Cybersecurity researchers at ThreatFabric have disclosed Massiv, a new Android banking Trojan designed to enable remote takeover of infected devices and fraud against victims' banking accounts. The malware masquerades as IPTV apps to lure users: a dropper, observed under the name IPTV24, prompts the victim to install an "important" update, and that update is the Massiv payload itself, which appears on the device as "Google Play" and requests the additional permissions it needs.
Once active, Massiv can stream the device screen, log keystrokes, intercept SMS messages, display fake overlays on top of banking apps, and remotely control the device to carry out fraudulent transactions. It can also harvest credentials with a UI-tree-based extraction method that inventories the visible text and UI elements of whatever app is on screen, which is enough to capture values typed into forms without a matching overlay.
ThreatFabric notes that the campaigns observed so far are limited and have mainly targeted Spain, Portugal, France, and Turkey; at least one campaign targeted gov[.]pt, a Portuguese public-administration app, to capture the user's phone number and PIN. Beyond credential theft, the malware can download overlays and additional APKs, install software from outside the official store, and manipulate device settings to keep its access.
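The capability set described above (a sideloaded payload impersonating "Google Play", overlay, SMS and install permissions, and an enabled accessibility service for UI-tree scraping and keylogging) can be turned into a simple device-inventory triage. The script below is an added example and is not ThreatFabric's code or anything from the article; the record fields, the package names `com.iptv24.app` and `com.update.service`, the scoring threshold and the whole sample inventory are constructed for illustration, and the only real identifier is `com.android.vending`, the genuine Play Store package name.

```python
"""Triage an Android package inventory for a Massiv-style profile.

Added example (not ThreatFabric's or the article's code). Each scoring rule
maps to one behaviour the article attributes to Massiv. Field names, package
names and the sample inventory are constructed; only com.android.vending is a
real identifier.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GOOGLE_PLAY_PACKAGE = "com.android.vending"  # the genuine Play Store package

# Capability -> permissions that grant it (overlay over banking apps,
# SMS interception, sideloading further APKs).
CAPABILITY_PERMS: Dict[str, Set[str]] = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]              # None => sideloaded, "system" => preloaded
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False   # app has an enabled accessibility service


def triage(app: InstalledApp) -> Tuple[int, List[str]]:
    """Score one app: one point per Massiv-like trait, with the reasons."""
    reasons: List[str] = []
    # Masquerading as Google Play under a package name that is not the Play Store.
    if "google play" in app.label.lower() and app.package != GOOGLE_PLAY_PACKAGE:
        reasons.append("label impersonates Google Play under a foreign package")
    # The dropper delivers the payload outside the store, so no installer is recorded.
    if app.installer is None:
        reasons.append("sideloaded (no installer package recorded)")
    for capability, perms in CAPABILITY_PERMS.items():
        if app.permissions & perms:
            reasons.append(f"holds {capability} permission(s)")
    # An enabled accessibility service is what makes UI-tree scraping and keylogging possible.
    if app.accessibility_enabled:
        reasons.append("accessibility service enabled (UI-tree scraping / keylogging)")
    return len(reasons), reasons


def triage_inventory(apps: List[InstalledApp], threshold: int = 4) -> Dict[str, Tuple[int, List[str]]]:
    """Return {package: (score, reasons)} for every app at or above threshold."""
    flagged = {}
    for app in apps:
        score, reasons = triage(app)
        if score >= threshold:
            flagged[app.package] = (score, reasons)
    return flagged


# Constructed sample inventory: a real Play Store, a benign IPTV player,
# a dropper-like app and a payload-like app. Package names are invented.
SAMPLE_INVENTORY = [
    InstalledApp("com.android.vending", "Google Play Store", "system",
                 {"android.permission.INTERNET"}),
    InstalledApp("tv.example.player", "IPTV Player", "com.android.vending",
                 {"android.permission.INTERNET", "android.permission.WAKE_LOCK"}),
    InstalledApp("com.iptv24.app", "IPTV24", None,
                 {"android.permission.INTERNET",
                  "android.permission.REQUEST_INSTALL_PACKAGES"}),
    InstalledApp("com.update.service", "Google Play", None,
                 {"android.permission.INTERNET",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS",
                  "android.permission.REQUEST_INSTALL_PACKAGES"},
                 accessibility_enabled=True),
]

if __name__ == "__main__":
    for pkg, (score, reasons) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{pkg}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

The threshold is deliberately above the score a lone sideloaded app with an install permission reaches, so the dropper-like entry is not flagged on its own; in practice you would lower the threshold or add a rule that pairs a sideloaded installer-capable app with a second sideloaded app it installed, and feed the function from `adb shell dumpsys package` or an MDM export rather than the constructed list.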
ThreatFabric said Massiv shows signs of evolving toward a Malware-as-a-Service offering: API keys were observed in its backend communications, and ongoing development is expected to add more features.