Normal view

Received — 8 June 2026 Kaspersky official blog

How fake Android IPTV apps are stealing users’ money and data | Kaspersky official blog

Threat actors are already gearing up for this year’s biggest football (soccer) event, the World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.

In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.

What are IPTV apps?

IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.

However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events; football matches in particular.

As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.

Massiv banking Trojan disguised as IPTV apps

For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasn’t the only malware leveraging this tactic — several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and Türkiye.

In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didn’t get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.

Of course, the most interesting activity happened out of the user’s sight. These are some of the features the malware did have:

  • Displaying fake windows on top of legitimate ones: fake forms for entering bank details or signing in to official services, as shown in the screenshot below.
  • Activating a keylogger: recording and transmitting screen keyboard taps to the attackers.
  • Hijacking control of the compromised device.
Massiv Trojan steals Chave Móvel Digital data

The Massiv banking Trojan mimics the interface of the Portuguese government app Chave Móvel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play. Source

Perseus steals valuable information from users’ notes

In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.

Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.

Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices — a topic we’ve covered in detail across several of our posts.

Fake IPTV app used for distributing Perseus

An example of a malicious APK disguised as Roja Directa TV, another IPTV app. Source

By abusing Accessibility Services, Perseus gains remote control over the victim’s device. Here’s what it can do:

  • Continuously capture and exfiltrate screenshots.
  • Send a structured map of the device’s UI for remote manipulation.
  • Mimic taps, swipes, text input, long presses, and other UI interactions.
  • Turn on the screen, launch apps, and block them from running.
  • Trigger a pitch-black screen overlay to hide its activities.
  • Log keystrokes.

On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.

All of these capabilities help criminals drain football fans’ money not just from various banking services, but from cryptocurrency apps as well.

How not to let cybercrooks ruin your World Cup

The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this year’s premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch the  matches safely?

  • Don’t download apps from unofficial stores.
  • Even when downloading an app from an official store — since malware occasionally slips through the cracks there, too— read the reviews carefully. Users who have been burned by fakes and malware often leave comments to warn others.
  • Install a robust security app to keep all your devices safe from malware.
  • Avoid storing passwords or other sensitive information in note-taking apps. To ensure your data and finances stay secure, use a reliable password manager. By the way, Kaspersky Password Manager includes an encrypted note-taking feature, allowing you to store your valuable information safely.

You can’t even watch TV safely anymore these days! Check out other threats facing TV lovers:

Received — 24 May 2026 Kaspersky official blog

Breaking down the new Qualcomm chip vulnerability | Kaspersky official blog

Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.

This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.

What is BootROM?

To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the fab.

The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.

This is exactly what attackers can do by exploiting the CVE-2026-25262 vulnerability discovered by Kaspersky ICS CERT researchers.

Emergency Download Mode as an entry point

The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.

Sahara is implemented directly within the ARM PBL (Primary Boot Loader) — the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.

The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.

Write-what-where: the core of the vulnerability

In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.

Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.

Which devices are affected

The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 — every single version released to date, until the vulnerability is patched by the manufacturer.

These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones, while the SDX50 is used in automotive control units.

How vulnerable devices get attacked

The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:

  • Smartphone repairs at third-party repair shops, where the phone is left for several hours
  • Customs checkpoints in certain countries, where devices are withheld, inspected, and then returned
  • Lost and found scams, where your phone is stolen, tampered with, and then mysteriously found
  • Corporate espionage via an insider or a rogue employee

With just a few minutes of physical access to the device an attacker can plant a backdoor so deep inside that standard research tools won’t even detect it in most cases.

Why there’s no patch — and what to do

Qualcomm was notified of the discovery in March 2025 and confirmed the vulnerability in its chips. To identify it, the vendor reserved CVE-2026-25262, and on April 20, 2026, Kaspersky ICS CERT published technical information on the vulnerability and recommendations for users.

Qualcomm included this vulnerability in its May security bulletin. While fixing already-made devices is fundamentally impossible, the company promised to make all future chips without this vulnerability.

