Cybersecurity experts have identified a new Android malware, dubbed Massiv, which poses a significant threat to mobile banking users. According to ThreatFabric, this malware disguises itself as benign IPTV applications, targeting users interested in online TV services. Its primary objective is to execute device takeover (DTO) attacks for financial theft.
Malware Capabilities and Methods
Massiv is equipped with several features that aid in stealing user credentials. It employs screen streaming, keylogging, SMS interception, and deceptive overlays on banking apps to gather sensitive information. One particular campaign has been found targeting a Portuguese public administration application, tricking users into divulging their phone numbers and PIN codes to bypass Know Your Customer (KYC) processes.
The malware allows operators to control infected devices remotely, perform fraudulent transactions, and open new banking accounts in the victim’s name. It also abuses Android’s accessibility services to operate stealthily, displaying a black screen overlay to hide its activity from the user. Its techniques resemble those of other Android banking malware families such as Crocodilus and Klopatra.
Technical Exploits and Distribution
The malware abuses built-in Android features to capture screen content while circumventing protections against screen capture. In its UI-tree mode it reads the visible UI elements and exports them to the attackers, who then interact with the device based on that information. Massiv can also mute device sounds, alter clipboard contents, and manipulate screen settings.
Massiv is distributed through SMS phishing campaigns in which it masquerades as an IPTV app. Once installed, it prompts the user to allow software installation from external sources under the guise of an essential update. Dropper apps presented under names such as IPTV24 and Google Play then install the malware payload on the device.
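As an added illustration (not code from the ThreatFabric report), the capability combination described above can be triaged statically: the Python below parses a constructed AndroidManifest.xml for a hypothetical IPTV-styled app and flags the pairing of an accessibility service with overlay, SMS and sideloading permissions. The permission and intent-action names are real Android ones; the sample manifest, package name and function names are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions that map onto the capabilities attributed to Massiv.
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload",
}

# Constructed manifest of a hypothetical IPTV-styled dropper (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iptv.player">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".PlayerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def capabilities(manifest_xml):
    """Return the set of capability tags a manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        tag = SUSPECT_PERMISSIONS.get(perm.get(A + "name"))
        if tag:
            found.add(tag)
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter registers the AccessibilityService action.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_BIND and any(
            act.get(A + "name") == ACCESSIBILITY_ACTION for act in svc.iter("action")
        ):
            found.add("accessibility")
    return found

def is_dto_profile(manifest_xml):
    """Flag an app combining accessibility with at least two of overlay/SMS/sideload."""
    caps = capabilities(manifest_xml)
    return "accessibility" in caps and len(caps & {"overlay", "sms", "sideload"}) >= 2
```

A legitimate IPTV player has no reason to bind an accessibility service, so this pairing is a useful review trigger even though any one permission alone is benign.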
Impact and Future Developments
Recent campaigns using TV-themed droppers have primarily affected users in Spain, Portugal, France, and Turkey. Although Massiv is not yet marketed as Malware-as-a-Service, its operators show signs of heading in that direction, with ongoing development and potential new features.
This development underscores the persistent demand for advanced malware solutions among cybercriminals. As Massiv continues to evolve, it is crucial for users to remain vigilant and for the cybersecurity community to enhance protective measures against such threats.
