Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users
Source: The Hacker News
Ravie Lakshmanan
Feb 19, 2026 – Banking Malware / Mobile Security

Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that is designed to facilitate device‑takeover attacks for financial theft. The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity primarily targets users looking for online TV applications.
“This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device‑takeover attacks with further fraudulent transactions performed from the victim’s banking accounts,” the Dutch mobile‑security company said in a report shared with The Hacker News.
Like various Android banking‑malware families, Massiv supports a wide range of features to facilitate credential theft through several methods:
- screen streaming via Android’s MediaProjection API
- keylogging
- SMS interception
- fake overlays displayed atop banking and financial apps (the overlay asks users to enter their credentials and credit‑card details)

Notable Campaigns
One campaign was found to target gov.pt, a Portuguese public‑administration app that lets users store identification documents and manage the Digital Mobile Key (aka Chave Móvel Digital or CMD). The overlay tricks users into entering their phone number and PIN code, likely to bypass Know‑Your‑Customer (KYC) verification.
ThreatFabric reported cases where scammers used the information captured through these overlays to open new banking accounts in the victim’s name, enabling money‑laundering or loan approvals without the victim’s knowledge.
In addition, Massiv functions as a fully‑featured remote‑control tool, granting the operator stealthy access to the victim’s device while showing a black‑screen overlay to conceal malicious activity. These techniques, which abuse Android’s accessibility services, have also been observed in other Android banking trojans such as Crocodilus, Datzbro, and Klopatra.

“However, some applications implement protection against screen capture,” ThreatFabric explained. “To bypass it, Massiv uses so‑called UI‑tree mode—it traverses AccessibilityWindowInfo roots and recursively processes AccessibilityNodeInfo objects.”
The malware builds a JSON representation of visible text, content descriptions, UI elements, screen coordinates, and interaction flags (clickable, editable, focused, enabled). Only nodes that are visible and contain text are exported to the attacker, who can then decide the next action by issuing specific commands to interact with the device.

Capabilities
Massiv can perform a wide range of malicious actions, including:
- Enable black overlay, mute sounds and vibration
- Send device information to the C2 server
- Perform click and swipe actions programmatically
- Alter the clipboard with attacker‑controlled text
- Disable the black screen overlay
- Turn on/off screen streaming
- Unlock the device using a pattern lock
- Serve overlays for a specific app, device‑pattern lock, or PIN entry
- Download ZIP archives containing overlays for targeted applications
- Download and silently install additional APK files
- Open Battery Optimization settings, Device Admin settings, etc.
Source: ThreatFabric report (shared with The Hacker News)
Massiv Malware – Overview
Key behaviors observed
- Requests permission to access SMS messages and install APK packages.
- Clears log databases on the device.
- Shows the Device Admin and Play Protect settings screens.
Distribution method
Massiv is distributed as dropper apps that mimic legitimate IPTV applications and are delivered via SMS phishing. After the victim installs and launches the dropper, it prompts the user to install an “important” update by requesting permission to install software from external sources.
Malicious artifacts
| Artifact | Package name | Role |
|---|---|---|
| IPTV24 | hfgx.mqfy.fejku | Dropper |
| Google Play | hobfjp.anrxf.cucm | Massiv payload |
“In most of the cases observed, it is just masquerading,” said ThreatFabric. “No actual IPTV applications were infected or initially contained malicious code. Usually, the dropper that mimics an IPTV app opens a WebView with an IPTV website in it, while the actual malware is already installed and running on the device.”
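A defender-side triage check for the artifacts and behaviours described above, added here as an example and not taken from ThreatFabric's report or the original article: it flags the two listed package names, a "Google Play" label on a non-Google package, and sideloaded apps that combine an enabled accessibility service with SMS or package-install permissions. The inventory record fields (such as an MDM export might provide) and the sample records are assumptions made for the example.

```python
# Added example. The inventory schema (package, label, installer, system,
# permissions, accessibility_enabled) is hypothetical, e.g. an MDM export.
IOC_PACKAGES = {  # package names from the article's artifact table
    "hfgx.mqfy.fejku": "IPTV24 dropper",
    "hobfjp.anrxf.cucm": "Massiv payload",
}
PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def triage(app):
    """Return (severity, reasons) for one inventory record."""
    pkg, label = app["package"], app.get("label", "")
    perms = set(app.get("permissions", []))
    reasons = []
    if pkg in IOC_PACKAGES:
        reasons.append("known package name: " + IOC_PACKAGES[pkg])
    # The payload in the article carries a "Google Play" label under a random package name.
    first_party = pkg == PLAY_STORE or pkg.startswith("com.google.")
    if "google play" in label.lower() and not first_party:
        reasons.append("label imitates Google Play under a foreign package name")
    traits = [name for name, hit in (
        ("accessibility service enabled", app.get("accessibility_enabled")),
        ("SMS access", perms & SMS_PERMS),
        ("can request APK installs", INSTALL_PERM in perms)) if hit]
    # One trait alone is common in legitimate apps; require two on a sideloaded app.
    sideloaded = not app.get("system") and app.get("installer") != PLAY_STORE
    if sideloaded and len(traits) >= 2:
        reasons.append("sideloaded with " + ", ".join(traits))
    severity = "critical" if pkg in IOC_PACKAGES else ("high" if reasons else "ok")
    return severity, reasons

def scan(inventory):
    """Map package name -> severity for every record that is not 'ok'."""
    results = {a["package"]: triage(a)[0] for a in inventory}
    return {pkg: sev for pkg, sev in results.items() if sev != "ok"}

# Constructed sample inventory; only the first two package names come from the article.
SAMPLE = [
    {"package": "hfgx.mqfy.fejku", "label": "IPTV24", "installer": None,
     "permissions": [INSTALL_PERM]},
    {"package": "hobfjp.anrxf.cucm", "label": "Google Play", "installer": "hfgx.mqfy.fejku",
     "permissions": [INSTALL_PERM, "android.permission.RECEIVE_SMS"],
     "accessibility_enabled": True},
    {"package": "tv.example.player", "label": "Live TV", "installer": None,
     "permissions": ["android.permission.READ_SMS"], "accessibility_enabled": True},
    {"package": PLAY_STORE, "label": "Google Play Store", "system": True},
    {"package": "com.example.pwmanager", "label": "Vault", "installer": PLAY_STORE,
     "accessibility_enabled": True},
]
```

Because the package names in the table look randomly generated, the behavioural rule (third sample record) is the part that still applies when the names differ.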
Geographic focus
The majority of Android campaigns using TV‑related droppers have targeted Spain, Portugal, France, and Turkey over the past six months.
Threat landscape context
Massiv is the latest entrant to an already crowded Android threat landscape, reflecting the continuing demand for turnkey solutions among cyber‑criminals.
“While not yet observed being promoted as Malware‑as‑a‑Service, Massiv’s operator shows clear signs of going this path, introducing API keys to be used in malware communication with the backend,” ThreatFabric added. “Code analysis revealed ongoing development, with more features likely to be introduced in the future.”
