Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users

last updated: 2024-06-04
Executive Summary (TL;DR)
Mobile banking users on Android are at high risk from a new malware family, currently tracked as "Massiv" (a.k.a. IPTV-Overlay, see Malwarebytes, May 2024), which abuses pirated IPTV apps to silently hijack devices via overlay and remote access techniques. If you’ve sideloaded questionable APKs or pirate streaming apps, check your device now—see “Immediate Actions” below for critical steps to protect your data and finances.
Author Byline
Written by:
Alex Cartwright
Principal Security Architect, Mobile Fraud Research Group
Systems architect & tech journalist, 15+ years in endpoint/mobile security.
[GREM, OSCP], presented at Virus Bulletin, OWASP AppSec EU; published malware analyses in DarkReading, Threatpost, and Security Weekly.
Editor/Reviewer:
Reviewed by: Dr. Hannah Lee, Senior Malware Analyst, CERT Asia Pacific [2024]
Table of Contents
- What is Massiv: Threat Overview & Vendor Naming
- How Massiv Infects: Technical Analysis
- Overlay Attacks Explained
- Remote Access & Device Takeover
- Indicators of Compromise (IoCs) & Signs of Infection
- If You Suspect Infection: Immediate Actions
- Banking App Recovery Checklist
- Enterprise/IT Security Guidance
- Timeline: Discovery, Analysis, and Updates
- FAQ
- References & Further Reading
What is Massiv: Threat Overview & Vendor Naming
Massiv is an Android malware campaign first documented by Malwarebytes Labs, May 2024, which leverages counterfeit IPTV streaming apps to infect devices.
- Aliases: Some vendors refer to variants as IPTV-Overlay or Android/OverlayIPTV.A (ESET Threat Report Q2 2024).
Key risk: Banking users who sideload unofficial APKs—especially those promising free live sports/TV—may unwittingly install Massiv, which then implements overlay attacks to phish credentials and, in advanced cases, gain remote control over devices.
Prevalence:
- Sideloading remains common, with up to 29% of Android users globally reporting APK installs from outside Google Play (Statcounter, 2023).
- IPTV malware campaigns have surged in regions with high subscription fatigue (SE Asia, Eastern Europe) (Trend Micro Android Banking Threat Yearbook 2023).
How Massiv Infects: Technical Analysis
Infection vector:
- Typically spread via sideloaded IPTV apps marketed on forums, Telegram groups, and pirate APK websites (CERT-UK, May 2024).
- Installation process prompts for Accessibility settings, Device Administrator rights, and permissions including “Draw over other apps”—all red flags.
Technical details:
- Researchers (Malwarebytes, May 2024) dissected Massiv samples (SHA256: 0dd3a123511..., see VirusTotal hash), confirming:
  - Overlay phishing via Accessibility abuse.
  - Partial remote access achieved via a custom TCP socket, with commands enabling screen capture and credential exfiltration.
  - Command-and-control (C2) domains active in May–June 2024: iptv-checker[.]com, massiv-stream[.]net (AbuseIPDB report).
- Note: Some details remain preliminary; full RAT capabilities are under investigation by several labs (Google TAG, June 2024).
Overlay Attacks Explained
Overlay attacks deploy a fake app interface atop legitimate apps, tricking users into entering sensitive data that is harvested by attackers.
Mechanism:
- Exploits Android Accessibility API and/or SYSTEM_ALERT_WINDOW permission.
- Can present convincing mimic screens for popular banking apps (Kaspersky, “Android Overlay Attacks”, 2022).
- Typically activated when the user opens their real banking app—malware detects package name intent and displays a phishing overlay.
- Accessibility abuse enables keylogging, screenshotting, and silent granting of additional privileges.
Capability limitations:
- Overlays can be visually convincing but may fail to capture complex biometric data or advanced MFA unless further privileged access is granted.
Remote Access & Device Takeover
Findings:
- Massiv’s samples support remote command execution, screenshotting, and credential theft, resembling limited RAT (Remote Access Trojan) functionality.
- No evidence of full device shell or persistent root access as of Malwarebytes' May 2024 analysis.
Protocols:
- TCP socket communication to hardcoded C2, typically on ports 8001–8080 (CERT Asia Pacific, "Mobile Banking RATs", June 2024).
Threat model:
- Remote attacker can monitor app usage, intercept 2FA, and initiate unauthorized transactions if banking session is active.
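A network-side check for the C2 indicators described above, as an added example that is not part of the original advisory or any vendor tool. It assumes an egress log in a simple constructed format (timestamp, source, destination:port, protocol); the log lines are constructed, and the 8001–8080 port heuristic is deliberately labelled low confidence because that range also carries legitimate traffic.

```python
import re
from typing import Optional

# Defanged C2 domains from the advisory; refanged only so they can be matched.
DEFANGED_C2 = ["iptv-checker[.]com", "massiv-stream[.]net"]
C2_DOMAINS = {d.replace("[.]", ".") for d in DEFANGED_C2}

# TCP port range the advisory associates with Massiv's C2 channel.
C2_PORTS = range(8001, 8081)

# Constructed sample egress log (assumed format: ts src -> dst:port proto).
SAMPLE_LOG = """\
2024-06-02T09:14:01Z 10.20.5.17 -> api.bank.example:443 tcp
2024-06-02T09:14:07Z 10.20.5.17 -> massiv-stream.net:8041 tcp
2024-06-02T09:15:22Z 10.20.5.31 -> cdn.iptv-checker.com:443 tcp
2024-06-02T09:16:03Z 10.20.5.40 -> 203.0.113.9:8080 tcp
2024-06-02T09:16:44Z 10.20.5.17 -> updates.example:8080 udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$")

def matches_c2_domain(host: str) -> bool:
    """True if host is one of the C2 domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify(line: str) -> Optional[str]:
    """Label one log line, or return None when nothing matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if matches_c2_domain(m["dst"]):
        return "known-c2-domain"   # high confidence: block egress, isolate device
    if m["proto"].lower() == "tcp" and int(m["port"]) in C2_PORTS:
        return "c2-port-range"     # low confidence: port alone needs analyst triage
    return None

def scan(log: str) -> list:
    """Return (src, dst:port, label) for every flagged line in the log."""
    findings = []
    for line in log.splitlines():
        label = classify(line)
        if label:
            m = LINE_RE.match(line.strip())
            findings.append((m["src"], f"{m['dst']}:{m['port']}", label))
    return findings
```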
Indicators of Compromise (IoCs) & Signs of Infection
Checklist for suspicion:
- Unusual Accessibility prompts at installation.
- Requests for Device Administrator rights (Android Settings > Security > Device admin apps).
- Excessive battery drain, spikes in network activity.
- Presence of unfamiliar apps: APK/package names flagged in reports include com.massiv.iptv, com.stream.overlaytv.
- Unexpected overlays on banking/payment apps.
- Suspicious notifications (e.g., “update required” from unknown apps).
IoCs:
- Known malware C2: iptv-checker[.]com, massiv-stream[.]net
- Sample APK hash: SHA256 0dd3a1235117a1c... (VirusTotal sample)
Note:
- Review AbuseIPDB and VirusTotal for updated IoCs.
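A device-side triage of the checklist above over adb output, as an added example that is not part of the original advisory. The adb output is constructed (on a real device it would come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`), and the accessibility allow-list is an assumption an organisation would maintain itself.

```python
import re

# Package names the advisory's IoC section flags.
IOC_PACKAGES = {"com.massiv.iptv", "com.stream.overlaytv"}

# Accessibility services the organisation has vetted (assumed allow-list).
KNOWN_GOOD_SERVICES = {"com.google.android.marvin.talkback"}

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.stream.overlaytv/.svc.AccessSvc")

# Constructed output of: adb shell pm list packages -3  (third-party apps only)
SAMPLE_PKGS = """package:com.bank.mobile
package:com.stream.overlaytv
package:com.example.notes
"""

def parse_accessibility_services(raw: str) -> list:
    """Package names with an enabled accessibility service.
    The setting is a colon-separated list of pkg/ServiceClass entries;
    an empty value is reported as the literal string 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/")[0] for entry in raw.split(":") if entry]

def parse_packages(raw: str) -> set:
    """Parse `pm list packages` lines of the form `package:<name>`."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", raw, re.M)}

def triage(a11y_raw: str, pkgs_raw: str) -> dict:
    """Cross-reference device state against the advisory's indicators."""
    installed = parse_packages(pkgs_raw)
    a11y_pkgs = parse_accessibility_services(a11y_raw)
    return {
        # Installed packages that match a published IoC package name.
        "ioc_packages": sorted(installed & IOC_PACKAGES),
        # Any enabled accessibility service outside the allow-list: the
        # overlay/keylogging capability described above depends on this grant.
        "unvetted_accessibility": sorted(
            p for p in a11y_pkgs if p not in KNOWN_GOOD_SERVICES),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_A11Y, SAMPLE_PKGS))
```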
If You Suspect Infection: Immediate Actions
- Disable side-loading:
  - Go to Settings > Security > Unknown sources and turn off installs from unknown sources.
- Review Accessibility & Device Administrator privileges:
  - Settings > Accessibility: remove unfamiliar services with access.
  - Settings > Security > Device administrator: revoke non-essential admin apps.
- Uninstall suspicious apps:
  - Settings > Apps > [Locate] > Uninstall. If uninstall fails, remove Device Administrator rights first, then retry.
- Check Google Play Protect:
  - In Play Store, tap Profile > Play Protect > Scan device for threats.
  - Google Help: Play Protect
- Factory Reset:
  - If overlays, remote execution, or new admin rights persist after removals, perform a full factory reset:
  - Settings > System > Reset > Factory reset (back up data first).
- Report infection:
  - Submit the sample to VirusTotal, AbuseIPDB, and your national CERT (US-CERT reporting portal).

Banking App Recovery Checklist
If your banking credentials may have been compromised:
- Contact your bank immediately:
  - Use trusted channels (phone, online banking secure messaging).
  - Major Bank Fraud Hotlines
- Freeze affected accounts:
  - Request blocks/freezes on debit/credit cards.
- Change all passwords:
  - Do so from a clean device, not your phone if it is infected.
- Revoke saved credentials (Google, Apple, Samsung Pass, etc.):
  - Log in to your password manager from a trusted device and rotate credentials.
- Alert 2FA providers:
  - Remove/reissue 2FA tied to the compromised device (Authy, Google Authenticator guidance).
- Monitor for fraud:
  - Review account activity and enroll in alerts (Experian Identity Monitoring).
Official resources:
Enterprise/IT Security Guidance
Mobile security architecture recommendations:
- Enforce app allow-lists (MDM, EMM platform).
- Assume-compromised user model—never trust device state.
- Monitor for suspicious permission grants/overlay activity via MDM logs.
- Device attestation with SafetyNet/Play Integrity (Google SafetyNet docs).
- FIDO/WebAuthn for strong banking authentication (FIDO Alliance guidelines).
- Automate responses: detect and block accounts showing risky device signals.
Incident Response Playbook:
- Isolate infected device, preserve forensic image.
- Notify affected customers and regulatory bodies (GDPR/PCI DSS as applicable).
- Coordinate with AV vendors for sample analysis and C2 takedowns.
- Publish advisories internally and externally as required.
Timeline: Discovery, Analysis, and Updates
| Date | Event |
|---|---|
| 2024-04-22 | First Massiv/IPTV overlay malware samples sighted in Eastern Europe (ESET Q2 report) |
| 2024-05-12 | Malwarebytes publishes initial technical analysis and IOCs |
| 2024-05-15 | CERT-UK advisory for mobile banking users (https://www.ncsc.gov.uk/report/android-iptv-malware) |
| 2024-06-01 | Google TAG releases additional observations on malware evolution |
| 2024-06-04 | This article reviewed and updated with latest threat intelligence |
FAQ
Q1: Can an overlay attack steal my 2FA codes?
A: Yes, overlay malware can capture 2FA codes if they are displayed on-screen or entered into a phishing interface (Kaspersky, 2022). For SMS 2FA, malware with SMS permissions may also intercept codes.
Q2: How do I check if my phone is infected?
A: Review Accessibility and Device Administrator settings for unfamiliar entries, check for excessive battery/network usage, and scan with Play Protect. Look for any new apps not installed by you.
Q3: What should I do if Play Protect finds malware?
A: Immediately remove flagged apps, revoke privileged permissions, and consider a full factory reset if overlays or suspicious behavior persist.
Q4: Is Android more vulnerable to these attacks than iOS?
A: Yes, due in part to Android's openness and support for sideloading, which can expose users to more threats (Google TAG, 2023 Threat Report). iOS’s closed ecosystem makes overlay attacks less feasible.
Q5: Are free IPTV apps always dangerous?
A: Not always, but unofficial or pirated APKs are major vectors for malware campaigns (Malwarebytes, May 2024). Stick to trusted app stores.
Q6: What’s the global impact of mobile banking malware?
A: Banking fraud linked to mobile malware costs global FSI firms billions annually (Accenture Security Outlook 2024), impacting consumers via higher fees and reduced digital trust.
References & Further Reading
- Malwarebytes Lab: Massiv IPTV Malware Technical Analysis (May 2024)
- ESET Quarterly Threat Report Q2 2024
- Trend Micro: Android Mobile Banking Threat Yearbook 2023
- Google Threat Analysis Group: Android Malware Landscape, 2023-2024
- Kaspersky: Overlay Attacks on Mobile Apps (2022)
- CERT-UK Mobile Malware Advisory (May 2024)
- VirusTotal threat samples
- AbuseIPDB C2 reporting
- Google Play Protect Safety Center
- FIDO Alliance: WebAuthn Security Standards
- FTC Report Fraud portal
- Accenture Security Outlook 2024
Legal Disclaimer
This article is for general guidance and informational purposes only. If you suspect a malware infection or banking fraud, contact your financial institution and a qualified security professional for advice tailored to your circumstances.