If you currently own a device with an affected chip, use our recommendations below to help mitigate the risk of infection.

  • Enforce strict physical control: don’t leave your devices unattended, especially when traveling or on business trips.
  • Choose only authorized service centers for repairs and maintenance.
  • Regularly update your firmware — this won’t patch the BootROM vulnerability, but it can eliminate many related vulnerabilities at higher levels.
  • Use a Kaspersky for Android on your device. This will safeguard your gadget from other threats that, combined with this vulnerability, could lead to unpredictable consequences.

If you notice that your gadget with a vulnerable Qualcomm chip starts acting up — overheating when idle, reporting unexpected spikes in network traffic, or exhibiting strange app behavior — you may have fallen victim to this vulnerability. You can wipe the malicious code and reset your device to its baseline state simply by completely cutting its power. This means either pulling the battery or letting it drain all the way to zero until the gadget shuts down entirely. In this case, the malicious code will most likely not persist on the device — during our research, we were unable to confirm that it could achieve persistence in non-volatile memory.

Want to learn more about severe vulnerabilities in Android phones? Check out these posts:

Received — 21 May 2026 Kaspersky official blog

Malicious TV boxes: how a cheap “SuperBox” turns your home into a proxy node for cybercriminals | Kaspersky official blog

20 May 2026 at 17:35

Netflix, Apple TV+, Disney+, Hulu, Amazon Prime, YouTube Premium… The average law-abiding family today pays for five to 10 subscriptions just to watch their shows of choice, with the monthly bill easily crossing the hundred-dollar mark. It’s no surprise, then, that social media and online marketplaces are seeing a surge in demand for the “magic boxes” that popped up at the end of 2025: Android-powered TV boxes that promise to unlock thousands of channels and every streaming service subscription-free for a one-time purchase.

Ads for these devices are flooding TikTok and Instagram: smiling influencers unbox the SuperBoxes, plug them into a TV, and browse endlessly through channels. It looks like the ultimate life hack against subscription fatigue, right? In reality, it’s one of the easiest ways to invite a botnet into your home network.

Screenshot of a TikTok video showing a SuperBox in action

A promotional video on TikTok explaining how great it is when the cheese is free you can just go ahead and cancel all your subscriptions

What’s wrong with these cheap TV boxes?

Stories about malicious TV boxes have surfaced before, but right now, their marketing has reached a truly alarming scale.

At the end of 2025, analysts examined several models of the popular SuperBox device available from major retail stores and online marketplaces. The findings were deeply concerning: immediately upon powering up, the devices began pinging the servers of the Chinese messaging app Tencent QQ, as well as the Grass proxy service — effectively renting out the owner’s internet bandwidth to third parties.

Inside the firmware, researchers discovered applications completely uncharacteristic of a media player: a network scanner, a traffic analyzer, and tools for DNS hijacking. Consequently, the device not only streams pirated content but also scans the local network for other targets (including industrial SCADA interfaces), and stands ready to participate in DDoS attacks. The SuperBoxes were also found to contain folders with the telltale name “secondstage”, a textbook indication of multi-stage malware.

More recently, in April 2026, the Darknet Diaries podcast featured an interview with a security researcher known by the alias D3ada55, who shared plenty of intriguing details about these boxes — including the fact that they were still openly sold on major platforms like Amazon, Walmart, and Best Buy.

The infection chronicles: BADBOX to Keenadu

The SuperBox case is far from the only instance where Android devices have been turned into botnet nodes — or sold infected right out of the box. Here’s a look at the most recent cases:

