Expand Up @@ -285,6 +285,27 @@ private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){

This is the basis for commands like `txt_screen` (one-shot) and `screen_live` (continuous).

### UI-tree export to bypass FLAG_SECURE / screenshot protections
Textual dumps can be upgraded into structured DTO telemetry that works even when `FLAG_SECURE` or in-app screenshot blocks are present:
- Iterate `getWindows()` → `AccessibilityWindowInfo.getRoot()` and recursively walk `AccessibilityNodeInfo` children.
- Keep only “important” nodes: **visible** and (`isClickable` || `isEditable` || `getText()` / `getContentDescription()` is non-empty).
- Serialize JSON fields per node: `text`, `contentDescription`, `className`, **bounds** (`Rect`), and state flags (`clickable`, `editable`, `focused`, `enabled`). Include parent/child indices to preserve layout context.
- Ship the JSON snapshot over the WebSocket C2 so the operator can target elements by attributes/coordinates even without pixels.

This UI-tree mode is a common fallback for DTO malware to maintain control of banking apps that forbid MediaProjection / screen-capture.

### Massiv-style WebSocket DTO command set
ThreatFabric’s **Massiv** DTO uses a WebSocket channel for both UI telemetry (screen stream or UI-tree JSON) and operator commands. Useful primitives to replicate in test harnesses / RAT PoCs:
- **Global navigation**: `back`, `home`, `overview`, `power`, `wakeUp`.
- **Gesture/typing**: `click`, `swipe`, `swipeUp`, `swipeDown`, `keypress`.
- **Visibility control**: `enableGraphics` / `disableGraphics` to toggle MediaProjection streaming; `blackscreen` / `disableBlackscreen` to hide activity and mute.
- **Overlay/phishing control**: `inject`, `injectPattern`, `injectPin`, `updateInjects`, `get_files_zip` to fetch/refresh HTML overlays (including lock-screen PIN/pattern phishing).
- **Permission/persistence prompts**: `requestAdmin`, `requestBattery`, `requestGoogleProtect`, `requestInstallPermission`, `requestFileAccess`, `requestWriteSettings`, `requestMiuiBackground`, `requestPush`, `requestReadSms` (open the corresponding settings UI so Accessibility can auto-click consent).
- **Payload & data ops**: `installApk`, `uninstallApp`, `fileManager`, `clipboard`, `check`, `push`, `get_backup_addresses`, `log`.
- **Connection management**: `reinitialization` / `renicilization` to force WebSocket reconnects.

Pairing these verbs with the UI-tree export allows deterministic remote operation (e.g., click by coordinates from `bounds` or target nodes by `text`/`contentDescription`) even when screenshots are blocked.

## Device Admin coercion primitives
Once a Device Admin receiver is activated, these calls increase opportunities to capture credentials and maintain control:

Expand Down Expand Up @@ -327,5 +348,6 @@ Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-t
* [Android accessibility documentation – Automating UI interaction](https://developer.android.com/guide/topics/ui/accessibility/service)
* [The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)](https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats)
* [GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)](https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay)
* [Massiv: When your IPTV app terminates your savings](https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings)

{{#include ../../banners/hacktricks-training.md}}
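Review bot: the new reference entry is missing the "(ThreatFabric)" source suffix that the two preceding entries in this list carry; suggest `* [Massiv: When your IPTV app terminates your savings (ThreatFabric)](https://www.threatfabric.com/blogs/massiv-when-your-iptv-app-terminates-your-savings)` for consistency.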