Cyber: Fake Iptv Apps Spread Massiv Android Malware Targeting Mobile...
Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that's designed to facilitate device takeover (DTO) attacks for financial theft.
The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily singling out users looking for the online TV applications.
"This new threat, while only seen in a limited number of rather targeted campaigns, already poses a great risk to the users of mobile banking, allowing its operators to remotely control infected devices and perform device takeover attacks with further fraudulent transactions performed from the victim's banking accounts," the Dutch mobile security company said in a report shared with The Hacker News.
Like various Android banking malware families, Massiv supports a wide range of features to facilitate credential theft through a number of methods: screen streaming through Android's MediaProjection API, keylogging, SMS interception, and fake overlays served atop banking and financial apps. The overlay asks users to enter their credentials and credit card details.
One such campaign has been found to target gov.pt, a Portuguese public administration app that allows users to store identification documents and manage the Digital Mobile Key (aka Chave Móvel Digital or CMD). The overlay tricks users into entering their phone number and PIN code, likely in an effort to bypass Know Your Customer (KYC) verification.
ThreatFabric said it identified cases where scammers used the information captured through these overlays to open new banking accounts in the victim's name, allowing them to be used for money laundering or getting loans approved without the actual victim's knowledge.
In addition, it serves as a fully functional remote-control tool, granting the operator the ability to access the victim's device stealthily while showing a black screen overlay to conceal the malicious activity. These techniques, realized by abusing Android's accessibility services, have also been observed in several other Android bankers like Crocodilus, Datzbro, and Klopatra.
"However, some applications implement protection against screen capture," the company explained. "To bypass it, Massiv uses so-called UI-tree mode -- it traverses AccessibilityWindowInfo roots and recursively processes AccessibilityNodeInfo objects."
This is done so as to build a JSON representation of visible text and content descriptions, UI el
Source: The Hacker News
