Own Goal? Piracy as an Attack Vector to Target Football Fans
2026-6-4 08:51:35 Author: www.threatfabric.com

Major football events consistently drive audiences toward streaming platforms. In Spain, with millions of football enthusiasts and where premium competitions such as the UEFA Champions League are tied to paid services like Movistar Plus, a portion of viewers continues to look for free alternatives.

In the period before the recent UEFA Champions League final between PSG and Arsenal, our MTI research team observed a clear increase in unofficial IPTV apps containing malware, notably apps masquerading as RojaDirecta apps for Android. The timing correlated with an increase in legal actions to take down websites promoting these apps.

With the World Cup approaching, similar patterns are expected to repeat at a larger scale, because the underlying issue is not limited to Spain. We are closely tracking similar campaigns targeting other countries in Europe, such as Italy.
 

Opening the door for attackers

At the center of this trend is a simple but important shift in user behaviour: users intentionally bypass official app stores, removing built-in protections, in order to access apps that offer pirated content – especially sports-related content.

This decision is what enables the rest of the attack chain.

In this case, attackers are not exploiting vulnerabilities. They exploit users, their desire for free content and their trust in alternative app stores and streaming apps. The following circumstances and trends stack up to further increase the fraud risk:

  • Major live sporting events have shifted from free national broadcast networks to exclusive paid subscription and streaming services as media rights have skyrocketed.
  • More third-party app stores have become available due to regulatory changes.
  • Mobile is the fastest growing banking channel, with the Android operating system having the biggest market share in Spain (68% in April 2026).
  • The number of observed mobile banking malware families for Android is increasing year-over-year.
  • Malware has gained more sophisticated capabilities, including full Device Takeover (DTO), credential theft (using overlays and keylogging), MFA bypass (intercepting SMS, push notifications and authenticator apps), and remote device control.

Increase in banking malware families and malicious apps masquerading as IPTV apps over time.

Command-and-Control (C2) panel of the Hook banking malware

RojaDirecta and the demand for free football

In Spain, RojaDirecta remains one of the most recognised names in free sports streaming. The platform itself does not host video content. It aggregates and organizes links to streams hosted elsewhere, presenting them in a convenient schedule format that is easy to navigate.

Because it facilitates access to copyrighted broadcasts without compensating rights holders, it has faced years of legal pressure. Many domains have been blocked in Spain, but demand has not disappeared. Instead, the ecosystem has expanded into mirror sites, clones, and mobile apps using similar branding. And that is where the risk becomes more concrete.

Example of an ad linking to a malicious app masquerading as a RojaDirecta app

Example of a website encouraging installation of a malicious app masquerading as a RojaDirecta app

The critical step: Leaving official app stores

Unofficial RojaDirecta-style apps are not distributed through Google Play or other trusted marketplaces. Users typically encounter them on websites or ads and are asked to download and install them manually.

That step is crucial. By doing so, users:

  • Bypass protections designed to screen apps for malicious behaviour.
  • Accept installation warnings that would otherwise act as barriers.
  • Grant the app permissions that technically open the door for attackers.

At this point, attackers do not need to exploit software vulnerabilities. The protections have already been removed by the user's decision to install the app.

How criminals take advantage

Threat actors use this environment to distribute malware through apps that appear functional or familiar. The approach aligns closely with how users already behave when searching for free streams, especially during high-demand events like the Champions League final or the World Cup.

Common distribution methods include:

  • Search results and ads leading to fake download pages
  • Websites imitating RojaDirecta or similar platforms
  • Social media promotions targeting football audiences

These pages are designed to look legitimate enough to complete a single action: installing the app. And because IPTV and similar apps are already associated with unofficial distribution, this step often does not raise concerns.

From streaming app to malware infection

Once installed, the app may offer limited or full app functionality for the user, while silently delivering a malicious payload. In recent campaigns observed in Spain (and also Italy), this has included banking malware from several powerful malware families like Massiv and Perseus.

Tools such as Zombinder are used to embed malicious code into otherwise usable applications. The result is an app that appears to work as expected while compromising the device in the background.

A typical sequence looks like this:

  • A user searches for a free stream of a football match.
  • A site referencing RojaDirecta appears in the results (this can be an ad).
  • The user downloads and installs an app from that site.
  • The app requests permissions that seem unrelated to streaming.
  • Malware is deployed, often aimed at stealing money or collecting personal data.

One of the clearest warning signs is a request for Accessibility Services after opening the app. This level of access is not required for streaming and is frequently abused by banking malware to monitor input or interact with other apps.
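The warning sign above can be checked before an APK ever reaches a device. The following is an added example, not code from the original article or from ThreatFabric; it assumes the manifest has already been decoded to plain-text XML (for instance with apktool), and the package and class names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions a video player has no need for, mapped to the capability named in the article.
UNRELATED = {
    "android.permission.RECEIVE_SMS": "SMS interception (MFA bypass)",
    "android.permission.READ_SMS": "SMS interception (MFA bypass)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (credential theft)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further APKs (dropper)",
}

def triage_manifest(manifest_xml):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # An accessibility service is declared by its bind permission and/or intent action.
    for service in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in service.iter("action")}
        if service.get(ANDROID + "permission") == A11Y_PERMISSION or A11Y_ACTION in actions:
            findings.append("accessibility service: " + service.get(ANDROID + "name", "?"))
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in UNRELATED:
            findings.append(name.rsplit(".", 1)[-1] + ": " + UNRELATED[name])
    return findings

# Constructed sample manifest (hypothetical package and class names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freestream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".PlayerActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("[!]", finding)
```

The check only covers the manifest of the APK that was scanned; a payload that the app installs afterwards carries its own manifest and has to be triaged separately.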

Why major events amplify the issue

Major football events create the same conditions each time:

  • High user demand for free content: Users actively search for immediate access to content.
  • Low awareness of mobile threats: Time pressure further reduces careful decision-making.
  • Fragmented ecosystem: Malicious apps can be distributed outside the official app stores, and promoted through various search engines and social media.
  • Large audiences: Bigger countries like Spain increase the reach and ROI of malware campaigns. Streams and streaming services are typically country-specific, so IPTV apps from smaller countries are likely less interesting targets for attackers.

In Spain, where access is tied to paid services, these factors contribute to a steady flow of users toward unofficial options. Attackers build their attacks on this predictability. Beyond individual users and fraud victims, this type of distribution model also has a broader impact across multiple sectors:

  • Banks are affected through increased fraud losses and additional operational costs related to fraud response and customer reimbursements.
  • Telecom providers see misuse of their infrastructure, particularly through SMS-based abuse and other network services, while also facing reputational issues when their brands are impersonated in campaigns.
  • Streaming platforms are indirectly impacted as well, since unofficial apps frequently use their branding, which can weaken user trust and create confusion about what constitutes a legitimate service.

This also means that from a fraud prevention perspective, stronger collaboration between the silos of banks, telecom providers, streaming platforms, fraud experts, threat intelligence providers and social media companies would be beneficial.


Various mobile trojans impersonating big telecom and streaming brands

So what can you do?

The underlying issue is not only the existence of pirated content. It is the decision to access that content through unofficial apps, which removes the protections designed to keep devices and users safe.

Criminals rely on that step and structure their distribution around it.

For readers, a few points remain important:

  • Avoid installing apps from ads, websites or direct download links.
  • Treat any unofficial app using known brands like RojaDirecta as unverified.
  • Be super cautious with permission requests, especially Accessibility Services.
  • Expect more malware campaigns around major sports tournaments like the World Cup.
  • As a bank, benefit from mobile threat intelligence to detect malicious APKs proactively.

The pattern is consistent. The combination of high-demand events, well-known brands, and user willingness to bypass safeguards in their desire for free content continues to make piracy-related apps a practical channel for malware distribution.

Own Goal?

A final nuance worth highlighting is how these incidents are sometimes perceived. Because the initial infection often stems from downloading pirated applications, there can be a perception that the resulting fraud was largely avoidable by the user. In other words: an “own goal” for football enthusiasts who became fraud victims. However, this framing does not fully reflect the current threat landscape. Some even consider this perception to be pure victim blaming.

While users do make a conscious decision to bypass official distribution channels, the methods used to deliver malware are increasingly structured and designed to blend into expected user journeys, while abusing human trust and desire for free content. Moreover, one could argue that losing all your life savings to sophisticated criminals is disproportionate to the initial decision of installing an app with pirated content.

From a risk and response perspective, it is more accurate to view this piracy-driven attack vector as part of a broader fraud ecosystem, where user behaviour is one factor among many that can be abused by cunning criminals, rather than the defining cause.

Ultimately, criminals will always grab any low-risk opportunity to steal money or PII from victims, whether pirated content is in play or not.


Article source: https://www.threatfabric.com/blogs/own-goal-piracy-as-an-attack-vector-to-target-football-fans