A Portuguese bank customer opens a familiar app on their Android phone, taps through what looks like a routine software update, and goes about their day. Hours later, their account balance is gone. That scenario has played out repeatedly in Portugal in recent months, according to reports circulating in threat-intelligence channels about a malware campaign referred to as Massiv. No named security research firm or individual researcher has publicly claimed credit for the discovery, and no formal report has been published with technical indicators. The malware does not steal passwords the traditional way. Instead, it is said to silently record the victim’s screen during banking sessions, capturing every PIN entry, every confirmation tap, and every one-time code as it appears.
The campaign is notable because of what it reportedly targets: Chave Móvel Digital, or CMD, the Portuguese government’s mobile authentication system. CMD is not just a banking tool. It functions as a national digital identity key, letting citizens log into government portals, sign documents electronically, and authorize financial transactions from their phones. The official CMD portal describes it as a gateway to both public and private-sector services. Compromise a person’s CMD session, and you potentially unlock their tax records, social benefits, and bank accounts in one stroke.
How the attack reportedly works
The infection is said to begin with a fake app update. Victims see what appears to be a legitimate patch or new version of software already on their device. The prompts are designed to mimic the look and timing of genuine Android update notifications, and most people approve them without a second thought. Once installed, the malicious code reportedly stays quiet until it detects that the user has opened a banking app or another financial service that relies on CMD authentication.
At that point, the malware is said to begin recording the screen. It captures everything displayed during the login and transaction approval process, including the visual confirmation dialogs that CMD presents when a user authorizes a digital signature or completes a high-value action like a funds transfer. The result would be a frame-by-frame recording of the victim’s entire interaction with both the banking app and the government identity service.
Screen recording would be a deliberate choice over traditional keylogging. CMD’s authentication flow relies heavily on visual prompts, on-screen PIN pads, QR codes, and confirmation dialogs rather than typed text fields. A conventional keylogger would miss most of what matters. By recording the full screen, malware of this type can capture PINs, one-time codes, approval buttons, and the exact sequence of steps needed to replicate a legitimate session. This approach also scales across different banking apps without requiring the attackers to reverse-engineer each institution’s interface.
The technique is not unprecedented. Android banking trojans like Vultur, documented by ThreatFabric, have used screen-recording and remote-access capabilities to steal credentials from financial apps for years. What would distinguish the Massiv campaign, if the reports are accurate, is its focus on a national digital identity system rather than individual banking apps, which amplifies the potential damage from a single compromised session.
What has not been confirmed
Significant gaps remain in the public record. As of June 2026, no named security research firm or individual researcher has published a formal report on Massiv with malware samples, indicators of compromise, or detailed technical analysis. The campaign name and behavioral descriptions have circulated in threat-intelligence discussions, but without a credited source, the claims cannot be independently verified against a primary document.
No official statement from the operators of the CMD system has addressed the campaign. Portugal’s national cybersecurity center, CNCS, has not published a public advisory specifically naming Massiv. No Portuguese bank has disclosed related fraud incidents. Reports that victims discovered empty or significantly reduced account balances within hours of their banking sessions have not been traced to any named news outlet, official complaint channel, or public forum post. Without a verifiable source for those victim accounts, the claim about rapid financial losses remains unsubstantiated.
The precise mechanism by which the malware would evade Android’s built-in protections against unauthorized screen capture has not been documented in any open forum. Screen-recording trojans on Android are well established as a category, but the specific technical implementation attributed to Massiv has not been corroborated by a second research team or a government investigation.
The distribution channel is another open question. Fake app updates can arrive through compromised websites, phishing messages, third-party app stores, or malicious ad redirects. Which vector the Massiv campaign primarily uses has not been pinned down. That distinction matters because the defensive advice differs depending on whether users are being tricked through SMS links, browser pop-ups, or sideloaded APK files.
It is also unclear whether the malware specifically targets CMD confirmation dialogs or simply records everything on screen whenever a financial app is open. Without direct forensic evidence linking specific stolen CMD sessions to specific fraudulent transactions, the full picture remains incomplete.
The silence from official channels could mean several things: the campaign may be too new for institutions to have responded publicly, the scope may be smaller than initial reports suggest, or authorities may be investigating quietly to avoid undermining confidence in digital identity services. Readers should treat the current reporting as unverified until a named research organization or government body publishes corroborating findings.
How to protect yourself
Regardless of whether the Massiv campaign proves to be as widespread as early reports suggest, the defensive steps apply to any Android screen-recording trojan. For users in Portugal or anyone who relies on CMD for authentication, the most important step is also the simplest: do not install app updates from any source other than the Google Play Store or the official website of the app developer. Sideloaded APK files and update prompts that arrive through text messages, email links, or browser pop-ups are the primary delivery method for this type of malware.
Disabling the “Install unknown apps” permission for all apps on the device closes the most common entry point. On most Android phones, this setting is found under Settings > Apps > Special app access > Install unknown apps. Turning it off for every listed app forces all installations through vetted channels.
Google Play Protect, the built-in malware scanner on Android devices, should be enabled and kept up to date. While no public confirmation exists that Play Protect currently flags Massiv-related files, Google’s system is regularly updated to detect newly identified threats. Users can verify that Play Protect is active by opening the Google Play Store, tapping their profile icon, and selecting Play Protect.
Anyone who suspects they may have installed a suspicious update should check their recent app installations, uninstall any software they do not recognize, and run a reputable mobile security scanner such as those from Malwarebytes or Bitdefender. They should also review recent bank statements and CMD-backed transactions for unauthorized activity and contact their bank immediately if they spot transfers they did not initiate. In high-risk cases, requesting that CMD credentials be revoked and reissued through the official CMD portal can cut off attackers who may be holding recorded sessions for later use.
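As an added example (not from the original article and not a tool from Google, Malwarebytes or Bitdefender), the following POSIX shell script turns the "check your recent app installations" step above into a quick triage: it reads the output of `adb shell pm list packages -i` (a real Android command that prints each package with the store that installed it) and lists third-party packages that did not come from the Play Store. The package names in the embedded sample are constructed; when `adb` and a device are present, the script queries the phone instead.

```shell
#!/bin/sh
# Constructed sample in the format printed by `adb shell pm list packages -i`
# (one line per package, plus the package that installed it). Not real device data.
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller'

# Read `pm list packages -i` output on stdin and print every package whose
# installer is not in the space-separated list of trusted stores given as $1.
# installer=null means no installer was recorded, which is what a manually
# sideloaded APK or an "update" pushed from a browser or SMS link looks like.
flag_sideloaded() {
  trusted="${1:-com.android.vending}"
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg="${line#package:}"
    pkg="${pkg%% *}"
    inst="${line##*installer=}"
    case " $trusted " in
      *" $inst "*) ;;  # installed through a trusted store: nothing to report
      *) printf '%s installer=%s\n' "$pkg" "$inst" ;;
    esac
  done
}

# Number of flagged packages for a given listing and trusted-store list.
count_sideloaded() {
  printf '%s\n' "$1" | flag_sideloaded "$2" | grep -c . || :
}

# Triage: query a connected device when adb is available, otherwise use the sample.
triage() {
  {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
      adb shell pm list packages -i -3   # -3: third-party (non-system) packages only
    else
      printf '%s\n' "$SAMPLE_PM_OUTPUT"
    fi
  } | flag_sideloaded "com.android.vending"
}

triage
```

Every package the script prints deserves a look: uninstall anything you do not recognize, and remember that a fake update installed over a legitimate app keeps the legitimate app's name, so the installer field is a better signal than the label.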
Why screen-recording trojans threaten national identity systems everywhere
Whether or not every detail of the Massiv reports holds up under scrutiny, the underlying threat model is sound. Governments across Europe and elsewhere are rolling out mobile digital identity systems designed to centralize access to public services, financial accounts, and legal documents. The European Union’s eIDAS 2.0 framework is pushing member states toward exactly this kind of unified mobile identity. If a screen-recording trojan can effectively compromise a national identity gateway in Portugal, the same approach could be adapted for similar systems elsewhere.
That does not mean every mobile identity system is equally vulnerable. But it does mean that the security of these systems depends not just on the strength of their cryptographic design but on the integrity of the devices people use to access them. A perfectly designed authentication flow is only as secure as the phone running it. Until mobile operating systems can reliably prevent unauthorized screen recording by malicious apps, any identity system that relies on visual confirmation screens will carry this risk.
For now, the most effective defense remains the oldest advice in mobile security: be skeptical of any update prompt that does not come from an official app store, and treat unexpected installation requests the same way you would treat an unexpected request for your bank password.
This article was researched with the help of AI, with human editors creating the final content.