Security researchers at ThreatFabric have identified a new Android banking trojan named Massiv, disguised as a fake IPTV app. This malicious software primarily targets users in Portugal, exploiting screen overlays and keylogging techniques to steal sensitive information.
Trojan Functionality and Targets
Massiv focuses on two significant applications: a government app and the Chave Móvel Digital digital authentication system. The malware operates in two distinct modes. In one mode, it live-streams the victim's device activity. In the other, it uses the Accessibility Service to extract structured data, such as visible text, interface element names, screen coordinates, and interaction attributes. This Accessibility mode allows the trojan to bypass screen-capture protections typically employed by banking and communications apps.
Consequences and Warnings
Attackers leverage the stolen data to open bank accounts in victims' names, launder money, obtain loans, and cash out, leaving the victims burdened with debts. ThreatFabric warns that IPTV apps are increasingly being used as lures for Android malware, as they are often distributed outside the Google Play Store. Many of these IPTV packages are fraudulent and do not provide actual broadcast services.
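
As an added example (not from ThreatFabric or the original article), the sketch below audits a device for the combination described above: an enabled Accessibility Service that belongs to an app installed from outside Google Play. It parses the text output of the `adb shell` commands named in the comments; the sample output and all `com.example.*` package names are constructed.

```python
PLAY_STORE = "com.android.vending"

def parse_packages(pm_output):
    """Parse `pm list packages -i` (or `-s`) output into {package: installer}."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        head, _, tail = line[len("package:"):].partition("installer=")
        installer = tail.strip()
        result[head.strip()] = None if installer in ("", "null") else installer
    return result

def parse_accessibility(setting_value):
    """Packages named in `settings get secure enabled_accessibility_services`
    (colon-separated `package/ServiceClass` components)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [comp.split("/", 1)[0] for comp in value.split(":") if comp]

def flag_sideloaded_accessibility(a11y, pm_installers, pm_system, trusted=(PLAY_STORE,)):
    """Return (package, installer) for enabled accessibility services that are
    neither preinstalled system apps nor installed by a trusted store."""
    installers = parse_packages(pm_installers)
    system = set(parse_packages(pm_system))  # preinstalled apps report installer=null
    return [(pkg, installers.get(pkg)) for pkg in parse_accessibility(a11y)
            if pkg not in system and installers.get(pkg) not in trusted]

# Constructed sample output; every package name here is hypothetical.
SAMPLE_A11Y = ("com.example.screenreader/com.example.screenreader.ReaderService:"
               "com.example.passwords/com.example.passwords.FillService:"
               "com.example.iptvplayer/com.example.iptvplayer.HelperService")
SAMPLE_INSTALLERS = """\
package:com.example.screenreader  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.iptvplayer  installer=null
"""
SAMPLE_SYSTEM = "package:com.example.screenreader\n"  # from `pm list packages -s`

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"review: {pkg} has an enabled accessibility service (installer: {src})")
```

A flagged package is a prompt for review, not proof of compromise: legitimately sideloaded accessibility tools will also appear.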