  • BADBOX 2.0. In July 2025, Google filed a lawsuit against the operators of a botnet that compromised over 10 million Android devices — mostly cheap TV boxes, tablets, and projectors lacking Google Play Protect certification. As we reported earlier, BADBOX 2.0 specifically targets TV boxes, operating simultaneously as a proxy network and an ad fraud engine.
  • Kimwolf. In December 2025, the QiAnXin XLab team uncovered a DDoS botnet that had hijacked around 1.8 million Android devices. The infected hardware included generic models from off-brand manufacturers sporting high-profile names like TV BOX, SuperBox, XBOX, SmartTV, and others. The infection footprint was massive, with compromised devices shipped worldwide. Among the hardest-hit countries were Brazil, India, the U.S., Argentina, South Africa, the Philippines, and Mexico.
  • Keenadu. Our experts discovered this malware lurking in the firmware of brand-new devices back November 2025, though it didn’t gain widespread attention until after we published a study about it in February 2026. Keenadu masquerades as legitimate system components, embedding itself even into facial-recognition unlock apps, potentially granting attackers access to biometrics, banking data, and personal messages.

All of these stories share the same origin: the Triada Trojan, first documented by our researchers back in 2016 and dubbed at the time “one of the most advanced mobile Trojans”. Over the past decade it has evolved from a standard piece of malware into a modular backdoor baked directly into firmware during manufacturing.

How the infection scheme works

Manufacturers of cheap TV boxes cut corners on absolutely everything: Google Play Protect certification, firmware audits, and security updates. Many of these devices run on the Android Open Source Project without any security guarantees whatsoever. Somewhere along the supply chain — whether at the factory, through a middleman, or at a distributor — a backdoor gets injected into the firmware image. Our experts suspect that the manufacturer itself might not even be aware of the compromise.

The sheer scale of the infection turns millions of identical boxes into the perfect foundation for a botnet: every compromised device represents a unique IP address that can be rented out to anyone. Botnet operators like Kimwolf monetize this not only through distributed DDoS attacks but also by reselling the bandwidth of infected smart TVs and streaming boxes.

What this means for you

An infected TV box sits right in your living room, connected to your home Wi-Fi. That means it can see smartphones running banking apps, network-attached storage (NAS) units holding family archives, IP cameras, smart locks, work laptops, and any other the devices connected to your Wi-Fi network.

With this kind of beachhead inside your home network, an attacker can intercept unencrypted traffic, spoof DNS requests, scan ports, and hunt for vulnerabilities on neighboring devices. On top of that, they can use your IP address for fraudulent activity. As a result, in the best-case scenario, your IP will end up blacklisted, and legitimate services will start blocking you for suspicious activity; in the worst-case scenario, law enforcement could come knocking on your door.

How to spot a potentially dangerous gadget

You should be on alert if a device:

  • Is sold under a no-name brand like T95, X96Q, MX10, TV BOX, SuperBox, or some such
  • Promises free lifetime access to paid premium services for a one-time fee
  • Requires you to disable Google Play Protect, or install third-party APK files during the initial setup
  • Lacks Play Protect certification entirely
  • Is promoted through aggressive spam campaigns on social media

How to avoid hosting a botnet node

  • Buy certified TV boxes that feature Google Play Protect, or purchase devices directly from reputable telecom operators and internet service providers.
  • Isolate all smart home devices. Set up a separate Wi-Fi network on your home router for TV boxes, cameras, smart speakers, robot vacuums, and similar gear, while keeping smartphones, NAS units, and computers on the main network. This prevents malware from spreading to your critical gadgets.
  • Regularly update the firmware on all your devices, and don’t forget about your router — it’s another vulnerable link in the chain.
  • Remove any applications from your Android TV box that you didn’t install yourself, especially alternative app stores, Wi-Fi “boosters”, and “system cleaners”.
  • Monitor your traffic. Modern routers and Kaspersky Premium can display which devices are connecting to where. Frequent connections from a media player to servers in China are a major security red flag.
  • Install Kaspersky Premiumon all your devices — it protects against Trojans, and blocks the phishing pages often used to distribute infected APK files.
  • Don’t disable Google Play Protect, and avoid installing APKs from shady sources — this is the primary infection vector that bypasses the official app store.
  • If in doubt, return the TV box. A cheap streaming device isn’t worth risking your biometrics, banking data, or the reputation of your IP address.

Want to know how else to protect your smart home devices? Read more in our related posts:

❌