WORLD CUP 2026 · STREAMING MALWAREJune 11, 20268 min read

Watching the World Cup on a free stream? The app you install to watch can quietly empty your bank account.

The tournament kicked off on 11 June, and millions are searching two words: "watch free." Security researchers at Kaspersky say that search is now one of the fastest routes to a drained bank account — because some of the apps promising a free World Cup stream are Android banking trojans wearing a football shirt. Here is exactly what they do, and how to watch without handing your phone to a thief.

Massiv + Perseus
Banking-trojan families in fake stream apps (Kaspersky)
Cerberus
The leaked trojan Perseus is built on
Not on Play
Every malicious stream app is sideloaded past warnings
The OTP
Codes intercepted from texts + authenticator apps
The short answer

The free World Cup stream that asks you to "install our app" is the scam. Kaspersky tied fake World Cup streaming apps to Android banking trojans — the Massiv and Perseus families — that are not on Google Play, so installing one means clicking past Android's own security warnings. Once on the phone, they abuse accessibility permissions to overlay fake bank-login screens, record what you type, intercept the one-time passcodes from your texts and authenticator app, and even read notes apps for cryptocurrency recovery phrases. Watch only through the licensed broadcaster in your country; never sideload a streaming app; and if you already installed one, assume your banking and crypto are compromised and act immediately.

If you have already installed a "free stream" app and want the emergency steps, skip to if you already installed one. On a banking trojan, minutes matter.

The honest appeal of a free stream is real. The match is on, the official broadcast costs money or isn't available where you are, and a search for "watch World Cup 2026 free" returns a thousand confident-looking results. That gap — between what you want to watch and what you can legally reach in one click — is exactly the gap criminals built for. They are not selling football. They are selling a reason to install their software.

What Kaspersky actually found

According to Kaspersky, fake World Cup streaming apps are being used to deliver Android banking trojans from two families, Massiv and Perseus. The crucial detail is where they live: not on Google Play. To get one onto your phone you have to sideload it — download the file from a web page and tell Android to install it despite the warning. That warning is the security working; the scam's entire job is to talk you past it.

Once installed, Kaspersky says the malware abuses Android's accessibility tools — the powerful settings designed to help people who use screen readers — to effectively take over the device. From there it can:

Overlay fake bank-login screens. It waits for you to open a real banking app, then lays a pixel-matched fake login on top to capture your username and password as you type them.
Log every keystroke. Anything you type — passwords, card numbers, messages — can be recorded.
Intercept your one-time codes. It reads the one-time passcodes arriving by text and from authenticator apps, which is how it walks straight through two-factor authentication.
Control the screen remotely. Operators can drive the phone from afar, approving transfers in the background.
Hunt for crypto recovery phrases. Perseus — built on the leaked source code of an older trojan called Cerberus — goes further and reads note-taking apps for saved passwords and cryptocurrency recovery phrases.
Read that capability list again with one question in mind: what does a video player need any of it for? Nothing. Overlaying other apps, reading your texts, controlling the screen, scanning your notes — none of it has anything to do with showing you a football match. The permissions are the product. The stream, if it ever appears at all, is set dressing.
SCAM · EXAMPLE — DO NOT INSTALL
fifa-stream-hd​[.]live
WATCH FIFA WORLD CUP 2026
FREE · LIVE · 4K HD
⬇ Install HD Stream App (.apk) to watch
"Allow installs from this browser" · "Turn on Accessibility for the player"
A recreated example of a fake "free stream" page (links defanged, labelled). The tells: it isn't the broadcaster, it pushes an .apk download instead of the official store, and it asks you to enable sideloading and accessibility access — the exact permission the Massiv/Perseus trojans abuse.

Why "not on Google Play" is the whole tell

The single most useful fact in this entire piece is that the malicious apps are not in the official stores. That is not a coincidence or an oversight — it is structural. Google Play and the App Store scan and gate what they host; a banking trojan can't survive there for long. So the scam's first and most important move is to get you off the store and into a sideloaded install, because that is the only place its software can run.

Which gives you a rule that needs no technical knowledge at all: if watching requires you to download an app from anywhere other than the official store, or to switch on "install unknown apps," the answer is no. A legitimate broadcaster never asks for either. The moment a "free HD stream" page sends you to an APK file, you already have all the information you need.

How to watch safely — including for free

Free and safe are not opposites here. Many countries' rights-holders broadcast World Cup matches at no cost — over the air or through their own verified apps. The trick is reaching them the right way:

1Watch only through the licensed broadcaster in your country. Every match has an official rights-holder, and many show games free — over the air or through their own verified app and website. That is the only safe 'free stream.' Find your country's broadcaster and go to it directly; if you are unsure who holds the rights, that is a question to answer before you start searching, not after.
2Never sideload a streaming 'app' or APK. A real streaming service lives in the official App Store or Google Play, or plays straight in your browser. Any page telling you to download an 'HD stream' file, enable 'install from unknown sources,' or 'allow installs from this browser' is delivering malware, not football. The download is the scam.
3Never grant a video player accessibility access. Accessibility permission lets an app see and control your whole screen — it is what the Massiv and Perseus trojans abuse to overlay fake bank logins and read your codes. No legitimate streaming app needs it. If a 'player' demands accessibility, screen-overlay, or device-admin rights, stop and delete it.
4Keep 'install unknown apps' switched off. On Android, the setting that allows sideloading is off by default for a reason. Leave it off. If a stream page walks you through turning it on, it is walking you through disabling the exact protection standing between you and the trojan.
5If you already installed one, cut it off and move your money. Airplane-mode the phone, uninstall the app (safe mode, or factory-reset if it resists). From a separate trusted device, change banking, email and crypto passwords, revoke sessions, and call your bank. For self-custody crypto, move funds to a new wallet with a new recovery phrase — assume the old one is gone.
6Report it, and ignore the 'recovery' offer that follows. Report to the FBI's IC3 (ic3.gov) in the US, Report Fraud in the UK, or your national authority elsewhere. Then block anyone who contacts you promising to retrieve the money for an upfront fee — that is the second scam, and it hunts people who were just hit.

