A new Android trojan named Massiv is targeting mobile banking users in Portugal and Greece, posing as IPTV apps to facilitate device takeover attacks for financial theft.

Malware Capabilities and Techniques

Massiv employs sophisticated techniques, including screen streaming via Android's MediaProjection API, keylogging, SMS interception, and fake overlays over banking apps to capture credentials and credit card details. It can perform full remote-control actions, such as enabling black-screen overlays to conceal activities, muting device sounds, and altering clipboard contents.

The malware also bypasses screen-capture protections using a UI-tree mode that exports the visible UI nodes as JSON, which lets attackers issue interaction commands against those nodes. It can unlock devices secured with a pattern, serve overlays for apps or device locks, and request SMS and installation permissions.
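The following is an added example, not code from ThreatFabric or the original article: a static triage check over a decoded AndroidManifest.xml that maps the capabilities listed above to what an app would have to declare. The permission mapping, the review threshold of three capabilities and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability named in the article -> manifest permissions.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sideload_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "screen_streaming": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}
REVIEW_THRESHOLD = 3  # assumed cut-off for manual review, not from the report

def triage_manifest(manifest_xml):
    """Return the capabilities a decoded manifest declares and a review flag."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {el.get(ANDROID + "name") for el in root.iter(tag)}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms}
    # A foreground service typed mediaProjection also signals screen capture.
    for svc in root.iter("service"):
        if "mediaProjection" in (svc.get(ANDROID + "foregroundServiceType") or ""):
            found.add("screen_streaming")
    return {"package": root.get("package"),
            "capabilities": sorted(found),
            "review": len(found) >= REVIEW_THRESHOLD}

# Constructed sample: a "streaming" app that declares far more than playback needs.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Cast" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary player that only needs network and wake lock.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

A hit only says the declared permissions are out of proportion to an IPTV player; it is a prompt for manual review, not a Massiv signature.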

Distribution and Impact

Massiv is distributed through dropper apps mimicking IPTV services, often delivered via SMS phishing. Victims are prompted to install an "important" update and allow installations from unknown sources. Notable droppers include IPTV24 and a package named Google Play that implements Massiv.

Campaigns have targeted users in Spain, Portugal, France, and Turkey, with some focusing on government services like gov.pt and the Digital Mobile Key (Chave Móvel Digital) to collect phone numbers and PINs. Captured data has been used for money laundering and unauthorized bank account openings.

According to ThreatFabric, Massiv shows signs of ongoing development and may evolve into a Malware-as-a-Service model, with API keys facilitating backend communication.
