THREAT REPORT - ANDROID BANKING TROJAN

The "free World Cup 2026 stream" app that empties your bank and your crypto wallet

Researchers found fake free streaming apps, many pretending to be RojaDirecta, carrying the Massiv and Perseus Android banking trojans. They abuse Accessibility, draw fake bank login screens over your real apps, grab your one-time codes, and read your notes for crypto recovery phrases.

SafeBrowz Threat Research | Security Research | June 14, 2026 | 9 min read

The 60-Second Read

Verdict: a "free World Cup 2026 stream" app you install from outside the Play Store is malware, not a player. The Hacker News reported on June 5, 2026 that fake streaming apps, many pretending to be the popular RojaDirecta, are carrying the Massiv and Perseus Android banking trojans. Once installed, the app uses Android Accessibility to take over your phone, lays fake bank login screens over your real banking apps, and intercepts the one-time codes from your text messages and authenticator app. Perseus specifically reads your note-taking apps (Google Keep, Samsung Notes, Evernote, OneNote) for saved passwords and crypto recovery phrases. None of these apps are on Google Play, so installing one means tapping past Android's warnings. The fix is simple: never sideload a "watch the World Cup free" APK, and watch only through official broadcasters. The single biggest red flag is a streaming app asking for Accessibility access: it has no honest reason to need it.

Why this is spreading right now

The 2026 FIFA World Cup is live. It runs from June 11 to July 19, 2026, across the United States, Canada, and Mexico, the biggest edition ever. That is exactly the window scammers planned for.

On June 5, 2026, The Hacker News reported that World Cup 2026 scams were already live, drawing on research from mobile security firms ThreatFabric and Pradeo. Among the threats: a spike in malicious unofficial streaming apps, many of them impersonating RojaDirecta, a well-known sports-streaming brand. These apps do not show football. They carry Android banking trojans.

Two malware families are named. Massiv turned up first, in fake apps aimed at users in France, Spain, Portugal, and Turkey. Then came Perseus, a more advanced trojan built on the leaked source code of the older Cerberus malware. Perseus does everything a banking trojan does, and then goes further, which is the part that matters if you hold any crypto.

The lure is everything you would expect. "Watch the World Cup free." "Live HD, no subscription." Sponsored posts, fake fan accounts, and ad-laden streaming sites push a download link. The Hacker News noted more than 1,700 fake FIFA-related accounts were identified, the vast majority on Facebook and Instagram, all funnelling fans toward fake streams, fake bets, and fake "World Cup jobs." The streaming-app version is the one that ends with a drained account.

What the fake "free stream" app actually does

You tap a link on a "free World Cup stream" site or in an ad. Instead of a video, you get an APK file, an Android app installer that did not come from the Play Store. To install it you have to allow "install unknown apps" and tap past Android's warning that this app could harm your device. That warning is correct.

The first thing the app asks for is Accessibility access. Accessibility is a powerful Android feature built for users who need screen readers and assistive control. Malware abuses it because, once granted, it can read everything on your screen, tap buttons on your behalf, and grant itself more permissions without you touching the phone again. The app dresses this up as "needed to play the stream." It is not. As the researchers put it, a streaming app asking for Accessibility "has no honest reason to need it."

From there, the trojan does four things, in roughly this order:

  • Overlay fake bank logins. When you next open your real banking app, the trojan draws a pixel-perfect fake login screen on top of it. You type your username and password into the fake screen. The trojan keeps them.
  • Intercept your one-time codes. It reads incoming SMS and pulls the OTP codes from your text messages and authenticator notifications, the exact second factor meant to stop account takeover. With your password and your code, the attacker logs in as you.
  • Take remote control. Through Accessibility, it can navigate apps, approve prompts, and move money while the phone looks idle in your pocket.
  • Read your notes (Perseus). Perseus specifically scrapes note-taking apps (Google Keep, Samsung Notes, Evernote, OneNote) for saved passwords and, critically, crypto recovery and seed phrases. Anyone who has ever pasted their 12 or 24 words into a note "just for safekeeping" has handed Perseus the keys to every wallet that phrase controls.

That last point is the crypto-drainer crossover. A banking trojan that reads your notes is also a wallet drainer. If your seed phrase is in a notes app, it is gone the moment Perseus runs, and there is no chargeback, no support desk, and no reversal on-chain. We cover the aftermath in depth in what to do when your crypto seed phrase is stolen.

How to spot the fake stream before you install anything


The download domains for this scam are short-lived and rotate constantly, so we are not naming a single live one. But the shape is always the same. The lure pages use names like worldcup-livestream-free[.]com, fifa2026-stream[.]app, or rojadirecta-worldcup[.]net, hosting a "download to watch in HD" button that serves an APK rather than a video. The official surfaces are different and few: fifa.com for the tournament, play.google.com for any genuine Android app, and your country's actual rights-holding broadcaster.
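The lure shape described above can be checked mechanically. The following is an added example, not SafeBrowz's engine and not code from the cited research: it refangs a reported indicator, rejects hosts that merely contain an official name, and flags event or brand keywords and direct APK paths. The keyword list, the two-entry allowlist (taken from the official surfaces named above), and the function names are assumptions.

```python
from urllib.parse import urlparse

# Official surfaces named in the article; extend with your local broadcaster.
OFFICIAL_DOMAINS = {"fifa.com", "play.google.com"}
# Event and brand keywords taken from the article's lure descriptions.
LURE_KEYWORDS = ("worldcup", "world-cup", "fifa", "rojadirecta")


def refang(url: str) -> str:
    """Undo common defanging so indicators copied from reports can be parsed."""
    url = url.replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "http://" + url


def is_official(host: str) -> bool:
    # Match the domain itself or a true subdomain, so that a host such as
    # 'fifa.com.stream-hd.example' does not pass as official.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess(url: str) -> dict:
    """Return the host, whether it is an official surface, and lure reasons."""
    parsed = urlparse(refang(url.strip()))
    host = (parsed.hostname or "").lower()
    official = is_official(host)
    reasons = []
    if not official:
        hits = [k for k in LURE_KEYWORDS if k in host]
        if hits:
            reasons.append("brand/event keyword on unofficial host: " + ", ".join(hits))
        if parsed.path.lower().endswith(".apk"):
            reasons.append("direct APK download outside an app store")
    return {"host": host, "official": official, "reasons": reasons}


if __name__ == "__main__":
    # Constructed inputs: one lure name from the article, one spoofed subdomain
    # on a reserved .example host, and one official URL.
    for sample in ("worldcup-livestream-free[.]com",
                   "hxxps://fifa.com.stream-hd.example/player.apk",
                   "https://www.fifa.com/en/tournaments"):
        print(sample, "->", assess(sample))
```

A keyword match alone is a signal for review, not a verdict; the allowlist has to include your country's rights-holding broadcaster to avoid false positives.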

Red flags that mean walk away

  • You have to download an app to watch. Real broadcasters stream in your browser or through their own app on the Play Store or App Store. A standalone "stream player APK" is the trap.
  • The file is an APK from outside the Play Store. If you had to enable "install unknown apps" or tap past a "this app could harm your device" warning, stop. That warning is the truth.
  • The app demands Accessibility access. This is the single clearest tell. A video player never needs to read your screen or tap on your behalf. Accessibility is for assistive tools, not streams.
  • It also wants SMS, "display over other apps," or device-admin rights. SMS access lets it steal your OTP codes. Overlay permission lets it draw fake bank screens. No streaming app needs either.
  • It came from a sponsored post, a fan account, or a comment reply. More than 1,700 fake FIFA accounts were pushing these. A "free stream" promoted in a DM or ad is not a broadcaster.
  • The site promises something nobody else offers. "Free HD, every match, no subscription" exists to get the install. The real rights cost broadcasters money; nobody gives the full tournament away through a random app.
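For analysts triaging a suspect APK, the permission red flags above map to identifiers in the app's manifest. This added example (not from the cited research) scans a manifest already decoded to text XML, for example with apktool, for the four capabilities the list names. The sample manifest, its package name and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Red-flag capabilities named in the article, mapped to Android identifiers.
USES_PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "SMS access (can read OTP texts)",
    "android.permission.READ_SMS": "SMS access (can read OTP texts)",
    "android.permission.SYSTEM_ALERT_WINDOW": "display over other apps (overlay)",
}
BOUND_COMPONENT_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin receiver",
}


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return the article's red flags found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        flag = USES_PERMISSION_FLAGS.get(node.get(ANDROID_NS + "name", ""))
        if flag:
            found.add(flag)
    # Accessibility and device admin are not requested via <uses-permission>;
    # they appear as components guarded by a BIND_* permission.
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            flag = BOUND_COMPONENT_FLAGS.get(node.get(ANDROID_NS + "permission", ""))
            if flag:
                found.add(flag)
    return sorted(found)


# Constructed sample: a "stream player" manifest, not taken from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".PlayerHelper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in triage_manifest(SAMPLE_MANIFEST):
        print("RED FLAG:", flag)
```

Legitimate assistive tools also declare an Accessibility service, so the finding matters in context: here the app claims to be a video player.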

What to do if you already installed one

Move quickly and assume the worst, because Accessibility-grade malware can act faster than you can.

Cut its access first. Put the phone in airplane mode to stop it talking out, then go to Settings and revoke the app's Accessibility permission, then uninstall the app. If it resists uninstalling (some block the button via Accessibility), boot into Safe Mode first, which disables third-party apps, then remove it.

Assume your banking and OTP are compromised. From a different, clean device, change your online-banking password and call your bank's fraud line to flag the account and watch for unauthorized transfers. Re-enroll your authenticator app from scratch on the clean device. A factory reset of the infected phone is the safest way to be sure the trojan is gone.

If you hold crypto, treat every seed phrase that ever touched that phone as burned. If your recovery phrase was in a notes app, or you ever typed it on that device, Perseus may already have it. Move your funds to a brand-new wallet with a brand-new seed phrase generated on a device that was never infected. Our seed-phrase-stolen recovery guide has the full 24-hour checklist. Ignore anyone who offers paid "fund recovery": that is a second scam.

Report it. In the US, file with FBI IC3 and report the fraud to the FTC. Report the app and the fake accounts to the platform that hosted them so the takedown pipeline catches up.

How to actually watch the World Cup safely

The honest answer is less exciting than "free HD everything," but it keeps your bank and your wallet intact. Watch through the official rights-holder in your country, reached from your own bookmark or app store, never from an ad or a search-result link. Check the match schedule and the list of official broadcast partners at fifa.com. If you want it on your phone, install the broadcaster's real app from play.google.com or the App Store, where Google and Apple screen for this exact class of malware. No legitimate way to watch the World Cup involves sideloading an APK and granting it Accessibility. None.

For the wider picture of ticket fraud, fake giveaways, and phishing around the tournament, see our complete World Cup 2026 scams guide and the breakdown of free-stream scam sites.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The malware itself is an Android APK, but it has to get onto your phone first, and it almost always travels through a web page: the "free stream" landing site with the download button. That page is where SafeBrowz steps in, before you ever reach the APK.

  • Layer 1 - Local detection: 60+ URL patterns and a 550+ brand database run in the browser before the page renders. A "free World Cup stream" lure trips several signals at once: an event or streaming-brand keyword (World Cup, FIFA, RojaDirecta) on a domain that is not an official one, the fake-download and APK-serving pattern, and lookalike or newly-registered hosts.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists server-side. Malware-distribution domains surface on these feeds, and a brand-new host with no history is itself a weighted signal.
  • Layer 3 - AI deep scan (Premium): AI content analysis (via our proxy, 100+ languages) reads the page the way a person would and catches novel variants no blocklist has yet: the "watch free in HD" promise next to a download-an-app prompt, the streaming-brand impersonation, and the mismatch between an unofficial domain and an official-looking offer. It then returns a danger verdict in seconds.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Catch the fake stream before you sideload it

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge, with Safari pending. It flags fake "free World Cup stream" pages, streaming-brand lookalikes, and fake-download traps before you reach the APK. The local layer covers 550+ brands. AI deep scan (Premium, $14.99/year) catches new lure domains the same day they appear, even when no blocklist has them yet.


Frequently asked questions

Can a free World Cup streaming app really give my phone a virus?

Yes, if you install it from outside the Play Store. The Hacker News reported on June 5, 2026 that fake free streaming apps impersonating services like RojaDirecta carry the Massiv and Perseus Android banking trojans. Once installed, the app abuses Android Accessibility to take over the phone, overlays fake bank login screens, intercepts your one-time SMS and authenticator codes, and Perseus reads note-taking apps for saved passwords and crypto recovery phrases. None of these apps are on Google Play, so installing one means tapping past Android's warning that the app could harm your device.

Why does a streaming app ask for Accessibility permission?

Because it is malware. A real video player has no honest reason to need Accessibility, which is an Android feature built for screen readers and assistive control. Banking trojans abuse it because, once granted, they can read everything on your screen, tap buttons on your behalf, and grant themselves further permissions without you touching the phone. Researchers call the Accessibility request the single clearest red flag. If a "stream" app asks for it, deny it, uninstall the app, and watch through an official broadcaster instead.

How does the trojan steal my OTP and 2FA codes?

After it gains Accessibility access, the trojan reads incoming SMS and pulls the one-time codes from your text messages and authenticator notifications. It pairs those with the bank username and password it captured through a fake login screen overlaid on your real banking app. With both your password and your second-factor code, the attacker can log in and move money as if they were you. SMS-based OTP is especially exposed, which is one reason an app-based authenticator on a clean device is safer, but no second factor survives a trojan that already controls the phone.

Can this malware steal my crypto?

Yes. Perseus specifically reads note-taking apps (Google Keep, Samsung Notes, Evernote, OneNote) for saved passwords and crypto recovery or seed phrases. If your wallet's seed phrase is stored in any notes app on the infected phone, the attacker can recreate your wallet on their own device and drain it. There is no reversal on-chain. Never store a seed phrase in a notes app, a photo, or any cloud-synced text. If you suspect infection, move your funds to a new wallet with a new seed phrase generated on a clean device immediately.

How do I watch the World Cup 2026 safely?

Watch through the official rights-holding broadcaster in your country, reached from your own bookmark or from an official app store, never from an ad, a DM, or a search-result link. Check the schedule and official broadcast partners at fifa.com. If you want it on a phone, install the broadcaster's real app from Google Play or the App Store, where the app is screened for malware. No legitimate way to watch involves sideloading an APK or granting Accessibility access. If an offer requires either, it is the scam.

What should I do if I already installed a fake World Cup stream app?

Put the phone in airplane mode, then revoke the app's Accessibility permission in Settings and uninstall it, using Safe Mode if it blocks removal. From a separate clean device, change your banking password and call your bank's fraud line. Re-enroll your authenticator on the clean device. A factory reset is the safest way to be sure the trojan is gone. If you hold crypto, treat any seed phrase that touched the phone as compromised and move funds to a new wallet now. Report the app to FBI IC3 and the FTC, and report the fake accounts to the platforms that hosted them.

Last updated 2026-06-14
