Full Report
Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that's designed to facilitate device takeover (DTO) attacks for financial theft. The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily singling out users looking for the online TV applications. "This new threat, while
Analysis Summary
# Tool/Technique: Massiv Android Trojan
## Overview
Massiv is a sophisticated Android banking trojan designed to facilitate Device Takeover (DTO) attacks and financial theft. It primarily masquerades as IPTV applications to trick users into installation. Once active, it allows remote operators to control the device, steal credentials, and perform fraudulent transactions directly from the victim's banking applications.
## Technical Details
- **Type:** Malware Family (Banking Trojan/Remote Access Trojan)
- **Platform:** Android
- **Capabilities:** Screen streaming, keylogging, SMS interception, credential theft via overlays, and remote device control (DTO).
- **First Seen:** Reported February 2026.
## MITRE ATT&CK Mapping
- **[TA0031 - Initial Access]**
  - **[T1475 - Deliver Malicious App via Phishing]**: Distributed via SMS phishing (smishing).
- **[TA0030 - Persistence]**
  - **[T1624.001 - Event Triggered Execution: Accessibility Service]**: Abuses Accessibility Services to maintain control and perform actions.
- **[TA0035 - Collection]**
  - **[T1417.001 - Input Capture: Keylogging]**: Captures user keystrokes.
  - **[T1513 - Screen Capture]**: Uses the MediaProjection API and UI-tree traversal for screen monitoring.
- **[TA0037 - Command and Control]**
  - **[T1437.001 - Standard Application Layer Protocol: Web Protocols]**: Communicates with C2 for commands and overlay delivery.
- **[TA0039 - Exfiltration]**
  - **[T1646 - Exfiltration Over C2 Channel]**: Sends captured credentials and device info to attackers.
## Functionality
### Core Capabilities
- **Credential Theft:** Uses fake HTML overlays atop legitimate banking apps and the Portuguese `gov.pt` app to steal login PINs and credit card details.
- **SMS Interception:** Captures incoming SMS messages to bypass Two-Factor Authentication (2FA).
- **Keylogging:** Records all text input on the infected device.
- **Screen Streaming:** Uses the Android MediaProjection API to stream the device's screen to the attacker in real time.
### Advanced Features
- **UI-Tree Traversal:** To bypass apps that block screen capture, Massiv traverses `AccessibilityWindowInfo` roots to build a JSON map of all UI elements (coordinates, clickable status, and text).
- **Stealth / Black Screen Mode:** Can muffle sounds/vibrations and display a "black screen" overlay to hide malicious background activity from the user.
- **Remote Operations:** Executes clicks, swipes, clipboard alterations, and device unlocking via pattern/PIN.
- **Persistence Management:** Can open settings screens for Battery Optimization, Device Admin, and Play Protect to prompt the user to disable security features.
## Indicators of Compromise
- **File Names:** `IPTV24`, `hfgx` (Note: Often disguised as online TV or IPTV utility apps).
- **Behavioral Indicators:**
  - Requests for "Accessibility Services" permissions immediately after install.
  - Prompts to install "updates" from unknown sources via a dropper.
  - Unusual battery drain or data usage while the device is "idle" (due to screen streaming).
## Associated Threat Actors
- Currently attributed to unidentified cybercriminals targeting mobile banking users, with specific campaigns observed targeting Portuguese citizens (`gov.pt`).
## Detection Methods
- **Behavioral Detection:** Monitoring for apps that abuse Accessibility Services and MediaProjection simultaneously, or apps that frequently request `REQUEST_INSTALL_PACKAGES` permissions.
- **Signature-based:** Security software scans for known APK signatures associated with the Massiv family and its droppers.
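As an added illustration of the behavioral detection described above (example code, not part of the original report or of any vendor product), the following Python performs a static triage of an Android manifest for the capability combination the report calls out: Accessibility Services together with MediaProjection, plus `REQUEST_INSTALL_PACKAGES`, SMS access and overlay permissions. The permission and attribute names are real Android ones; the two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Manifest permissions mapped to the capabilities the report calls out. Note that
# FOREGROUND_SERVICE_MEDIA_PROJECTION is mandatory only on Android 14+, so samples
# targeting older API levels may reveal MediaProjection use only at runtime.
PERMISSION_TAGS = {
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "media_projection",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_packages",  # dropper
    "android.permission.RECEIVE_SMS": "sms",                            # 2FA theft
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",                # fake screens
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def manifest_capabilities(manifest_xml: str) -> set:
    """Collapse declared permissions and services into coarse capability tags."""
    root = ET.fromstring(manifest_xml)
    caps = {PERMISSION_TAGS[p.get(NS + "name")]
            for p in root.iter("uses-permission") if p.get(NS + "name") in PERMISSION_TAGS}
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == A11Y_BIND:
            caps.add("accessibility")
        if "mediaProjection" in svc.get(NS + "foregroundServiceType", ""):
            caps.add("media_projection")
    return caps

def triage(manifest_xml: str) -> list:
    """Return the report's behavioral indicators that this manifest matches."""
    caps = manifest_capabilities(manifest_xml)
    rules = [  # most severe combination first
        ("accessibility_plus_media_projection", {"accessibility", "media_projection"}),
        ("accessibility_plus_overlay", {"accessibility", "overlay"}),
        ("requests_install_packages", {"install_packages"}),
        ("sms_interception_capable", {"sms"}),
    ]
    return [name for name, needed in rules if needed <= caps]

# Constructed sample manifests, not real Massiv artefacts.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{NS[1:-1]}" package="com.example.iptv">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="{A11Y_BIND}"/>
    <service android:name=".Cast" android:foregroundServiceType="mediaProjection"/>
  </application></manifest>"""
BENIGN_MANIFEST = f"""<manifest xmlns:android="{NS[1:-1]}" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Playback"
    android:foregroundServiceType="mediaPlayback"/></application></manifest>"""
```

`triage(SUSPICIOUS_MANIFEST)` returns all four indicators, while the benign media player yields an empty list; a real pipeline would feed it manifests extracted from APKs (for example via apktool or aapt) rather than inline strings.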
## Mitigation Strategies
- **Prevention:** Avoid downloading IPTV or streaming applications from third-party websites or links sent via SMS.
- **Hardening:** Disable "Install from Unknown Sources" in Android settings.
- **Permission Hygiene:** Be extremely wary of any application requesting "Accessibility Services" unless there is a clear, legitimate functional need.
- **Security Software:** Use reputable mobile EDR/antivirus solutions to detect banking overlays.
## Related Tools/Techniques
- **Crocodilus:** Similar Android banker using Accessibility Service abuse.
- **Datzbro / Klopatra:** Android trojans sharing similar device takeover techniques.
- **MediaProjection API:** Legitimate Android API abused by this malware for unauthorized screen monitoring.