Massiv
Massiv is an Android banking trojan and remote-access malware family used for financial theft and device takeover (DTO) attacks. It is distributed mainly as sideloaded fake IPTV applications outside official app stores, including droppers that display a legitimate-looking IPTV site in a WebView while silently installing the payload. Recent IPTV-themed campaigns were observed in Spain, Portugal, France, Turkey, and Greece; researchers also noted Massiv in broader malicious unofficial streaming-app campaigns in Spain and Italy. Zimperium reported that the exact distribution chain could not be definitively identified for some samples.
Once installed, Massiv abuses the Android Accessibility Service and overlay capabilities to steal credentials and enable fraud. Reported capabilities include overlay-based credential theft against banking and cryptocurrency apps, keylogging, interception of SMS messages and push notifications, capture of one-time codes, user-activity monitoring, app enumeration, persistence, and remote control of the infected device. Device takeover runs over a WebSocket command channel with two operator-control modes: live screen streaming via Android MediaProjection, and a fallback UI-tree mode that uses Accessibility APIs to serialize the visible UI elements (text and screen coordinates) into JSON. Because the fallback reads the accessibility node tree rather than pixels, it sidesteps screen-capture protections such as views flagged FLAG_SECURE, which MediaProjection cannot capture. Massiv and Astrinox were both observed using persistent fake Android-update or full-screen overlays to block user interaction while the operator authorizes actions, triggers navigation clicks, or approves fraudulent transactions behind the overlay. Some reporting also states that Massiv performs pre-execution checks for rooted devices and certain mobile antivirus products and aborts in those environments.
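The permission and component combination described above is cheap to check statically. The following is an added example (not Massiv's code, and not any vendor's detection logic): a triage script that scores a decoded AndroidManifest.xml for the accessibility service, overlay, SMS, screen-capture, installer and persistence grants a Massiv-style trojan needs, and flags the mismatch the page calls out, a streaming app that requests an accessibility service. The indicator weights, verdict thresholds, the package names tv.example.iptvplayer and tv.example.cleanplayer, and both sample manifests are constructed assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component combination that Massiv-style banking trojans depend on:
an accessibility service, overlay drawing, SMS/notification access,
screen capture, package installation and boot persistence.
Added illustration; indicator weights and thresholds are assumptions."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions requested with <uses-permission>; weights are illustrative.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.RECEIVE_SMS": ("sms_intercept", 2),
    "android.permission.READ_SMS": ("sms_read", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 2),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen_capture", 2),
    "android.permission.QUERY_ALL_PACKAGES": ("app_enumeration", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence", 1),
}
# Privileged services are identified by the system permission that guards them.
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", 4),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification_listener", 2),
}
# Labels that claim to be a streaming/IPTV app (assumed keyword list).
MEDIA_APP_RE = re.compile(r"\b(iptv|tv|stream|player)\b", re.IGNORECASE)


def triage_manifest(xml_text):
    """Return the package name, matched indicators, a score and a verdict."""
    root = ET.fromstring(xml_text)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_INDICATORS:
            label, weight = PERMISSION_INDICATORS[name]
            findings[label] = weight
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission", "")
        if guard in SERVICE_INDICATORS:
            label, weight = SERVICE_INDICATORS[guard]
            findings[label] = weight

    app = root.find("application")
    app_label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    # A streaming/IPTV app has no legitimate need for an accessibility service.
    if "accessibility" in findings and MEDIA_APP_RE.search(app_label):
        findings["media_app_with_accessibility"] = 3

    score = sum(findings.values())
    if "accessibility" in findings and "overlay" in findings:
        verdict = "high"      # the overlay + accessibility pair is what enables DTO
    elif score >= 5:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "indicators": sorted(findings),
            "score": score, "verdict": verdict}


# Constructed sample: an IPTV-themed dropper requesting the full bundle.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="tv.example.iptvplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="IPTV Player">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: a player that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="tv.example.cleanplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="IPTV Player"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))   # verdict "high", score 16
    print(triage_manifest(BENIGN_MANIFEST))   # verdict "low", score 0
```

Run it against the manifest that apktool or aapt2 dumps from a suspicious APK; the "high" verdict is driven by the overlay plus accessibility pair rather than the raw score, because that pair alone is enough for overlay phishing and device takeover.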
ThreatFabric described Massiv as a novel family with no direct links to known threats and reported confirmed fraud in Southern Europe. One observed campaign targeted Portugal's gov.pt digital identity wallet and the associated Chave Móvel Digital authentication system, using overlays to collect phone numbers and PINs, likely to bypass KYC checks and gain access to banking and other services. Researchers reported cases in which the stolen data was used to open new accounts in victims' names for money laundering, loans, and cash-out fraud. Zimperium tracked Massiv as one of four Android banking malware campaigns that together affect more than 800 banking, cryptocurrency, and social applications. High-confidence SHA-256 sample hashes reported in the tracked sources include 54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e and f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
These malware families, named RecruitRat, SaferRat, Astrinox, and Massiv, employ various tactics like phishing and smishing to trick users into downloading malicious APK files.
"Massiv is distributed in the form of dropper apps mimicking IPTV apps via SMS phishing."
Execution
3 techniques
"Sourcing them as APKs from unofficial channels is considered normal for their users, who are accustomed to sideloading them."
Users typically encounter them on websites or ads and are asked to download and install them manually... By doing so, users bypass protections designed to screen apps for malicious behaviour.
"Like almost every Android Trojan, it pushes users into authorizing access to the operation system's accessibility service."
Persistence
2 techniques
One of the clearest warning signs is a request for Accessibility Services after opening the app. This level of access is not required for streaming and is frequently abused by banking malware to monitor input or interact with other apps.
Privilege Escalation
2 techniques
One of the clearest warning signs is a request for Accessibility Services after opening the app. This level of access is not required for streaming and is frequently abused by banking malware to monitor input or interact with other apps.
Stealth
2 techniques
Credential Access
9 techniques
It can lay fake bank login screens over real apps, record what the owner types, intercept the one-time codes from text messages and login apps that are meant to keep accounts safe, and control the screen from afar.
Malware has gained more sophisticated capabilities, including full Device Takeover (DTO), credential theft (using overlays and keylogging)
"credential theft through overlays that mimic legitimate application interfaces"; "Overlays prompt victims for phone numbers and PIN codes"
"fake overlays served atop banking and financial apps. The overlay asks users to enter their credentials and credit card details."
"Perform click and swipe actions"; "issuing specific commands to interact with the device"
They can also intercept one-time passwords (OTPs) sent via text...
"...to steal digital identities and gain access to online banking accounts..."; "...harvest sensitive data..."
Lateral Movement
1 technique
"full device takeover via remote control features"; "grants remote operators extensive device control"
Collection
8 techniques
The overlay, keylogging, OTP-interception and remote click/swipe evidence quoted under Credential Access above also supports these techniques.
They abuse Accessibility Service permissions to freeze the screen, while secretly capturing credentials, contacts, SMS messages, and even recording the screen.
Command and Control
3 techniques
"persistent control channel over WebSocket for transmitting commands and receiving UI data"
"...the APK is a dropper that installs the malware payload."
Exfiltration
1 technique
"constructing a JSON model containing visible text... screen coordinates... This structured representation permits operators to identify UI components precisely"
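The UI-tree exfiltration quoted above, like the overlay and screen-freeze behaviour in the earlier sections, only works if the malicious package actually holds an enabled accessibility service and the overlay grant on the device. That pair is quick to verify during triage of a live handset. The following is an added example (not Massiv's code, and not a vendor tool) that parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, and flags packages holding both grants. The allowlist, the package name tv.example.iptvplayer and the sample command outputs are constructed assumptions; the exact appops output wording varies by Android version, so tune the regex to your fleet.

```python
"""Live-device check for the accessibility-service and overlay grants a
Massiv-style operator needs. Added illustration, not Massiv's code.
It parses the output of two real adb commands:
    adb shell settings get secure enabled_accessibility_services
    adb shell appops get <package> SYSTEM_ALERT_WINDOW
The allowlist and the sample command outputs below are constructed."""
import re

# Accessibility packages expected on a managed device (assumed allowlist; tune per fleet).
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}
# appops prints e.g. "SYSTEM_ALERT_WINDOW: allow; time=+3m2s ago" when the grant exists
# (wording assumed from common Android releases; adjust if your build differs).
OVERLAY_ALLOW_RE = re.compile(r"SYSTEM_ALERT_WINDOW:\s*allow\b")


def parse_enabled_accessibility(settings_output):
    """Split the colon-separated component list; 'null' or empty means none enabled."""
    text = settings_output.strip()
    if not text or text == "null":
        return []
    return [c for c in text.split(":") if c]


def unknown_accessibility_components(settings_output):
    """Enabled accessibility components whose package is not on the allowlist."""
    return [c for c in parse_enabled_accessibility(settings_output)
            if c.split("/", 1)[0] not in KNOWN_ACCESSIBILITY_PACKAGES]


def overlay_allowed(appops_output):
    """True when the appops output shows SYSTEM_ALERT_WINDOW in the allow state."""
    return bool(OVERLAY_ALLOW_RE.search(appops_output))


def assess_device(settings_output, appops_by_package):
    """Flag packages that hold both an enabled accessibility service and the
    overlay grant: the pair behind overlay phishing, screen freezing and the
    Accessibility UI-tree fallback described on this page."""
    unknown = unknown_accessibility_components(settings_output)
    takeover_capable = set()
    for component in unknown:
        pkg = component.split("/", 1)[0]
        if overlay_allowed(appops_by_package.get(pkg, "")):
            takeover_capable.add(pkg)
    return {"unknown_accessibility": unknown,
            "takeover_capable": sorted(takeover_capable)}


# Constructed sample outputs: TalkBack plus an IPTV-themed app with an accessibility service.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "tv.example.iptvplayer/tv.example.iptvplayer.AccService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: deny",
    "tv.example.iptvplayer": "SYSTEM_ALERT_WINDOW: allow; time=+3m2s ago",
}

if __name__ == "__main__":
    print(assess_device(SAMPLE_SETTINGS, SAMPLE_APPOPS))
```

A package surfacing in takeover_capable is not proof of infection on its own, but on a device owned by someone reporting unexplained transactions it is the first thing to pull the APK for and hash against the indicators above.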
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Android banking trojan delivered via unofficial streaming apps; designed to steal from banking and crypto apps using device takeover capabilities.
An Android banking trojan delivered under the guise of an IPTV app.
Android banking malware in a broad campaign affecting hundreds of apps. It uses overlay abuse, screen monitoring, and fake prompts to steal PINs, credentials, and authentication codes; Massiv was observed deploying static full-screen overlays to authorize actions and trigger hidden navigation clicks.
Android malware family with unknown distribution method. It carries out overlay attacks against banking and crypto apps, abuses Accessibility Service permissions, steals credentials, contacts and SMS messages, intercepts OTPs, records screens, and uses keylogging.