Streaming Trap: researchers warn of banking trojans hidden in counterfeit IPTV apps

Cybersecurity experts are sounding an alarm over a "disturbing" surge in mobile malware disguised as legitimate IPTV streaming services. On February 19, 2026, threat intelligence firm ThreatFabric detailed the discovery of a sophisticated new Android trojan dubbed Massiv, which targets users who search for free or premium TV channels outside of official app stores.

The campaign highlights a growing trend where hackers exploit the "gray area" of streaming piracy - where users already expect to sidestep security warnings - to perform complete device takeovers and drain bank accounts.

The "Massiv" campaign: Targeting Southern Europe

The most recent and severe case involves the Massiv trojan, which has been aggressively spreading through Spain, Portugal, France, and Turkey over the last six months.

To lure victims, attackers create professional-looking websites or send SMS phishing links promoting "IPTV24" or "Free Premium TV" apps.

Once a user sideloads the initial app, it prompts them to install an "essential update." This update is actually the Massiv payload, which immediately requests Accessibility Service permissions.

In Portugal, researchers found the malware specifically targeting gov.pt and the Chave Móvel Digital (a digital identity system). By intercepting PINs and using fake screen overlays, the hackers opened new bank accounts and took out fraudulent loans in the victims' names, leaving them in massive debt.

The "Klopatra" incident

Another high-profile case emerged late in 2025 involving a fake app branded as Mobdro Pro IP TV + VPN.

Researchers at Cleafy found that this app was a "repackaged" version of a legitimate player, injected with the Klopatra banking trojan, a malware that allows hackers to stream the victim's screen in real-time.

If the victim opens a banking app, the hacker can see exactly what they are doing and even "interact" with the device remotely to authorize transfers while the user sees nothing but a black screen.

Why IPTV is the perfect "Trojan Horse"

Security analysts note that IPTV is uniquely effective for malware distribution for three reasons:

• Inherent trust deficit: Because many IPTV services are technically illegal or "unofficial," users are already accustomed to ignoring Google Play Protect warnings and "sideloading" apps from unknown sources.

• Longevity: Unlike a fake "Utility" app that a user might delete after one use, a streaming app stays on the device for months, providing a long-term foothold for the malware.

• Access permissions: Many legitimate media players require high-level permissions to function (like storage or overlaying other apps), making it easier for malicious apps to ask for the same access without raising suspicion.

How to avoid the trap

Researchers stress that "free" premium content almost always comes with a hidden cost. To stay safe:

• Avoid sideloading: Never install an .apk file sent via SMS, Telegram, or downloaded from a random website.

• Check the developer: Before downloading a "Smarters" or "IPTV Player" from the Play Store, verify the developer name against the official company website.

• Limit accessibility services: If a TV app asks for permission to "observe your actions" or "retrieve window content," it is almost certainly malicious.