Malware News: Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users

Brownie2019
Thread author
Mar 9, 2019
Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that's designed to facilitate device takeover (DTO) attacks for financial theft.

The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily singling out users looking for the online TV applications.

"This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device takeover attacks with further fraudulent transactions performed from the victim's banking accounts," the Dutch mobile security company said in a report shared with The Hacker News.

ThreatFabric told The Hacker News via email that the malware was first spotted in a campaign targeting users in Portugal and Greece earlier this year, although it has observed samples dating back to the start of 2025 as part of smaller test campaigns.
Full Story:
 
Some things worth keeping in mind to minimize these risks are pretty straightforward: install apps only from official sources, check what permissions they ask for (if an IPTV app wants access to SMS or contacts, that’s a red flag), keep the system updated, and use two‑factor authentication for mobile banking. It also helps to regularly check your banking activity and avoid granting accessibility permissions to apps that don’t really need them. These details may seem minor, but they make a big difference when campaigns like this show up. 🔒📱👀
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1417 (Input Capture)
T1513 (Screen Capture)
T1626 (Abuse Elevation Control Mechanism)
T1624.001 (Event Triggered Execution: Accessibility Services)

CVE Profile
[NVD Score: N/A]
[CISA KEV Status: Inactive]
This malware relies entirely on user-granted permissions and API abuse (UI-tree mode) rather than exploiting a specific CVE.

Telemetry

Package Name (Dropper)
hfgx.mqfy.fejku

Package Name (Massiv Payload)
hobfjp.anrxf.cucm

Targeted App Domain
id.gov.pt

Constraint
The structure resembles a staged deployment where an initial dropper fetches the primary payload. File sizes, exact delivery mechanisms beyond SMS phishing, and cryptographic hashes are currently "Unknown" based on the provided text.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Enforce Mobile Device Management (MDM) policies restricting app installations from "Unknown Sources."

DETECT (DE) – Monitoring & Analysis

Command
Monitor MDM/EDR telemetry for the presence of the package names hfgx.mqfy.fejku and hobfjp.anrxf.cucm.

RESPOND (RS) – Mitigation & Containment

Command
Isolate identified Android devices from the corporate Wi-Fi and VPN immediately to prevent lateral movement or data exfiltration.

RECOVER (RC) – Restoration & Trust

Command
Factory reset compromised Android devices; do not attempt surgical removal of the trojan due to its extensive Device Takeover (DTO) capabilities.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Deploy security awareness training focused on SMS Phishing (Smishing) and the dangers of sideloading Android applications.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
"Disconnect from the internet immediately." (Only applicable if you are using an Android device and suspect infection).

Command
"Do not log into banking/email until verified clean."

Priority 2: Identity

Command
Reset passwords and MFA tokens using a known clean device (e.g., a Windows PC or an iOS device on a cellular network).

Priority 3: Persistence

Command
Check Accessibility Service permissions in Android Settings and revoke access for any unrecognized applications. Uninstall any recently sideloaded IPTV applications.

Hardening & References

Baseline

CIS Benchmarks for Google Android.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

The Hacker News
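One way to operationalize the detection items in the post above (the two package-name IOCs in the Telemetry section and the Priority 3 accessibility-service check) together with the permission advice in the earlier reply, as an added example that is not part of any post in this thread and is not ThreatFabric's or The Hacker News' code. It parses the plain-text output of two stock Android commands, `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`; the sample output embedded below is constructed, and the service class name `.AccService` in it is hypothetical, since the thread names packages but no service classes.

```python
"""Triage an Android device for the package-name IOCs quoted in this thread.

Added example, not ThreatFabric's or The Hacker News' code. It only parses
text in the formats that `adb shell pm list packages -3` and
`adb shell settings get secure enabled_accessibility_services` print; the
sample output near the bottom is constructed, not captured from a device.
"""
import subprocess

# IOC package names exactly as listed in the thread's Telemetry section.
IOC_PACKAGES = {
    "hfgx.mqfy.fejku": "dropper",
    "hobfjp.anrxf.cucm": "Massiv payload",
}

# Accessibility services normally present on a stock device. Anything else
# holding an accessibility grant deserves a manual look (assumption: tune
# this allow-list per fleet; it is not from the thread).
KNOWN_GOOD_SERVICE_PREFIXES = ("com.google.android.", "com.android.", "com.samsung.")


def parse_pm_list(text):
    """`pm list packages` prints one `package:<name>` per line."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_accessibility_services(text):
    """The setting is a colon-separated list of `<package>/<ServiceClass>`
    entries, or the literal string `null` when no service is enabled."""
    text = text.strip()
    if not text or text == "null":
        return []
    entries = []
    for item in text.split(":"):
        pkg, _, cls = item.partition("/")
        if pkg:
            entries.append((pkg, cls))
    return entries


def triage(pm_output, a11y_output):
    """Return IOC hits, non-allow-listed accessibility grants and a verdict."""
    installed = parse_pm_list(pm_output)
    services = parse_accessibility_services(a11y_output)
    ioc_hits = sorted((p, IOC_PACKAGES[p]) for p in installed if p in IOC_PACKAGES)
    suspicious = [(pkg, cls) for pkg, cls in services
                  if not pkg.startswith(KNOWN_GOOD_SERVICE_PREFIXES)]
    verdict = "compromised" if ioc_hits else ("review" if suspicious else "clean")
    return {"ioc_hits": ioc_hits, "suspicious_accessibility": suspicious, "verdict": verdict}


def revoke_value(services, bad_packages):
    """Build the value to write back with
    `adb shell settings put secure enabled_accessibility_services <value>`
    so that only the listed packages lose their accessibility grant.
    Writing it is left to the operator; this function only computes it."""
    kept = [f"{pkg}/{cls}" for pkg, cls in services if pkg not in bad_packages]
    return ":".join(kept) if kept else "null"


def adb(*args):
    """Run one adb shell command against the attached device (adb on PATH)."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output standing in for a real device; `.AccService`
# is a hypothetical class name, the thread gives none.
SAMPLE_PM = """package:com.android.chrome
package:hfgx.mqfy.fejku
package:com.example.iptvplayer
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService"
               ":hfgx.mqfy.fejku/.AccService")

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        pm_out = adb("pm", "list", "packages", "-3")
        a11y_out = adb("settings", "get", "secure", "enabled_accessibility_services")
    else:
        pm_out, a11y_out = SAMPLE_PM, SAMPLE_A11Y
    result = triage(pm_out, a11y_out)
    print(result)
    bad = [pkg for pkg, _ in result["suspicious_accessibility"]]
    print("settings put value after revoke:",
          revoke_value(parse_accessibility_services(a11y_out), bad))
```

Run it without arguments to see the logic on the constructed sample, or with `--live` and a device attached over adb to run the two real commands. The verdict is only as good as the IOC list: a package-name match is strong evidence, but an unknown accessibility service on its own is a "review" signal, which is why the script separates the two rather than collapsing them into one alert.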