A new Android malware, dubbed Albiriox, is now actively marketed under a malware-as-a-service (MaaS) model, offering a comprehensive suite of tools designed to facilitate on-device fraud (ODF), sophisticated screen manipulation, and real-time remote interaction with compromised devices. This sophisticated threat embeds a static list of over 400 target applications, encompassing a wide array of high-value targets such as banking platforms, financial technology services, cryptocurrency exchanges, and digital wallets. The malware is distributed through dropper applications, which are pushed via social engineering campaigns and employ advanced packing techniques to successfully evade static detection mechanisms and deliver the malicious payload onto the user’s device. Cleafy researchers identified that Albiriox was first advertised in a limited recruitment phase in late September 2025 before transitioning into a full MaaS offering just one month later. Evidence suggests that the individuals behind this operation are Russian-speaking, based on their activity patterns on cybercrime forums and their infrastructural choices.
Prospective customers of the Albiriox MaaS are provided with a dedicated custom builder designed to prepare the dropper application. The developers claim this builder integrates seamlessly with an external crypting service known as Golden Crypt, which is intended to help the resulting malicious application bypass various antivirus and mobile security solutions. The overarching objective of the Albiriox attacks is to seize complete control of the mobile device, allowing threat actors to execute fraudulent transactions and activities stealthily. An early, notable campaign specifically targeted victims in Austria, utilizing German-language lures delivered through SMS messages. These messages contained shortened links directing recipients to fake Google Play Store listings for seemingly legitimate apps, such as “PENNY Angebote & Coupons,” successfully tricking users into initiating the compromise.
Unsuspecting users who click the “Install” button on the fake app listing are compromised with a dropper APK. Once this dropper application is installed and executed, it employs a deceptive tactic: it prompts the user to grant it extensive permissions, disguising the request as a routine software update. This granted access is crucial, as it leads directly to the deployment of the main Albiriox malware payload. For its command-and-control (C2) communication, the malware utilizes an unencrypted TCP socket connection, which enables the threat actors to issue a variety of remote commands. These capabilities include taking full remote control of the device using Virtual Network Computing (VNC), extracting sensitive data, displaying black or blank screens to conceal activity, and even adjusting the device’s volume to high or low settings to maintain operational stealth.
Crucially, Albiriox installs a VNC-based remote access module, which provides the threat actors with the ability to remotely interact with the compromised phone’s interface. One specific version of this VNC mechanism cleverly exploits Android’s accessibility services to stream all user interface elements and accessibility information present on the device’s screen. This method is intentionally designed to circumvent the strict limitations imposed by Android’s FLAG\_SECURE protection, which is commonly used by banking and cryptocurrency applications to prevent screen recording, screenshots, and display capture. By leveraging accessibility services instead of direct screen-capture techniques, the malware can achieve a complete, “node-level view” of the interface without triggering any of the standard security protections associated with display capture.In line with other contemporary Android banking trojans, Albiriox is fully equipped to perform overlay attacks against its extensive hard-coded list of target applications, primarily for the purpose of credential theft.
Furthermore, it possesses the ability to serve custom overlays that mimic common system updates or simply display a black screen. This capability ensures that malicious activities can be quietly executed in the background without raising suspicion from the user. Cleafy also documented an alternative distribution technique where users are redirected to a fake website designed to look like the PENNY site. On this page, victims are instructed to input their phone number to receive a direct download link via WhatsApp; this fake site currently only accepts Austrian phone numbers, and the submitted information is immediately exfiltrated to a Telegram bot controlled by the threat actors.
Reference:
