Massiv, a new Android banking Trojan, is posing as IPTV apps to carry out fraudulent transactions across Europe. Discovered by the Mobile Threat Intelligence team, Massiv relies on side-loading to get onto devices and then targets banking accounts.
Technical Capabilities and Methods
Massiv employs overlay attacks, keylogging, and SMS/push interception to steal sensitive data. It displays fake overlays mimicking legitimate interfaces to capture login credentials and authentication codes. A notable campaign targeted Portugal's gov.pt and the Chave Móvel Digital service, potentially bypassing KYC protocols.
The malware's remote access is facilitated by a FuncVNC component using Android's AccessibilityService. It operates through WebSocket channels, offering two remote-control modes: screen streaming via the MediaProjection API and a UI-tree mode that maps interactive UI elements. This allows operators to automate interactions even when screen capture is blocked.
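One defender-side triage check for the capability mix just described, added here as an example and not taken from the original report: it parses constructed `adb shell` output (the enabled accessibility services setting, the installer listing from `pm list packages -i`, and permission excerpts from `dumpsys package`) and flags side-loaded apps that both run an AccessibilityService and hold the overlay and SMS permissions a banker of this kind combines it with. All package names and outputs are constructed.

```python
import re

# Constructed sample output of `adb shell settings get secure enabled_accessibility_services`
ENABLED_A11Y = ("tv.example.iptvplayer/tv.example.iptvplayer.RemoteService:"
                "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

# Constructed sample output of `adb shell pm list packages -i`
PM_LIST = """package:tv.example.iptvplayer  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending"""

# Constructed excerpts of `adb shell dumpsys package <pkg>`, keyed by package name
DUMPSYS = {
    "tv.example.iptvplayer": """    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true""",
    "com.google.android.marvin.talkback": """    install permissions:
      android.permission.INTERNET: granted=true""",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; anything else counts as side-loaded
RISKY = {"android.permission.SYSTEM_ALERT_WINDOW",  # overlays over banking apps
         "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}  # OTP interception

def parse_a11y(setting):
    """Packages that own an enabled AccessibilityService (entries are pkg/service, colon-separated)."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}

def parse_installers(listing):
    """Map package -> installer; 'null' means no recorded installer, i.e. side-loaded."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", listing, re.M)}

def granted_perms(dump):
    """Permissions reported as granted in a dumpsys package excerpt."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dump))

def triage(a11y_setting, pm_listing, dumps):
    """Return side-loaded apps with an enabled accessibility service and the risky permissions they hold."""
    installers = parse_installers(pm_listing)
    findings = []
    for pkg in sorted(parse_a11y(a11y_setting)):
        installer = installers.get(pkg, "null")
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed accessibility apps (e.g. TalkBack) are expected
        perms = granted_perms(dumps.get(pkg, "")) & RISKY
        findings.append({"package": pkg, "installer": installer, "risky_perms": sorted(perms)})
    return findings
```

Run against real output by substituting the three constants with the captured `adb shell` results; a non-empty result is a lead for manual review, not proof of infection.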
Distribution and Impact
Massiv is distributed by masquerading as IPTV applications, a lure that has become increasingly common in Spain, Portugal, France, and Turkey over the past 6–8 months. The Trojan shows an IPTV site in a WebView as a decoy while its malicious components run in the background, exploiting the common practice of side-loading IPTV apps.
Financial institutions are advised to monitor this evolving threat, as Massiv's targeted campaigns can evade broad detection yet cause significant financial damage. The malware's ongoing development and use of API keys suggest it could evolve into a Malware-as-a-Service, increasing its potential impact.