Massiv When your IPTV app terminates your savings

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings
• Blog Title: Massiv: When your IPTV app terminates your savings
• Suggested Section: Mobile Pentesting -> Android Applications Pentesting (new subsection: "Android AccessibilityService abuse / DTO remote control"; include UI-tree export to bypass FLAG_SECURE screenshot protections and operator command primitives over WebSockets)

🎯 Content Summary

What the post is about
ThreatFabric documents a new Android banking/Device Takeover (DTO) malware family named Massiv (named after one of its components). It has been seen in a limited number of targeted campaigns, but already linked to confirmed fraud cases in southern Europe. A key theme is a delivery trend: masquerading droppers as IPTV apps, leveraging the fact that IPTV users often side-load APKs from websites/Telegram (i.e., outside Goog...

🔧 Technical Details

IPTV-lure dropper + WebView distraction
A common social-engineering delivery pattern for Android malware is to masquerade as an IPTV app that users expect to install via side-loading. The dropper can keep the victim unsuspecting by opening a WebView that displays a real IPTV website while a separate malicious payload is installed/running in the background, increasing dwell time and reducing immediate suspicion.

Device Takeover via AccessibilityService + WebSocket C2
A robust DTO design can be built by pairing an AccessibilityService (to observe UI state and perform global actions / interactions) with a WebSocket command channel used to receive operator commands (e.g., home/back/recents, coordinate clicks/swipes, keystroke injection) and to exfiltrate UI telemetry back to the operator, enabling near-real-time remote operation of the victim device.

Bypassing screenshot protections with “UI-tree mode”
If an app blocks...

🤖 Agent Actions

Updated android-app-pentesting/accessibility-services-abuse.md with a new UI-tree export subsection explaining how Accessibility-based DTO malware bypasses FLAG_SECURE using JSON UI models, plus detailed Massiv-inspired WebSocket command primitives for remote control, overlays, permission coercion, and session management. Added the Massiv blog to references. No tests were run (documentation-only change).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new subsection: "Android AccessibilityService abuse / DTO remote control"; include UI-tree export to bypass FLAG_SECURE screenshot protections and operator command primitives over WebSockets)".

Repository Maintenance:

• MD Files Formatting: 948 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0