Earlier this month, we shared findings on an upcoming threat in Spain that used football piracy as a lure to distribute mobile malware. Since then, we have identified similar activity in several other countries, pointing to a wider and ongoing effort rather than a single regional case.

The timing is notable. The FIFA World Cup is still underway, drawing large global audiences and driving demand for free online streams based on pirated content. This creates the right conditions for attackers. While these campaigns are not limited to sports content, large tournaments act as a strong catalyst, increasing both reach and effectiveness of malicious campaigns. There is little reason to expect this to stop after the tournament as long as the Fraud Kill Chain (from initial ad upload to fraudulent transaction) is not disrupted.

Why Pirated Content, and Why IPTV Apps?

The appeal of pirated content is persistent, and IPTV apps play a central role in how it is accessed today.

• Broadcast rights are fragmented, spreading quality content across multiple platforms
• Subscription costs add up when users need access to several services
• Geo-restrictions limit availability depending on location
• Users often search last minute, just before matches begin

IPTV apps are presented as a simple and user-friendly. They promise access to live channels, sports, and premium content in one place, and – while the content is often pirated – this is actually very convenient for end users. This makes the IPTV apps attractive not only for sports, but for entertainment more broadly.

For attackers, this creates a reliable entry point. Instead of linking directly to a stream, they promote applications that appear to offer full IPTV functionality, but actually deliver malware.

Same Approach, Different Countries

We observed campaigns in Portugal, Italy, Turkey and India that follow the same basic flow as in Spain:

• Social media ads used for scale and targeting, and themed around popular content like football, premium movies or general IPTV access.
• Call-to-action (CTA) to a website mimicking a trusted source stimulating the installation of an app. The app requests permissions (usually for Accessibility Services) that are unrelated to streaming, putting the door wide open for the malware.
• Mobile malware is embedded in the downloaded application, often aimed at stealing money or collecting personal data.

The theme is often adapted to the region, but the structure remains consistent:

🇵🇹 Portugal – Antidot

• Ads lead to a website mimicking an official application store
• IPTV or streaming app presented as legitimate
• Payload: Antidot malware (discovered in 2025)

🇮🇹 Italy – Medusa

• Football-themed ads used as entry point
• Streaming-style application offered
• Website now offline, indicating short-lived infrastructure
• Payload: Medusa (discovered in 2022)

🇹🇷 Turkey – Suspected Malware Campaign

• Delivery pattern matches other regions
• Landing page unavailable during analysis
• Assessment: Highly likely malicious based on consistent indicators

🇮🇳 India – BTMOB

• Multiple ads observed, including football-related lures
• Redirection to a “Relaxation TV” website
• App positioned as a general streaming/IPTV solution
• Payload: BTMOB malware

Alignment with the Bigger Picture

In an earlier article we already showed that the number of malicious apps masquerading as IPTV apps is growing. Moreover, the newly discovered countries attacked by IPTV-driven malware campaigns also rank high in our general top list of Countries Most Targeted by Mobile Malware.

While the real-life impact of the malware campaigns depends on many factors for both attackers, victims and banks, this shows that criminals smell an opportunity in these countries.

So what can you do?

Like already mentioned in our original blog, the underlying issue is not only the existence of pirated content, a specific tournament or campaign per country. It is the decision to access that content through unofficial apps, which removes the protections designed to keep devices and users safe.

Criminals rely on that step and structure their distribution around it.

For banks, a few points remain important:

• Keep yourself updated on Mobile Malware trends.
• Get tactical intel on campaigns to understand when they're targeting your online channels, especially around major sports tournaments like the FIFA World Cup.
• Build a feedback loop between Mobile Threat Intelligence and Fraud Detection.
• Consider warning your customers about IPTV apps if you are actively targeted.
• Reach out to us if you require more insights on how to operationalize these processes.

The pattern is consistent. The combination of high-demand events, well-known brands, and user willingness to bypass safeguards in their desire for free content, continues to make piracy-related apps a practical channel for malware distribution.

Closing Remarks

What we initially saw in Spain is now visible across multiple regions. The campaigns are not identical, but they follow a shared approach of abusing people’s desire for free content and trust in open/unofficial marketplaces.

It is important to note that this is not only about sports content. The use of IPTV apps makes the model applicable to a wider audience. However, major sporting events such as the FIFA World Cup amplify its impact, providing the scale and urgency that attackers look for.

As the sports calendar continues, similar campaigns are likely to appear, adjusted to match the next event, trend or other premium (usually paid) content. The key takeaway is straightforward: this is a repeatable and expanding method, with IPTV apps at its core and major events acting as a trigger for wider spread.

Finally: criminals pay for ads that stay online on social media and search engines long enough to drive many users towards a landing page with a malicious app. It is known that some big tech companies generate billions in revenue through fraud- and scam-related ads, while at the same time (ironically) these ads lead to malicious apps that undermine a big tech company’s very own Android platform. While detecting mobile malware before the fraudulent transaction takes place is definitely possible, we also believe that there is a great opportunity in disrupting the fraud kill chain earlier: by increasing our collaborative efforts to prevent that criminal ads are displayed in the first place, or at least as short as possible. Because if victims don’t get lured into malicious landing pages through search engines and social media, it will become a lot more difficult for attackers to get their malware installed and create more fraud victims.