Massiv Android Banking Trojan Campaign Exploits Fake IPTV Apps to Target Mobile Users in Southern Europe

  • 2 days ago
  • 5 min read
Executive Summary

A sophisticated Android banking malware campaign is currently propagating through fake IPTV applications, distributing the Massiv banking trojan and targeting mobile banking users across Southern Europe, with a particular focus on Spain, Portugal, France, and Turkey. The attackers exploit the widespread demand for unofficial IPTV streaming services, enticing users to sideload malicious APKs from untrusted sources. Once installed, these counterfeit IPTV apps deploy the Massiv malware, which leverages advanced Android APIs to perform credential theft, remote device manipulation, and financial fraud. The campaign demonstrates a high level of technical proficiency, utilizing overlay attacks, keylogging, and abuse of the Accessibility Service and MediaProjection APIs to circumvent security controls in both banking and government digital identity applications. The threat landscape is evolving rapidly, with indications that the malware may soon be offered as a Malware-as-a-Service (MaaS) platform, further amplifying its reach and impact.

Threat Actor Profile

The operators behind the Massiv campaign are financially motivated cybercriminals, exhibiting a strong understanding of both Android internals and the European financial ecosystem. There is no current evidence linking this campaign to established Advanced Persistent Threat (APT) groups; rather, the activity aligns with organized cybercrime syndicates specializing in banking malware. The threat actors demonstrate agility in their tactics, techniques, and procedures (TTPs), rapidly iterating on the malware’s capabilities and infrastructure. Open-source intelligence and technical analyses suggest that the group is preparing to commercialize Massiv as a MaaS offering, which would enable other criminal entities to leverage the malware for their own campaigns. The actors are adept at social engineering, using convincing IPTV app branding and distribution channels such as Telegram, underground forums, and fraudulent websites to maximize infection rates.

Technical Analysis of Malware/TTPs

The infection chain begins with the distribution of counterfeit IPTV apps, which are not available on the official Google Play Store due to policy violations. Instead, users are lured to sideload APKs from third-party sources. Upon installation, the fake IPTV app may either fail to function or display a legitimate IPTV website within a WebView, maintaining the illusion of authenticity while covertly deploying the Massiv payload.

Massiv exhibits a modular architecture, with the following core capabilities:

Overlay Attacks: The malware dynamically generates overlays that mimic the login screens of targeted banking and government apps. These overlays are triggered when the user opens a targeted application, harvesting credentials, PINs, and other sensitive data.

Keylogging: By abusing the Accessibility Service, Massiv captures keystrokes and input events, enabling the theft of authentication data and personal information.

Remote Control: The malware leverages the MediaProjection API to stream the device’s screen in real time to the attacker’s command-and-control (C2) infrastructure. In addition, a UI-Tree mode extracts structured interface data, including visible text, element names, coordinates, and interaction attributes, allowing attackers to interact with the device remotely and bypass screen-capture protections.

Persistence: Massiv aggressively solicits Accessibility Service permissions, ensuring it can survive device reboots and maintain privileged access for extended periods.

Account Takeover and Fraud: The malware has been observed facilitating the creation of new bank accounts and digital services in the victim’s name, enabling downstream money laundering and fraudulent loan applications.

C2 Communication: The malware employs encrypted WebSocket channels and rapidly rotating domains for resilient and stealthy command-and-control operations.

The campaign’s technical sophistication is further evidenced by its ability to evade traditional mobile security solutions, leveraging legitimate Android APIs rather than exploiting known vulnerabilities (CVEs). This approach complicates detection and remediation, as the malicious behavior is often indistinguishable from legitimate app functionality at the API level.

Exploitation in the Wild

The Massiv campaign is actively targeting users in Spain, Portugal, France, and Turkey, with a focus on customers of major financial institutions and users of government digital identity services such as Portugal’s Chave Móvel Digital and gov.pt. Victims typically encounter the malware after searching for free or premium IPTV streaming solutions and downloading APKs from unofficial sources. Once infected, users report unauthorized transactions, the creation of new bank accounts and loans in their names, and in some cases, complete account takeovers.

The malware’s overlay and remote control features enable attackers to bypass multi-factor authentication and other security controls, resulting in significant financial losses. Incident reports indicate that the attackers are capable of executing fraudulent transactions in real time, often while the victim is actively using their device. The campaign’s reliance on dynamic C2 infrastructure and rapidly evolving IOCs (Indicators of Compromise) has hindered traditional detection and response efforts.

Victimology and Targeting

The primary victims of the Massiv campaign are individual mobile banking users in Southern Europe, particularly those who sideload applications from unofficial sources. The attackers specifically target users of popular banking apps and government digital identity platforms, exploiting the trust placed in these services. The campaign’s geographic focus aligns with regions where IPTV piracy is prevalent and where digital banking adoption is high.

Secondary victims include financial institutions and government agencies, which face increased fraud risk, reputational damage, and operational disruption as a result of compromised customer accounts. The attackers’ ability to automate account creation and loan applications further amplifies the impact, enabling large-scale financial fraud and money laundering.

Mitigation and Countermeasures

To mitigate the risk posed by the Massiv malware, organizations and end-users should adopt a multi-layered defense strategy. Users must be educated to install applications exclusively from official app stores such as Google Play and to avoid sideloading APKs from untrusted sources. Mobile threat defense solutions should be deployed to detect and block overlay attacks, abuse of the Accessibility Service, and suspicious APK installations.

Financial institutions are encouraged to implement in-app protections against overlays and Accessibility abuse, such as runtime integrity checks, overlay detection mechanisms, and behavioral analytics. Regular monitoring for emerging IOCs, as published by reputable threat intelligence providers like ThreatFabric, is essential for timely detection and response.
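Added example (not code from this report, from Rescana, or from any bank): a Kotlin sketch of the in-app protections named above, built only on public Android APIs. The object name, the trusted-package allowlist and the idea of reporting findings to a fraud backend are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

object ScreenHardening {
    // Constructed allowlist of assistive packages this app trusts (policy-driven in practice).
    private val trustedAssistivePackages = setOf("com.google.android.marvin.talkback")
    /** Harden a login or transaction screen against overlays, capture and UI-tree reads. */
    fun harden(activity: Activity, vararg sensitiveViews: View) {
        // FLAG_SECURE blanks this window in screenshots and MediaProjection streams.
        // It does not stop an Accessibility Service from reading the view hierarchy.
        val secure = WindowManager.LayoutParams.FLAG_SECURE
        activity.window.setFlags(secure, secure)
        // Discard touches delivered while another window covers ours (overlay/tapjacking).
        activity.window.decorView.filterTouchesWhenObscured = true
        for (v in sensitiveViews) {
            v.filterTouchesWhenObscured = true
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
                // Android 14+: hide content from accessibility services that do not declare
                // themselves accessibility tools. Sideloaded malware can still claim to be one.
                v.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
            }
        }
    }

    /** True if a touch arrived while an overlay fully or partially covered the window. */
    fun touchWasObscured(ev: MotionEvent): Boolean {
        val full = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partial = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        return full || partial
    }
    /** Enabled accessibility services that are neither trusted nor self-declared tools.
     *  Report them as a risk signal to the fraud backend rather than hard-blocking. */
    fun unexpectedAccessibilityServices(ctx: Context): List<String> {
        val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { info ->
                val pkg = info.resolveInfo.serviceInfo.packageName
                val tool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU && info.isAccessibilityTool
                pkg !in trustedAssistivePackages && !tool
            }
            .map { it.id } // "package/serviceClass"
    }
}
```

Call `harden(this, pinField, loginButton)` from the sensitive Activity's `onCreate`, and check `touchWasObscured(ev)` in `onFilterTouchEventForSecurity` before accepting a tap on a transaction-confirming control.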

Security teams should also monitor for anomalous account activity, including the creation of new accounts and loan applications, and implement robust identity verification processes to prevent fraud. Collaboration with law enforcement and industry partners is recommended to track the evolving threat landscape and share actionable intelligence.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats and safeguard critical assets. For more information about our solutions or to discuss your organization’s cybersecurity needs, we are happy to answer questions at ops@rescana.com.
