
New ‘Massiv’ Android Malware Disguised as IPTV App Hijacks Banking Accounts

Researchers warn of identity theft and remote device control through fake streaming apps.

Security researchers at ThreatFabric have uncovered a new Android banking trojan named Massiv, which disguises itself as an IPTV streaming application.

The malware steals digital identities, captures banking credentials, and enables full remote control of infected devices.

Targeting Digital Identity Systems

ThreatFabric observed Massiv targeting a Portuguese government application linked to Chave Móvel Digital, the country’s digital authentication and electronic signature platform.

Because this system connects to sensitive identity data, attackers can potentially:

  • Bypass KYC verification processes
  • Open fraudulent bank accounts
  • Access public and private services
  • Apply for loans under victim identities

Researchers identified cases where fraudsters opened new financial accounts in victims’ names. Criminals then used those accounts for laundering operations, leaving victims with unexpected debt.

How Massiv Operates

Massiv combines multiple surveillance and control techniques.

First, it uses screen overlays to trick users into entering credentials into fake login interfaces.

Second, it deploys keylogging to capture typed information.

More importantly, it enables two advanced remote-control modes:

  1. Live screen streaming using Android’s MediaProjection API
  2. UI-tree extraction via the Accessibility Service

The second method allows attackers to extract visible text, interface elements, and screen coordinates. As a result, operators can simulate clicks, edit fields, and navigate apps remotely.

This capability helps bypass screen-capture protections used in banking and secure messaging applications.

IPTV Apps Used as Infection Lures

ThreatFabric identified a rising trend over the past eight months: attackers increasingly disguise malware as IPTV streaming apps.

Because many IPTV apps violate copyright policies, users often sideload them from unofficial APK sources. Criminals exploit this behavior.

In many cases:

  • The IPTV app is entirely fake
  • The APK acts as a dropper for Massiv
  • Some versions load a real IPTV website in a WebView to appear legitimate

Campaigns have primarily targeted users in Spain, Portugal, France, and Turkey.

Why This Matters

Banking malware no longer focuses only on credential theft. Instead, attackers now aim for complete identity takeover.

By combining digital ID access, remote control, and financial fraud, campaigns like Massiv increase both financial and regulatory risk.

Protection Recommendations

Android users should:

  • Download apps only from Google Play
  • Keep Play Protect enabled
  • Avoid sideloading APKs from unknown sources
  • Review app permissions carefully

Organizations should also educate employees about mobile identity risks, especially where government-backed digital ID systems integrate with banking platforms.
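To make the permission-review recommendation concrete, the following added example (not from ThreatFabric or the original article) ranks sideloaded apps by the capability mix described under "How Massiv Operates": an enabled accessibility service, overlays, screen streaming, and package installation. The package names, inventory layout, and scoring weights are assumptions, and the inventory is assumed to have been collected separately, for example over adb.

```python
# Triage sketch for an Android app inventory (added example).
# All package names and inventory data below are constructed sample values.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for a managed store (assumption)

# Real Android permission names mapped to the behaviours the article describes.
CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    # Declared by apps that run MediaProjection in a foreground service on Android 14+.
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-streaming",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

SAMPLE_INVENTORY = {  # constructed: package -> installer and requested permissions
    "com.example.bank": {"installer": "com.android.vending",
                         "permissions": ["android.permission.INTERNET"]},
    "com.example.iptvplayer": {"installer": None,
                               "permissions": ["android.permission.REQUEST_INSTALL_PACKAGES"]},
    "com.example.iptvupdate": {"installer": "com.example.iptvplayer",
                               "permissions": ["android.permission.SYSTEM_ALERT_WINDOW",
                                               "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"]},
    "com.example.notes": {"installer": None, "permissions": ["android.permission.INTERNET"]},
}
# Constructed value in the format of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.iptvupdate/.core.HelperService:com.example.reader/.TalkService"

def parse_enabled_services(setting):
    """Return package names from a colon-separated 'package/class' list ('null' when empty)."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if "/" in c}

def triage(inventory, a11y_setting):
    """Return [(package, score, reasons)] for sideloaded apps, highest score first."""
    a11y = parse_enabled_services(a11y_setting)
    findings = []
    for pkg, info in inventory.items():
        if info.get("installer") in TRUSTED_INSTALLERS:
            continue  # installed from a trusted store; out of scope for this check
        reasons = ["sideloaded"]
        if pkg in a11y:
            reasons.append("accessibility-enabled")
        reasons += sorted(CAPABILITIES[p] for p in info.get("permissions", []) if p in CAPABILITIES)
        if len(reasons) > 1:  # sideloading alone is not reported
            score = len(reasons) + (2 if pkg in a11y else 0)  # weight accessibility highest
            findings.append((pkg, score, reasons))
    return sorted(findings, key=lambda f: -f[1])
```

A high score is a prompt for manual review, not a verdict: legitimate screen readers and assistive tools also enable accessibility services.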