Fake IPTV app spreads Massiv Android malware targeting mobile banking users

Ravi LakshmananFebruary 19, 2026Banking Malware / Mobile Security

Cybersecurity researchers have revealed details of a new Android Trojan called Massiv that aims to facilitate device takeover (DTO) attacks for financial theft.

According to ThreatFabric, the malware tricks victims by disguising itself as a seemingly harmless IPTV app, indicating that the activity primarily targets users looking for online TV applications.

“Although this new threat has only been seen in a limited number of highly targeted campaigns, it already poses a significant risk to mobile banking users, allowing its operators to remotely control infected devices and perform further fraudulent transactions from victims’ bank accounts to conduct device takeover attacks,” the Dutch mobile security company said in a report shared with The Hacker News.

Like various Android banking malware families, Massiv supports a wide range of features that facilitate credential theft through a variety of methods, including screen streaming via Android’s MediaProjection API, keylogging, SMS interception, and fake overlays served on top of banking and financial apps. The overlay prompts the user to enter their credentials and credit card details.

One such campaign was found targeting gov.pt, a Portuguese government app that allows users to store their identity documents and manage their digital mobile keys (also known as Chave Móvel Digital or CMD). This overlay tricks users into entering their phone number and PIN code, presumably to bypass Know Your Customer (KYC) verification.

ThreatFabric said it has identified instances where fraudsters have used information obtained through these overlays to open new bank accounts in victims’ names, allowing them to be used for money laundering or loan approvals without the actual victim’s knowledge.

Massiv also functions as a full remote control tool, allowing operators to secretly access victims’ devices while displaying a black screen overlay to hide the malicious activity. These techniques rely on abusing Android’s accessibility services and have been observed in other Android bankers such as Crocodilus, Datzbro, and Klopatra.

“However, some applications implement protection against screen captures,” the company explained. “To avoid this, Massiv uses a so-called UI tree mode, which traverses the AccessibilityWindowInfo root and recursively processes the AccessibilityNodeInfo objects.”

This is done to build a JSON representation of visible text and content descriptions, UI elements, screen coordinates, and interaction flags that indicate whether a UI element is clickable, editable, focused, or enabled. Only nodes that are visible and contain text are exported to the attacker, who can then decide the next course of action by issuing specific commands to interact with the device.

The malware can perform a wide range of malicious actions:

  • Enable black overlay and mute sound and vibration
  • Send device information
  • Perform click and swipe actions
  • Modify the clipboard with specific text
  • Disable black screen
  • Turn screen streaming on/off
  • Unlock the device with a pattern
  • Serve an app, device pattern lock, or PIN overlay
  • Download the ZIP archive containing the overlay for the application
  • Download and install the APK file
  • Open the Battery Optimization, Device Administrator, and Play Protect settings screen
  • Request permission to access SMS messages, install APK packages, clear log database on device

Massiv is distributed via SMS phishing in the form of a dropper app that mimics IPTV apps. Once installed and launched, the dropper prompts the victim to install a “critical” update by granting it permission to install software from external sources. The names of the malicious artifacts are listed below.

  • IPTV24 (hfgx.mqfy.fejku) – Dropper
  • Google Play (hobfjp.anrxf.cucm) – Massiv
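A defender-side triage check for the two package names above and for the accessibility-service abuse described earlier, as an added example that is not from ThreatFabric or the original article. It assumes the inputs were captured with `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`; the allowlist, sample outputs, and class names are constructed.

```python
# Added example: triage text captured from a device under investigation with
#   adb shell pm list packages -3
#   adb shell settings get secure enabled_accessibility_services

# Package names listed in the article (dropper and payload).
MASSIV_PACKAGES = {"hfgx.mqfy.fejku": "dropper", "hobfjp.anrxf.cucm": "Massiv"}
# Assumption: accessibility services this fleet expects to see enabled.
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_packages(pm_output):
    """Package names from `pm list packages` lines ("package:<name>")."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def parse_a11y_services(setting_value):
    """Packages owning enabled accessibility services.
    The setting is a colon-separated list of "<package>/<class>" components,
    and is empty or the literal "null" when no service is enabled.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def triage(pm_output, a11y_setting):
    """Return sorted (severity, package, reason) findings."""
    installed = parse_packages(pm_output)
    a11y = parse_a11y_services(a11y_setting)
    findings = []
    for pkg in installed | a11y:
        if pkg in MASSIV_PACKAGES:
            state = "accessibility enabled" if pkg in a11y else "installed"
            findings.append(("high", pkg, f"{MASSIV_PACKAGES[pkg]}: {state}"))
        elif pkg in a11y and pkg not in ALLOWED_A11Y_PACKAGES:
            findings.append(("review", pkg, "unexpected accessibility service"))
    return sorted(findings)


# Constructed sample output, not taken from a real device.
SAMPLE_PM = "package:hfgx.mqfy.fejku\npackage:hobfjp.anrxf.cucm\npackage:org.example.notes\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "hobfjp.anrxf.cucm/.Svc:org.example.notes/.Helper")

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(*finding, sep="\t")
```

A "review" finding is not a verdict: it only marks an enabled accessibility service from a package outside the allowlist, which is the precondition for the remote control and UI tree features described above.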

“Most of the observed cases are simply disguised,” ThreatFabric said. “Real IPTV applications are not infected or did not contain malicious code to begin with. Droppers that mimic IPTV apps typically open a WebView containing an IPTV website, but the actual malware is already installed and running on the device.”

Over the past six months, the majority of Android malware campaigns using TV-related droppers targeted Spain, Portugal, France, and Turkey.

Massiv is the latest entrant into the already crowded Android threat landscape, reflecting the continued demand for such turnkey solutions among cybercriminals.

“While we have not yet observed it being promoted as Malware-as-a-Service, Massiv’s operators are showing clear signs of going down this path, introducing API keys used for malware communication with backends,” ThreatFabric said. “Code analysis reveals that development is ongoing and more features may be introduced in the future.”

