Android Users Warned: Fake IPTV Apps Spread Massiv Malware Targeting Mobile Banking Customers
New Android Malware “Massiv” Targets Mobile Banking Users via Fake IPTV Apps
A newly discovered Android trojan, dubbed Massiv, targets mobile banking users through fake IPTV apps. According to ThreatFabric, a Dutch mobile security company, the malware is designed to facilitate device takeover (DTO) attacks, allowing its operators to remotely control infected devices and perform fraudulent transactions from the victim’s banking accounts.
Malware Features
Massiv supports a range of features to facilitate credential theft, including screen streaming, keylogging, SMS interception, and fake overlays served atop banking and financial apps. The malware also uses Android’s accessibility services to build a JSON representation of visible text and content descriptions, UI elements, screen coordinates, and interaction flags. This allows the attacker to determine the next course of action and issue specific commands to interact with the device.
Malware Distribution
The malware is distributed via SMS phishing, where victims are tricked into installing a dropper app masquerading as an IPTV app. Once installed, the dropper prompts the victim to install an “important” update and to grant it permission to install software from external sources. The actual malware is then installed and runs on the device, allowing the attacker to perform a range of malicious actions, including enabling a black overlay, muting sounds and vibration, sending device information, and performing click and swipe actions.
ThreatFabric has identified cases where scammers used the information captured through Massiv’s overlays to open new banking accounts in the victim’s name, allowing them to be used for money laundering or getting loans approved without the actual victim’s knowledge.
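For defenders, the two-stage chain described above (a sideloaded dropper that can install packages, followed by a payload using accessibility services plus SMS access or overlays) can be looked for in a device app inventory. The following is an added example, not code from ThreatFabric or from the malware; the record fields and package names are hypothetical, and treating the `SYSTEM_ALERT_WINDOW` permission as the overlay signal is an assumption, since the article does not say how the overlays are drawn.

```python
# Added example: classify apps in a device inventory against the two-stage
# chain described above (sideloaded dropper -> accessibility/SMS payload).
# Record fields and all package names are hypothetical, constructed sample data.
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # assumed overlay signal

def signals(app):
    """Return the set of risk signals present in one inventory record."""
    perms = set(app.get("permissions", []))
    found = set()
    if app.get("installer") != PLAY_STORE:
        found.add("sideloaded")
    if INSTALL in perms:
        found.add("can_install_packages")
    if app.get("accessibility_enabled"):
        found.add("accessibility_service")
    if perms & SMS:
        found.add("sms_access")
    if OVERLAY in perms:
        found.add("draws_overlays")
    return found

def triage(inventory):
    """Map package name -> role for apps matching either stage of the chain."""
    sig = {a["package"]: signals(a) for a in inventory}
    # Stage 1: installed from outside the store and able to install other apps.
    roles = {p: "dropper-like" for p, s in sig.items()
             if {"sideloaded", "can_install_packages"} <= s}
    # Stage 2: sideloaded, accessibility enabled, plus SMS access or overlays.
    for app in inventory:
        pkg, s = app["package"], sig[app["package"]]
        if {"sideloaded", "accessibility_service"} <= s and s & {"sms_access", "draws_overlays"}:
            via = app.get("installer")
            linked = roles.get(via) == "dropper-like"
            roles[pkg] = "takeover-capable" + (f" (installed by {via})" if linked else "")
    return roles

SAMPLE = [  # constructed inventory
    {"package": "com.example.iptv", "installer": None, "permissions": [INSTALL]},
    {"package": "com.example.update", "installer": "com.example.iptv",
     "permissions": sorted(SMS) + [OVERLAY], "accessibility_enabled": True},
    {"package": "com.example.reader", "installer": PLAY_STORE,
     "permissions": [], "accessibility_enabled": True},
]

if __name__ == "__main__":
    for pkg, role in triage(SAMPLE).items():
        print(pkg, "->", role)
```

A store-installed app with accessibility enabled but no SMS or overlay access, like the constructed screen reader here, is deliberately left unflagged to keep legitimate assistive apps out of the results.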
Malware-as-a-Service
ThreatFabric notes that Massiv’s operator shows clear signs of going the Malware-as-a-Service route, introducing API keys to be used in malware communication with the backend. Code analysis revealed ongoing development, with more features likely to be introduced in the future.
The majority of Android malware campaigns using TV-related droppers have targeted Spain, Portugal, France, and Turkey over the past six months. Massiv is the latest entrant to an already crowded Android threat landscape, reflecting the continuing demand for such turnkey solutions among cybercriminals.
