A new Android banking malware, which researchers named Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts.
The malware relies on screen overlays and keylogging to obtain sensitive data and can take remote control of a compromised device.
In a campaign observed by researchers at fraud detection and mobile threat intelligence company ThreatFabric, Massiv targeted a Portuguese government app that connects with Chave Móvel Digital - Portugal’s digital authentication and signature system.
The two services hold user data that could be used to bypass know-your-customer (KYC) checks or to access bank accounts and other public and private online services.
Overlays used by Massiv
Source: ThreatFabric
“MTI research identified cases where new accounts were opened in the name of the victim (user of the infected device) in new banks and services (not used by the victim),” describes the ThreatFabric report.
“Since those accounts are fully under fraudster control, they can further use them as a part of a money laundering scheme as well as for getting loans and cashing out the money, leaving the unsuspecting victim in debt at a bank where they never opened an account themselves.”
Massiv provides two remote control modes for its operators: a screen live-streaming mode that leverages Android’s MediaProjection API, and a UI-tree mode that extracts structured data from the Accessibility Service.
The latter includes visible text, interface element names, screen coordinates, and interaction attributes, allowing attackers to click buttons, edit text fields, and more.
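Because the UI-tree mode depends on the malware holding accessibility-service access, the first thing to check on a suspect device is which apps have been granted it. The script below is an added example, not ThreatFabric's or the malware's code: it parses the value of Android's `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` component names, which an investigator can pull with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on a device owner's allowlist. The sample setting value, the `com.example.iptvplayer` package and the allowlist are constructed for the example.

```python
"""Audit which apps hold Android accessibility-service access.

Added example (not ThreatFabric's or the malware's code). Input is the raw
value of the `enabled_accessibility_services` secure setting, obtainable with
    adb shell settings get secure enabled_accessibility_services
The value is a colon-separated list of ComponentName strings of the form
`package/service_class`; the class part may be written in the abbreviated
`.Relative` form, which is expanded against the package name here.
"""
from typing import Iterable, List, Tuple

# Constructed allowlist: packages the device owner has decided may hold
# accessibility access (e.g. a screen reader). Everything else is flagged.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

# Constructed sample of what `settings get` might return on an infected
# device: a legitimate screen reader plus an unknown "IPTV" app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/.AccessService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully-qualified class) pairs.

    `settings get` prints the literal string "null" when the setting is
    unset, which is treated the same as an empty list.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services: List[Tuple[str, str]] = []
    for item in raw.split(":"):
        item = item.strip()
        if "/" not in item:
            continue  # skip malformed entries rather than guess
        package, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = package + cls  # expand abbreviated ComponentName form
        services.append((package, cls))
    return services


def flag_untrusted(
    services: Iterable[Tuple[str, str]],
    trusted: Iterable[str] = TRUSTED_PACKAGES,
) -> List[Tuple[str, str]]:
    """Return the services whose package is not on the allowlist."""
    trusted_set = set(trusted)
    return [(pkg, cls) for pkg, cls in services if pkg not in trusted_set]


if __name__ == "__main__":
    enabled = parse_enabled_services(SAMPLE_SETTING)
    for pkg, cls in flag_untrusted(enabled):
        print(f"UNTRUSTED accessibility service enabled: {pkg} ({cls})")
```

A service that shows up here was enabled by the user (or by something driving the UI on their behalf), so an unexpected entry is a lead, not proof; confirm by checking where the package was installed from and whether its name matches a plausible accessibility use. The MediaProjection streaming mode has no equivalent persistent setting, since that permission is granted per session through a system dialog.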