If you already installed one — the emergency steps

If you sideloaded a "free stream" app and granted it permissions, treat it as an active compromise of your bank and crypto, and move in this order:

1Put the phone in airplane mode now, to cut the malware off from its operators while you work.
2Uninstall the app. If it resists removal, boot into safe mode to delete it, or factory-reset the device — a reset is drastic but decisive if you can't be sure it's gone.
3From a different, trusted device, change the passwords for your banking, email and crypto-exchange accounts, and revoke all active sessions. Don't do this on the infected phone.
4Call your bank, report the device as compromised, and ask them to watch for and block unauthorised transfers. Turn off any phone-approval that the trojan could now answer for you.
5If you hold self-custody crypto, assume your recovery phrase is stolen: move the funds to a brand-new wallet with a new phrase immediately. A seed phrase the malware has already read cannot be made safe.
6Report it — to the FBI's IC3 at ic3.gov in the US, to Report Fraud in the UK, or via our international reporting directory.
Then expect the second scam. People who have just lost money to a trojan are a fresh, valuable target for a recovery scam — someone who contacts you claiming they can trace and return your stolen funds for an upfront fee. No legitimate body charges you upfront to recover money. The recovery offer is not the rescue; it is the same predators coming back for what's left.
From the field. What makes this one land is that it doesn't feel like a scam while it's happening — it feels like a small, ordinary compromise. You wanted to watch a match. You clicked "install anyway" the way you've clicked past a hundred warnings before. Nothing dramatic happened; maybe the stream even buffered for a second. The theft comes later, quietly, through screens you never see. That's the whole design: make the dangerous step feel boring, so you take it without a second thought. The defence is to make one step non-negotiable instead — official broadcaster, official store, no exceptions.

The one rule

If you take one habit from this piece, take this: no football match is worth sideloading an app for. Watch through your country's licensed broadcaster, install only from the official store, and never grant a "player" accessibility access. The free stream that needs you to install its app was never about the stream.

Installed something to watch, and now worried? Tell us before you panic.

Describe what you installed and what you've done since. A real expert reviews every case and replies within 24 hours — free, confidential, nothing to sell.

Submit a free case review →World Cup ticket scams →

Common questions about World Cup streaming scams

Are free World Cup streaming apps safe to install?

No — treat any app that promises a free World Cup live stream and asks you to install it from outside the official app stores as hostile. Kaspersky tied fake World Cup streaming apps to Android banking trojans built to steal money. Because these apps are not on Google Play, installing one means deliberately clicking past Android's own security warnings. Licensed broadcasters stream through their own verified apps and websites; they never need you to sideload an 'HD stream' file.

What are the Massiv and Perseus malware families?

They are two families of Android banking trojan that Kaspersky linked to fake World Cup streaming apps. Once installed, the malware abuses Android's accessibility tools to take control of the phone: it lays fake bank-login screens over the real banking apps, records what you type, intercepts one-time passcodes arriving by text and in authenticator apps, and can control the screen remotely. Perseus is built on the leaked source code of an older trojan called Cerberus and goes further still — reading note-taking apps for saved passwords and cryptocurrency recovery phrases.

How does a streaming app end up stealing my bank details?

The 'stream' is the bait; the permissions are the robbery. When you sideload the app it asks for accessibility access — the powerful setting meant for screen readers — framed as something the player 'needs.' Granting it lets the trojan see and control everything on screen. The next time you open your banking app, it silently overlays a pixel-matched fake login to capture your credentials, then intercepts the one-time code the bank texts you, so two-factor authentication doesn't save you. You may never see a match at all.

I installed a free World Cup stream app — what should I do now?

Assume your banking and crypto are compromised and act immediately. Put the phone in airplane mode, then uninstall the app (you may need to boot into safe mode or, if it resists removal, factory-reset the device). From a different, trusted device, change your banking and email passwords and your crypto-exchange logins, revoke active sessions, and contact your bank to flag the account. If you hold crypto in a self-custody wallet, move the funds to a new wallet with a brand-new recovery phrase — assume the old phrase is stolen. Then report it and ignore anyone offering to 'recover' your money for a fee.

How can I watch the World Cup safely — including for free?

Use the licensed rights-holder in your country — many broadcast matches free over the air or through their own verified app and website (for example public broadcasters in several markets carry games at no cost). Get those apps only from the official App Store or Google Play, and reach the websites by typing the broadcaster's address yourself. The rule is simple: legitimate streaming never requires you to sideload an APK, disable security settings, or grant accessibility permissions to a video player.

Sources & further reading

Claims in this piece are attributed to these sources. Click any of them to verify.

Kaspersky — Fake streaming apps spreading Android malwareFBI — Press Releases (World Cup fraud warning)FBI IC3 — Report Internet CrimeThe Hacker News — World Cup 2026 scams are live

Keep reading

WORLD CUP · TICKETS
World Cup 2026 ticket scams: the FBI warning, the pixel-perfect fake FIFA site, and how to buy safely
THE HONEST ODDS
Can you get your money back after a scam? The real recovery rates by payment method
THE SECOND SCAM
Recovery scams: why the people who lost money once get targeted again within days