed in the form of dropper apps mimicking IPTV apps via SMS phishing.
The threat landscape for mobile banking users has taken a significant turn for the worse with the emergence of Massiv, a new Android Trojan designed to facilitate device takeover (DTO) attacks and enable financial theft. According to recent reports from Dutch mobile security company ThreatFabric, Massiv masquerades as seemingly harmless IPTV apps to deceive victims, indicating that this activity is primarily singling out users looking for online TV applications.
ThreatFabric discovered the first signs of Massiv in a campaign targeting users in Portugal and Greece earlier this year. However, the malware has been observed dating back to 2025, with smaller test campaigns taking place throughout the year. Like various Android banking malware families, Massiv supports a wide range of features designed to facilitate credential theft through several methods.
These include screen streaming via Android's MediaProjection API, keylogging, SMS interception, and fake overlays served atop banking and financial apps. One such campaign was found targeting gov.pt, a Portuguese public administration app that allows users to store identification documents and manage the Digital Mobile Key (aka Chave Móvel Digital or CMD). The overlay tricks users into entering their phone number and PIN code, likely in an effort to bypass Know Your Customer (KYC) verification.
ThreatFabric stated that cases of scammers using the information captured through these overlays have been identified. They were able to open new banking accounts in the victim's name, allowing them to be used for money laundering or getting loans approved without the actual victim's knowledge.
Massiv also works as a fully functional remote-control tool. It grants operators stealthy access to the victim's device while showing a black screen overlay to conceal malicious activity. These techniques of abusing Android's accessibility services have been observed in other Android banking malware like Crocodilus, Datzbro, and Klopatra.
To bypass some protection implementations against screen capture, Massiv utilizes what is called UI-tree mode. This involves traversing AccessibilityWindowInfo roots and recursively processing AccessibilityNodeInfo objects to build a JSON representation of visible text and content descriptions, UI elements, screen coordinates, and interaction flags that indicate whether the UI element is clickable, editable, focused, or enabled.
The malware carries out a wide range of malicious actions, including:
- Enabling black overlays
- Muting sounds and vibration
- Sending device information
- Performing click and swipe actions
- Altering clipboard content with specific text
- Disabling black screens
- Turning screen streaming on and off
- Unlocking devices with patterns
- Serving overlays for apps, device pattern locks, or PINs
- Downloading ZIP archives with overlays for targeted applications
- Installing APK files
- Opening the Battery Optimization, Device Admin, and Play Protect settings screens
- Requesting permissions to access SMS messages and install APK packages
- Clearing log databases on the device
Massiv is distributed in the form of dropper apps mimicking IPTV apps via SMS phishing. Once installed and launched, it prompts victims to install an "important" update by granting it permissions to install software from external sources. The names of the malicious artifacts are listed below:
- IPTV24 (hfgx.mqfy.fejku) - Dropper
- Google Play (hobfjp.anrxf.cucm) - Massiv
ThreatFabric pointed out that in most cases observed, this is only masquerading: no actual IPTV applications were infected or initially contained malicious code. Instead, the dropper opens a WebView with an IPTV website in it while actually installing and running the malware on the device.
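A device triage check for the artifacts and behaviour described above, as an added example that is not from ThreatFabric or the original article: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, then flags the two package names listed above plus any non-store app that holds an enabled accessibility service. The sample output, the `org.example.tvguide` package, the service class names and the trusted-installer list are constructed assumptions.

```python
import re

# Package names listed in this article for the dropper and the payload.
IOC_PACKAGES = {"hfgx.mqfy.fejku": "IPTV24 dropper", "hobfjp.anrxf.cucm": "Massiv payload"}
# Assumption: only Google Play counts as a trusted installer; adjust per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    found = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_a11y(setting):
    """Packages that own a service in enabled_accessibility_services."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def triage(pm_output, a11y_setting, system_packages=()):
    """Return sorted (package, reason) findings for one device."""
    installers, a11y = parse_installers(pm_output), parse_a11y(a11y_setting)
    findings = []
    for pkg, installer in installers.items():
        if pkg in IOC_PACKAGES:
            findings.append((pkg, "ioc: " + IOC_PACKAGES[pkg]))
        elif (pkg in a11y and installer not in TRUSTED_INSTALLERS
              and pkg not in system_packages):
            findings.append((pkg, "sideloaded app with accessibility service enabled"))
    return sorted(findings)

# Constructed sample device output (not captured from a real infection).
SAMPLE_PM = """package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:hfgx.mqfy.fejku  installer=com.google.android.packageinstaller
package:hobfjp.anrxf.cucm  installer=hfgx.mqfy.fejku
package:org.example.tvguide  installer=null"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "hobfjp.anrxf.cucm/.Svc:org.example.tvguide/.HelperService")

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM, SAMPLE_A11Y, {"com.android.vending"}):
        print(pkg, "->", reason)
```

Preinstalled apps also report `installer=null`, so pass the output of `pm list packages -s` as `system_packages` to keep legitimate system accessibility services out of the findings.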
ThreatFabric noted that the majority of Android malware campaigns using TV-related droppers over the past six months targeted Spain, Portugal, France, and Turkey. Massiv is the latest entrant to this crowded threat landscape, reflecting the continued demand for such turnkey solutions among cybercriminals.
ThreatFabric discovered evidence that shows Massiv's operator is moving towards offering it as a Malware-as-a-Service (MaaS). This includes introducing API keys used in malware communication with the backend. Code analysis revealed ongoing development, with more features likely to be introduced in the future.
Given this information, it's clear that the threat posed by Massiv is real and significant. As mobile banking users become increasingly reliant on their devices for financial transactions, it's essential for them to remain vigilant against such threats. Regular security updates and awareness about new malware can help protect users from falling victim to such attacks.
Published: Thu Feb 19 08:34:30 2026 by llama3.2 3B Q4_K_M