NEWS A perfect bank account on your screen → stolen password → a new loan in your name. Meet the Massiv Trojan.

pinkman

Fraudsters have come up with a new and original way to take control of someone else's phone.
Another banking Trojan has surfaced on Android, and it follows a familiar pattern: trick the user into installing an app from outside the app store, obtain the permissions that matter, then take control of the phone and carry out transactions with a human operator at the other end. A recent study by mobile threat analysts named the family "Massiv," after one of its internal modules.

Massiv has not yet been seen in mass campaigns, only in relatively small, targeted ones. Even at that scale the risk is high, because the Trojan is built to hijack the device and then run fraudulent transactions from the victim's bank accounts. The report specifically notes confirmed cases of fraud in Southern Europe.

In terms of functionality, Massiv resembles a typical modern banking Trojan, but has no obvious ties to other known families. It contains everything needed to steal data and bypass security controls: fake screens drawn over legitimate apps, keyboard input interception, and interception of SMS and push notifications. Together these extract logins, passwords, card details and one-time codes, and then keep access open long enough to complete the attack and cash out.

The first stage usually involves the fake screens. Massiv monitors which apps are launched on the infected phone. As soon as the user opens a targeted app, the Trojan draws a fake login or confirmation form over it. The form mimics the real app's interface and asks for the "standard" data the user is used to entering: login, password, PIN and card details.

In one of the analyzed campaigns, the target was not a banking app but the Portuguese government app gov.pt. It functions as a digital identity wallet, so the fake screen asked the victim for a phone number and PIN. The report suggests the attackers use this to get past identity checks tied to government identification. This matters for financial fraud: if criminals can verify an identity through an official digital tool, they can more easily pass the procedures that normally stop fraudulent activity.

Chave Móvel Digital, a Portuguese digital authentication and electronic signature system, is also mentioned. It allows citizens to access online services, including banking. If a Trojan helps steal data associated with this system, it becomes easier to not only log into an account but also confirm transactions.

In some cases, new accounts were opened in the victim's name at banks and services they hadn't previously used. These accounts are initially controlled by the scammers, making them convenient to use as intermediate wallets for withdrawals, money laundering schemes, and sometimes even for loans. As a result, the victim may not only lose their money but also incur debts at a bank where they never opened an account.

Once the data is collected, Massiv enables the most dangerous part: remote control of the phone. The code contains a module named FuncVNC. It is built on Android's accessibility service, the mechanism meant for people with visual or motor impairments but routinely abused by malware. Through it the Trojan can enumerate interface elements and perform actions on the screen. Commands and data are exchanged over WebSocket, which serves as the transport to the command-and-control server.

During a remote session, Massiv has two modes of operation. The first is screencasting. It uses the standard MediaProjection API, so the operator sees the display in near real time. Some applications, especially financial ones, deliberately block screen capture by setting FLAG_SECURE on their windows. For those, a second mode is provided, which the report calls "UI-tree." Instead of an image, the Trojan collects the UI tree through the Accessibility API and converts it into a JSON description of what is currently on the screen. FLAG_SECURE only blanks the captured image; it does not hide the view hierarchy from an accessibility service, which is exactly the gap this mode exploits.

This JSON captures visible text, element descriptions, the components' technical classes, coordinates, and attributes such as "clickable," "enterable" (editable), "focused," and "active" (enabled). Not every element is exported, only those that actually help control the screen: visible ones that are clickable or contain text. The operator receives a structured screen layout and can locate the needed buttons and input fields even when the application prevents screenshots. It also allows some actions to be automated on element attributes rather than by guessing coordinates. One app-side mitigation: since Android 14 a view can be marked accessibilityDataSensitive, which hides its content from accessibility services that do not declare themselves accessibility tools.
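To make the UI-tree mode concrete, here is a Python model of the export step described above. It is an added example, not the Trojan's code, and it calls no Android API: the node attributes mirror the AccessibilityNodeInfo getters the text lists (class name, text, content description, screen bounds, and the visible/clickable/editable/focused/enabled flags), and the sample screen is constructed by hand to look like a banking login that has FLAG_SECURE set. Screenshots of such a screen come back black, but the filtered tree still hands the operator both input fields and the login button with tap coordinates.

```python
"""
Model of the "UI-tree" export: walk an accessibility node tree and serialise
only the nodes that help an operator drive the screen (visible, and clickable
or editable or carrying text). Added example; not the Trojan's code, no Android
API is used. Node shape and the sample screen are assumptions.
"""
import json
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Node:
    """One AccessibilityNodeInfo as the service would see it (assumed shape)."""
    class_name: str
    bounds: Tuple[int, int, int, int]     # left, top, right, bottom (screen px)
    text: str = ""
    content_desc: str = ""
    visible: bool = True                  # isVisibleToUser()
    clickable: bool = False
    editable: bool = False                # isEditable(): the "enterable" flag
    focused: bool = False
    enabled: bool = True                  # the "active" flag
    children: List["Node"] = field(default_factory=list)


def walk(node: Node, depth: int = 0) -> Iterator[Tuple[Node, int]]:
    """Pre-order traversal; the pre-order index doubles as a node handle."""
    yield node, depth
    for child in node.children:
        yield from walk(child, depth + 1)


def worth_exporting(node: Node) -> bool:
    """Filter from the report: only visible nodes that can be read or acted on."""
    return node.visible and (
        node.clickable or node.editable or bool(node.text) or bool(node.content_desc)
    )


def export_ui_tree(root: Node) -> List[dict]:
    """Flatten the tree into the JSON records an operator would receive."""
    records = []
    for idx, (node, depth) in enumerate(walk(root)):
        if not worth_exporting(node):
            continue
        left, top, right, bottom = node.bounds
        records.append({
            "id": idx,
            "depth": depth,
            "class": node.class_name,
            "text": node.text,
            "desc": node.content_desc,
            "bounds": [left, top, right, bottom],
            # tap point, so the operator never has to guess coordinates
            "center": [(left + right) // 2, (top + bottom) // 2],
            "clickable": node.clickable,
            "editable": node.editable,
            "focused": node.focused,
            "enabled": node.enabled,
        })
    return records


def to_json(root: Node) -> str:
    """Compact JSON as it would travel over the WebSocket channel."""
    return json.dumps(export_ui_tree(root), separators=(",", ":"))


def find(records: List[dict], **attrs) -> Optional[dict]:
    """Operator-side lookup by attribute, e.g. find(tree, editable=True, desc="Password")."""
    for rec in records:
        if all(rec.get(k) == v for k, v in attrs.items()):
            return rec
    return None


# Constructed sample: a FLAG_SECURE login screen as the accessibility tree shows it.
SAMPLE_SCREEN = Node("android.widget.FrameLayout", (0, 0, 1080, 2340), children=[
    Node("android.widget.LinearLayout", (0, 200, 1080, 1200), children=[
        Node("android.widget.TextView", (80, 220, 1000, 300), text="Welcome back"),
        Node("android.widget.ImageView", (440, 320, 640, 520)),            # logo: dropped
        Node("android.widget.EditText", (80, 560, 1000, 680), content_desc="Username",
             editable=True, focused=True),
        Node("android.widget.EditText", (80, 720, 1000, 840), content_desc="Password",
             editable=True),
        Node("android.widget.Button", (80, 900, 1000, 1040), text="Log in", clickable=True),
        Node("android.widget.TextView", (80, 1080, 1000, 1140), text="Wrong password",
             visible=False),                                               # hidden: dropped
    ]),
])


if __name__ == "__main__":
    print(to_json(SAMPLE_SCREEN))
```

Of the eight nodes in the sample, only four survive the filter: the heading, the two editable fields and the button. The layouts, the logo and the hidden error text carry nothing an operator can act on, which is why the report describes the export as selective. The `find` helper shows the automation angle: a script can locate "the editable field described as Password" regardless of screen size or layout changes.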

A separate part of the story is how Massiv gets onto devices. In the observed campaign, the Trojan was disguised as an IPTV app, that is, an app for online television. The choice exploits audience habits: many IPTV services are distributed not through Google Play but through websites, forums and Telegram channels, sometimes because of copyright restrictions. Users of such apps are used to installing from unknown sources and are not surprised by requests for extra permissions.

Most of these cases involve no compromise of a legitimate IPTV service at all. The attackers simply borrow a recognizable brand and hide a downloader behind it.

The scheme works like this: the app displays a page or player for a real IPTV service, so everything on the screen appears authentic, and the user doesn't immediately realize they've landed on the wrong site. Meanwhile, a malicious module runs in the background, doing its work unnoticed.

According to the researchers, IPTV-themed lures have become more common over the past 6-8 months, and the number of downloaders posing as IPTV apps is growing. Similar campaigns have been recorded in Spain, Portugal, France and Turkey.

The report closes by describing Massiv as a family that is still evolving; among other details, it mentions API keys used for communication with the server. Development is clearly ongoing and the feature set may expand. A separate risk is that small, targeted campaigns tend to stay undetected longer: less noise, fewer mass indicators, and less attention from automated systems.

Indicators of compromise from the report:

SHA-256: 54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e
Package name: hobfjp.anrxf.cucm
Application name: Google Play
Description: Massiv payload

SHA-256: f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6
Package name: hfgx.mqfy.fejku
Application name: IPTV24
Description: Dropper
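A small triage script for the indicators above, added here as an example (it is not the report's tooling). It checks an app inventory against the two published package names and SHA-256 hashes and, going one step beyond the list, flags any app whose label claims to be "Google Play" while its package is not one of the real Google packages, since the payload sample ships under exactly that label. The `pm list packages -f` output and the inventory below are constructed for the example; on a real device the package list comes from `adb shell pm list packages -f`, and the label and hash of each pulled base.apk from the analyst's own tooling.

```python
"""
Triage an installed-app inventory against the Massiv indicators. Added example,
not the report's tooling. The sample pm output and inventory are constructed.
"""
import hashlib
import re
from typing import Dict, List

IOC_PACKAGES = {
    "hobfjp.anrxf.cucm": "Massiv payload",
    "hfgx.mqfy.fejku": "Dropper",
}
IOC_SHA256 = {
    "54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e": "Massiv payload",
    "f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6": "Dropper",
}
# Packages that legitimately carry a "Google Play ..." label on a stock device.
GOOGLE_PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}

# `pm list packages -f` prints one "package:<apk path>=<package name>" per line.
PM_LINE = re.compile(r"^package:(?P<path>/\S+?\.apk)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> base.apk path from `pm list packages -f` output."""
    installed = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def sha256_hex(apk_bytes: bytes) -> str:
    """Hash of a pulled APK, to compare against the report's SHA-256 values."""
    return hashlib.sha256(apk_bytes).hexdigest()


def triage(inventory: List[dict]) -> List[dict]:
    """inventory entries: {"package", "label", "sha256"}. Returns flagged apps with reasons."""
    findings = []
    for app in inventory:
        pkg = app["package"]
        label = app.get("label", "")
        digest = app.get("sha256", "").lower()
        reasons = []
        if pkg in IOC_PACKAGES:
            reasons.append(f"package name matches IOC ({IOC_PACKAGES[pkg]})")
        if digest in IOC_SHA256:
            reasons.append(f"APK hash matches IOC ({IOC_SHA256[digest]})")
        # Label spoofing heuristic: the payload calls itself "Google Play".
        if label.startswith("Google Play") and pkg not in GOOGLE_PLAY_PACKAGES:
            reasons.append("label impersonates Google Play")
        if reasons:
            findings.append({"package": pkg, "label": label, "reasons": reasons})
    return findings


# Constructed `pm list packages -f` output (install paths are made up).
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~aaaa==/com.android.vending-bbbb==/base.apk=com.android.vending
package:/data/app/~~cccc==/hfgx.mqfy.fejku-dddd==/base.apk=hfgx.mqfy.fejku
package:/data/app/~~eeee==/hobfjp.anrxf.cucm-ffff==/base.apk=hobfjp.anrxf.cucm
package:/data/app/~~gggg==/com.example.notes-hhhh==/base.apk=com.example.notes
"""

# Constructed inventory: labels and hashes as an analyst would have collected them.
# The two IOC hashes are the report's; the other two are stand-in digests.
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store",
     "sha256": sha256_hex(b"stand-in for the real Play Store apk")},
    {"package": "hfgx.mqfy.fejku", "label": "IPTV24",
     "sha256": "f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6"},
    {"package": "hobfjp.anrxf.cucm", "label": "Google Play",
     "sha256": "54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e"},
    {"package": "com.example.notes", "label": "Notes",
     "sha256": sha256_hex(b"stand-in for a benign apk")},
]

if __name__ == "__main__":
    print("installed:", sorted(parse_pm_list(SAMPLE_PM_OUTPUT)))
    for hit in triage(SAMPLE_INVENTORY):
        print(hit["package"], "->", "; ".join(hit["reasons"]))
```

Package names and hashes are cheap for the operators to rotate between campaigns, so the label heuristic is the part most likely to keep working: a third-party app that presents itself as "Google Play" has no legitimate reason to exist on a device.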