The PolySwarm Blog


Massiv Android Banking Trojan

Feb 23, 2026 2:39:35 PM / by The Hivemind

Verticals Targeted: Financial, Government
Regions Targeted: Southern Europe
Related Families: None

Executive Summary

Massiv represents an emerging Android banking Trojan family capable of overlay-based credential theft, keylogging, message interception, and full device takeover via remote control features, enabling fraudulent transactions and account manipulations. Distributed primarily through fake IPTV applications sideloaded outside official stores, it has facilitated confirmed fraud in southern Europe, particularly exploiting Portuguese government digital identity tools for bypassing security verifications.

Key Takeaways

  • Massiv is a novel Device Takeover malware family, independent of existing known threats, featuring overlay attacks, credential harvesting, and advanced remote access.
  • Operators leverage AccessibilityService for near real-time UI monitoring and manipulation, supporting screen streaming via MediaProjection API and a fallback UI-tree mode using JSON representations of interface elements.
  • Distribution relies on masquerading as IPTV applications, capitalizing on users' willingness to sideload apps from unofficial sources for premium or restricted content.
  • Campaigns exhibit targeted fraud, including new account openings in victims' names for money laundering, loans, and cash-outs.

What is Massiv?

Massiv emerges as a sophisticated Android banking Trojan, distinguished by its comprehensive remote control capabilities that enable operators to conduct Device Takeover attacks. The malware equips threat actors with tools for credential theft through overlays that mimic legitimate application interfaces, keylogging, and interception of SMS and push notifications. These features allow the extraction of sensitive information, including banking credentials and credit card details, paving the way for unauthorized transactions. ThreatFabric reported on this novel malware.

A notable aspect of Massiv's operations involves targeting the Portuguese government application gov[.]pt, which functions as a digital identity wallet. Overlays prompt victims for phone numbers and PIN codes, enabling fraudsters to harvest details necessary for bypassing Know Your Customer (KYC) processes. This connects to Chave Móvel Digital, Portugal's digital authentication system used for secure access to public and private services, including online banking. By compromising these mechanisms, operators can directly access victim banking accounts to approve fraudulent activities.

Beyond initial data theft, Massiv grants remote operators extensive device control through the FuncVNC class, built atop Android’s AccessibilityService. This establishes a persistent control channel over WebSocket for transmitting commands and receiving UI data. The malware supports dual remote session modes: screen streaming, which utilizes the MediaProjection API to share live screen content, and UI-tree mode. In the latter, Massiv traverses AccessibilityWindowInfo roots to recursively process AccessibilityNodeInfo objects, constructing a JSON model containing visible text, content descriptions, class names, screen coordinates, and interaction flags, such as clickable, editable, focused, or enabled. Only significant nodes, those visible, interactive, or text-bearing, are included to minimize data overhead and prioritize actionable elements. This structured representation permits operators to identify UI components precisely, comprehend layouts, and execute automated interactions.

Observed campaigns distribute Massiv by disguising it as IPTV applications, which provide access to online television services, often involving region-restricted or copyright-violating content unavailable on Google Play. Users accustomed to sideloading such apps from websites or Telegram channels encounter reduced suspicion when prompted to enable unknown sources. In analyzed instances, the dropper launches a WebView displaying a legitimate IPTV site while silently installing and activating the malware.
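The capability profile described above (an AccessibilityService for UI monitoring and automated interaction, overlays drawn over banking apps, SMS and push-notification interception, MediaProjection screen streaming, and a dropper that silently installs the payload) can be turned into a triage rule for sideloaded APKs. The Python below is an added example written for this bulletin; it is not code from PolySwarm or ThreatFabric and is not derived from the Massiv samples. It parses a decoded AndroidManifest.xml, collects the declared capabilities, and flags the combination. The permission names are real Android platform permissions; the weights, the flagging threshold, and the two sample manifests (package names, service names, labels) are constructed assumptions.

```python
"""Capability triage for sideloaded Android APK manifests (added example).

Given a decoded AndroidManifest.xml, collect the capabilities a device-takeover
banking Trojan needs and flag the combination. Permission names are real Android
platform permissions; weights and the flagging rule are this example's heuristic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# capability -> (weight, <uses-permission> names, <service android:permission> name)
CAPABILITIES = {
    # AccessibilityService: UI-tree reading, keylogging, automated taps
    "accessibility_control": (4, set(), "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    # Drawing over other apps: fake login overlays
    "overlay": (3, {"android.permission.SYSTEM_ALERT_WINDOW"}, None),
    # One-time codes delivered by SMS
    "sms_interception": (2, {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}, None),
    # Push notifications from banking apps
    "notification_interception": (2, set(), "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    # MediaProjection screen streaming; only declared by apps targeting API 34+,
    # so its absence is not evidence of absence on older targets
    "screen_capture": (2, {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"}, None),
    # Dropper installing a second-stage package
    "dropper_install": (2, {"android.permission.REQUEST_INSTALL_PACKAGES"}, None),
}


def extract_capabilities(manifest_xml: str) -> set:
    """Return the set of capability names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Privileged system services announce themselves by requiring the
    # matching BIND_* permission on their <service> element.
    service_perms = {el.get(PERM_ATTR) for el in root.iter("service")}
    found = set()
    for cap, (_, perms, service_perm) in CAPABILITIES.items():
        if perms & requested:
            found.add(cap)
        if service_perm is not None and service_perm in service_perms:
            found.add(cap)
    return found


def risk_score(capabilities: set) -> int:
    """Sum the heuristic weights of the declared capabilities."""
    return sum(CAPABILITIES[c][0] for c in capabilities)


def triage(manifest_xml: str) -> dict:
    """Flag the device-takeover profile: accessibility control combined with
    at least two of the other capabilities."""
    caps = extract_capabilities(manifest_xml)
    flagged = "accessibility_control" in caps and len(caps) >= 3
    return {"capabilities": sorted(caps), "score": risk_score(caps), "flagged": flagged}


# Constructed manifests for demonstration; not real Massiv artifacts.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="IPTV Player">
    <service android:name=".UiService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Plain Player">
    <service android:name=".PlaybackService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

The rule keys on the combination rather than any single permission: a legitimate streaming player has a reason to request INTERNET, but none to bind an AccessibilityService while also requesting overlay, SMS, and package-install rights. Run it over manifests extracted with apktool or androguard from apps found outside Google Play; a flagged result is a triage signal for closer analysis, not a verdict.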

This IPTV masquerading tactic aligns with a broader trend in the mobile threat landscape, with increased samples observed over the past 6-8 months targeting Spain, Portugal, France, and Turkey. While browser update lures remain prevalent, IPTV themes exploit niche user behaviors effectively. Massiv demonstrates ongoing evolution, incorporating API keys for backend communication, suggesting potential future expansion or transition toward a Malware-as-a-Service model. Although campaigns remain limited and targeted, its potent capabilities warrant vigilant monitoring by financial institutions to detect emerging threats that may evade broader detection due to their focused scope.

IOCs

PolySwarm has multiple samples associated with this activity.


54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e

f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6


Click here to view all samples of Massiv in our PolySwarm portal.


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, device takeover, Android banking trojan, Android Overlay Attacks, IPTV masquerade, mobile banking fraud, remote control Android, Massiv malware, southern Europe threats
