Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that enables device takeover (DTO) attacks for financial theft.
According to ThreatFabric, the malware masquerades as seemingly harmless IPTV apps to deceive victims. As a result, the campaign primarily singles out users searching for online TV applications.
“This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device takeover attacks with further fraudulent transactions performed from the victim’s banking accounts,” the Dutch mobile security company said in a report.
Like other Android banking malware families, Massiv supports a wide range of features that facilitate credential theft through multiple techniques. Specifically, it leverages:
Notably, the overlay prompts users to enter their credentials and credit card details, directly capturing sensitive information.
Furthermore, researchers uncovered a campaign targeting gov.pt, a Portuguese public administration app that allows users to store identification documents and manage the Digital Mobile Key (Chave Móvel Digital or CMD). In this case, the overlay tricks users into entering their phone number and PIN code, likely attempting to bypass Know Your Customer (KYC) verification.
ThreatFabric also identified incidents where scammers used data harvested through these overlays to open new bank accounts in victims’ names. Consequently, attackers used those accounts for money laundering or to secure loans without the victims’ knowledge.
In addition, Massiv functions as a fully operational remote-control tool. It allows operators to stealthily access infected devices while displaying a black screen overlay to conceal malicious activity. The malware abuses Android’s accessibility services to execute these actions.
Researchers have observed similar techniques in other Android banking trojans such as Crocodilus, Datzbro, and Klopatra.
“However, some applications implement protection against screen capture,” the company explained. “To bypass it, Massiv uses so-called UI-tree mode — it traverses AccessibilityWindowInfo roots and recursively processes AccessibilityNodeInfo objects.”
To accomplish this, the malware builds a JSON representation of visible text, content descriptions, UI elements, screen coordinates, and interaction flags. These flags reveal whether elements appear clickable, editable, focused, or enabled. The malware exports only visible nodes containing text to the attacker, who then determines the next action by issuing specific device interaction commands.
The malware equips operators with extensive functionality, including the ability to:
Meanwhile, attackers distribute Massiv through dropper apps that mimic IPTV applications and spread via SMS phishing. After installation, the dropper prompts the victim to install an “important” update and requests permission to install software from external sources.
The malicious artifacts include:
“In most of the cases observed, it is just masquerading,” ThreatFabric said. “No actual IPTV applications were infected or initially contained malicious code. Usually, the dropper that mimics an IPTV app opens a WebView with an IPTV website in it, while the actual malware is already installed and running on the device.”
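A triage check for the pattern described above, in which a sideloaded dropper leads to an app holding an enabled accessibility service. This is an added example, not code from ThreatFabric's report. It assumes the inputs are the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample data, the package names in it, and the trusted-installer list are constructed for illustration.

```python
# Added example: the sample adb output below is constructed, not taken from the report.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.iptvplayer/com.example.iptvplayer.SyncService")

# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def parse_installers(pm_output):
    """Map package name -> installer package (None when missing or 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip() or None
        installers[name.strip()] = None if installer == "null" else installer
    return installers

def parse_a11y_services(setting_value):
    """Split the colon-separated setting into (package, service class) pairs."""
    services = []
    for component in setting_value.strip().split(":"):
        if "/" not in component:      # empty value or the literal "null"
            continue
        package, cls = component.split("/", 1)
        if cls.startswith("."):       # expand shorthand class names
            cls = package + cls
        services.append((package, cls))
    return services

def flag_sideloaded_a11y(setting_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Return enabled accessibility services whose package lacks a trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for package, cls in parse_a11y_services(setting_value):
        installer = installers.get(package)  # None also covers packages not listed
        if installer not in trusted:
            findings.append({"package": package, "service": cls, "installer": installer})
    return findings

if __name__ == "__main__":
    for f in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {f['package']} ({f['service']}) installer={f['installer']}")
```

Preinstalled system packages commonly report `installer=null` as well, so a finding is a prompt for manual review rather than a verdict.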
Over the past six months, most Android malware campaigns leveraging TV-themed droppers have targeted users in Spain, Portugal, France, and Turkey.
Ultimately, Massiv represents the latest addition to an already crowded Android threat landscape, underscoring the continued demand for turnkey malware solutions among cybercriminals.
“While not yet observed being promoted as Malware-as-a-Service, Massiv’s operator shows clear signs of going this path, introducing API keys to be used in malware communication with the backend,” ThreatFabric said. “Code analysis revealed ongoing development, with more features likely to be introduced in the future.”
Source: TheHackerNews