A newly discovered Android banking trojan dubbed Massiv is being used in targeted attacks against mobile banking and government service users. Identified by ThreatFabric researchers, the malware impersonates popular IPTV applications and gives attackers near-complete control over compromised devices, enabling large-scale financial fraud and identity abuse.
Smishing and fake IPTV apps: how Massiv infects Android devices
The distribution chain of Massiv banking malware relies on SMS phishing (smishing). Victims receive text messages containing a link to what is presented as a legitimate IPTV application (for example, “IPTV24”) or a critical update for an existing service. Instead of leading to Google Play, the link downloads an APK file from an external site, so the user must sideload the app outside the store's review and Play Protect checks.
Abuse of sideloading and deceptive “critical updates”
After installation, the dropper behaves like a standard IPTV client but quickly prompts the user to install a “critical update,” requesting permission to install software from unknown sources. Granting this permission disables an important Android security barrier and allows the full Massiv payload to be deployed outside official app store controls and Google Play Protect checks.
To reinforce the illusion of legitimacy, the IPTV dropper loads the real website of the IPTV provider inside a WebView. The user sees a functional interface and streaming content, while in the background the trojan silently connects to its command-and-control (C2) infrastructure and prepares to harvest credentials and take over the device.
Massiv capabilities: advanced banking trojan and full-featured Android RAT
Screen capture, keylogging, SMS interception, and overlay attacks
Massiv includes the entire toolset typical of modern Android banking trojans. By abusing the MediaProjection API, the malware can capture and stream the device screen in real time, exposing everything the user does: logging in to mobile banking, entering card details, or approving transactions.
In parallel, the trojan implements keylogging and SMS interception. Captured keystrokes and incoming messages, including one-time passwords (OTP) and banking alerts, are exfiltrated to the attacker’s server. This enables bypass of SMS-based two-factor authentication, a method still widely used in many countries despite repeated warnings from the security community.
A core attack vector is the use of fake overlay windows on top of banking and financial apps. When a protected application is opened, Massiv displays an imitation login or payment form visually indistinguishable from the original. Users unknowingly type their credentials and card data into the attacker-controlled interface. Overlay-based credential theft has been observed in other major families such as Anatsa and Xenomorph and remains one of the most effective methods of compromising mobile banking accounts.
Targeting government services and bypassing KYC controls
ThreatFabric reports a dedicated campaign against the Portuguese government app gov.pt. In this scenario, the overlay requests the victim’s phone number and PIN code. Such data can be misused to circumvent Know Your Customer (KYC) procedures for government portals and linked financial operations.
There is evidence that stolen personal and banking information has been used to open accounts in victims’ names. These accounts can then facilitate money laundering, microloan fraud, and movement of stolen funds, significantly complicating remediation for affected individuals and investigations by banks and regulators.
Remote access, black-screen mode, and Accessibility Services abuse
Beyond credential theft, Massiv operates as a Remote Access Trojan (RAT) for Android. Attackers can remotely control the infected device, while the victim sees only a black screen, masking ongoing malicious operations inside banking or wallet applications.
This capability is enabled through extensive abuse of Android Accessibility Services, originally designed to assist users with disabilities. Massiv intercepts UI events, taps, and text input, and leverages a so-called UI-tree mode: it iterates through AccessibilityWindowInfo objects, constructs a JSON representation of all visible interface elements, and sends it to the operator. This technique sidesteps protections such as the “no screen capture” flag (FLAG_SECURE) used by many banking and system apps: the flag blanks screenshots and screen streams, but it does not hide the view hierarchy from an accessibility service, so attackers still obtain a structured, machine-readable model of the screen even when ordinary screenshots are blocked.
Geographic focus, ongoing development, and Malware-as-a-Service potential
Initial Massiv campaigns were observed targeting users in Portugal and Greece. However, some malware samples date back to early 2025, indicating a lengthy development and testing phase before broader deployment. With the codebase and infrastructure actively maintained, expansion to additional regions and financial institutions is highly probable.
Industry threat reports consistently rank Android banking trojans among the most profitable mobile malware categories, as they provide direct access to money rather than just data. The arrival of a technically mature family like Massiv increases the likelihood of more sophisticated, large-scale fraud operations, particularly in markets where SMS authentication is common and security awareness remains low.
Indicators of a future Malware-as-a-Service platform
Although Massiv is not yet openly sold as Malware-as-a-Service (MaaS), its architecture already supports multi-operator use. The backend communication relies on API keys, simplifying management of different campaigns and customers. Code analysis reveals ongoing development: new modules are being added, stealth and persistence mechanisms refined, and the list of targeted applications expanded.
Such modularity and rapid iteration are characteristic of malware families prepared for commercialization on underground forums, where complete Android banking trojans and phishing kits are rented to less technically skilled cybercriminals, significantly lowering the barrier to entry.
How users and organizations can defend against Massiv and similar Android threats
To reduce exposure to Massiv and related Android banking malware, users should avoid installing applications from links in SMS or messaging apps, disable installation from unknown sources whenever possible, and keep the operating system and banking apps up to date. Special attention should be paid to requested permissions, particularly access to SMS and Accessibility Services; unexpected prompts for these permissions from non-assistive apps are a strong warning sign.
Deploying reputable mobile security solutions, monitoring for unusual device behavior (such as persistent black screens or sudden activation of accessibility features), and promptly reporting suspicious SMS messages to banks or telecom providers can further limit the impact of such campaigns.
Organizations and financial institutions should harden their mobile applications against overlay attacks, prefer phishing-resistant multi-factor authentication over SMS codes, and implement robust fraud detection capable of identifying anomalous device behavior and transaction patterns. Regular customer education on smishing, sideloading risks, and permission abuse remains one of the most cost-effective defenses.
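As an added illustration of the app-side hardening discussed above and of the accessibility-tree exposure described in the UI-tree section (this is example code, not from the article or from ThreatFabric), the following Android Java helpers set the “no screen capture” flag, hide untrusted overlay windows, mark sensitive views as accessibility-data-sensitive so services that are not declared assistive tools cannot read them, and list enabled accessibility services that lack that declaration. The class and method names are hypothetical; the Android APIs used require the API levels noted in the comments.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical hardening helpers for a banking or wallet app (added example). */
public final class MobileHardening {

    /** Block screenshots / MediaProjection streams and untrusted overlays for this Activity. */
    public static void hardenWindow(Activity activity) {
        // FLAG_SECURE is the "no screen capture" flag: screen recorders and MediaProjection get a black frame.
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) { // Android 12+
            // Hides non-system overlay windows drawn by other apps while this window is on top.
            // Requires android.permission.HIDE_OVERLAY_WINDOWS (a normal permission) in the manifest.
            activity.getWindow().setHideOverlayWindows(true);
        }
    }

    /** Keep a sensitive view (PIN, card number, OTP field) out of the accessibility tree of non-assistive services. */
    public static void hideFromNonAssistiveServices(View sensitiveView) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) { // Android 14+
            // Only services declaring isAccessibilityTool="true" may still read this node.
            sensitiveView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
        // Drop touches delivered while another window partially covers this view (overlay tapjacking defence).
        sensitiveView.setFilterTouchesWhenObscured(true);
    }

    /** Package names of enabled accessibility services that do not declare themselves assistive tools. */
    public static List<String> undeclaredAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspicious;
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // isAccessibilityTool() exists from Android 13; older devices cannot distinguish, so report all.
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            if (!declaredTool && info.getResolveInfo() != null) {
                suspicious.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        return suspicious; // non-empty list: raise a risk signal, e.g. step-up authentication or a warning screen
    }
}
```

A non-empty result from undeclaredAccessibilityServices is a risk signal rather than proof of infection, since legitimate automation apps also omit the declaration, so feed it into fraud-risk scoring rather than blocking outright.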
Massiv illustrates how quickly Android threats are converging: banking trojan functionality, full remote access, and a MaaS-ready architecture are being combined into a single toolkit. Strengthening mobile security hygiene now—both at the user and institutional level—will be essential to limiting the effectiveness of this and the next generation of Android banking trojans.