A new Android malware named Albiriox now appears under a malware-as-a-service (MaaS) model, and it offers a “full spectrum” of features that facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.
“The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload,” Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.
Albiriox first surfaced during a limited recruitment phase in late September 2025, and the operators shifted it to a MaaS model a month later. Their activity on cybercrime forums, linguistic patterns, and supporting infrastructure point to Russian-speaking origins.
Prospective customers receive access to a custom builder that, per the developers’ claims, integrates with a third-party crypting service known as Golden Crypt to bypass antivirus and mobile security solutions.
The attacks ultimately aim to seize control of mobile devices and conduct fraudulent actions while staying under the radar. Additionally, at least one initial campaign explicitly targets Austrian victims by using German-language lures and SMS messages with shortened links that lead recipients to fake Google Play Store listings for apps like PENNY Angebote & Coupons.
Unsuspecting users who click on the “Install” button on the lookalike page trigger a dropper APK. Once they install and launch the app, it prompts them to grant permissions to install apps under the guise of a software update, which then deploys the main malware.
Albiriox communicates through an unencrypted TCP socket connection for command-and-control (C2), and this setup allows threat actors to issue various commands that remotely control the device using Virtual Network Computing (VNC), extract sensitive information, serve black or blank screens, and adjust the volume for operational stealth.
It also installs a VNC-based remote access module that enables threat actors to interact with compromised phones. One version of the VNC-based interaction mechanism uses Android’s accessibility services to display all user interface and accessibility elements present on the device screen.
“This accessibility-based streaming mechanism is intentionally designed to bypass the limitations imposed by Android’s FLAG_SECURE protection,” the researchers explained.
“Since many banking and cryptocurrency applications now block screen recording, screenshots, and display capture when this flag is enabled, leveraging accessibility services allows the malware to obtain a complete, node-level view of the interface without triggering any of the protections commonly associated with direct screen-capture techniques.”
Like other Android-based banking trojans, Albiriox supports overlay attacks against a hard-coded list of target applications for credential theft. Furthermore, it can present overlays that mimic a system update or a black screen to enable malicious activities in the background without attracting attention.
Cleafy also observed a slightly altered distribution approach that redirects users to a fake website masquerading as PENNY, where victims input their phone numbers to receive a direct download link via WhatsApp. The page currently only accepts Austrian phone numbers, and the attackers exfiltrate the entered numbers to a Telegram bot.
“Albiriox exhibits all core characteristics of modern on-device fraud (ODF) malware, including VNC-based remote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting,” Cleafy said. “These capabilities enable attackers to bypass traditional authentication and fraud-detection mechanisms by operating directly within the victim’s legitimate session.”
The disclosure aligns with the emergence of another Android MaaS tool codenamed RadzaRat, which impersonates a legitimate file management utility and then unleashes extensive surveillance and remote control capabilities post-installation. The RAT first appeared in an underground cybercrime forum on November 8, 2025.
“The malware’s developer, operating under the alias ‘Heron44,’ has positioned the tool as an accessible remote access solution that requires minimal technical knowledge to deploy and operate,” Certo researcher Sophia Taylor said. “The distribution strategy reflects a troubling democratization of cybercrime tools.”
Central to RadzaRat is remote file system access and management, which allows cybercriminals to browse directories, search for specific files, and download data from the compromised device. It also abuses accessibility services to log users’ keystrokes and uses Telegram for C2.
To achieve persistence, the malware uses RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED permissions, along with a dedicated BootReceiver component, to ensure automatic execution upon a device restart. Additionally, it seeks the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission to exempt itself from Android’s battery optimization features that may restrict its background activity.
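The persistence indicators described for RadzaRat (boot-completed permissions, a dedicated boot receiver, and the battery-optimization exemption) and the accessibility-service and overlay abuse described for Albiriox and BTMOB are all visible statically in an app's decoded AndroidManifest.xml. The following is an added triage example, not tooling from Cleafy, Certo, or Cyble: it parses a manifest and scores these indicators so an analyst can prioritise samples for review. The sample manifests are constructed, and the weights and the "review" threshold are assumptions chosen for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for persistence and
accessibility-abuse indicators.  Added example with constructed inputs;
the weights and threshold are assumptions, not a signature for any
specific malware family."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicator catalogue.  Weights are an assumption for this example.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.RECEIVE_LOCKED_BOOT_COMPLETED": 1,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,        # overlay windows
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,   # dropper behaviour
}
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
REVIEW_THRESHOLD = 5   # assumption: at or above this, send to an analyst


def _attr(elem: ET.Element, name: str):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


@dataclass
class TriageResult:
    package: str
    findings: list = field(default_factory=list)
    score: int = 0


def triage_manifest(xml_text: str) -> TriageResult:
    """Parse a decoded manifest and collect weighted indicators."""
    root = ET.fromstring(xml_text)
    result = TriageResult(package=root.get("package", "<unknown>"))

    # 1. Declared permissions tied to persistence, overlays and installs.
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in PERMISSION_WEIGHTS:
            result.findings.append(f"permission {name}")
            result.score += PERMISSION_WEIGHTS[name]

    app = root.find("application")
    if app is None:
        return result

    # 2. Receivers that listen for boot events (auto-start after restart).
    for receiver in app.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if actions & BOOT_ACTIONS:
            result.findings.append(f"boot receiver {_attr(receiver, 'name')}")
            result.score += 2

    # 3. Services bound as accessibility services (UI observation/automation).
    for service in app.iter("service"):
        if _attr(service, "permission") == ACCESSIBILITY_PERMISSION:
            result.findings.append(f"accessibility service {_attr(service, 'name')}")
            result.score += 3

    return result


def verdict(score: int) -> str:
    """Map a score to a triage bucket (assumed threshold)."""
    return "review" if score >= REVIEW_THRESHOLD else "low"


# Constructed manifest resembling a file-manager lure with persistence,
# overlay and accessibility indicators.  Not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakefilemanager">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECEIVE_LOCKED_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Files">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(text)
        print(r.package, r.score, verdict(r.score), r.findings)
```

Legitimate file managers, launchers and assistive apps also declare several of these entries, so the output is a prioritisation signal for an analyst, not a detection on its own; pairing it with the dropper and C2 behaviour the article describes is what turns it into a finding.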
“Its disguise as a functional file manager, combined with extensive surveillance and data exfiltration capabilities, makes it a significant threat to individual users and organizations alike,” Certo said.
The findings coincide with fake Google Play Store landing pages for an app named “GPT Trade” (“com.jxtfkrsl.bjtgsb”), which distribute the BTMOB Android malware and a persistence module referred to as UASecurity Miner. BTMOB, first documented by Cyble in February 2025, abuses accessibility services to unlock devices, log keystrokes, automate credential theft through injections, and enable remote control.
Meanwhile, social engineering lures using adult content fuel a sophisticated Android malware distribution network that delivers a heavily obfuscated malicious APK requesting sensitive permissions for phishing overlays, screen capture, installing other malware, and manipulating the file system.
“It employs a resilient, multi-stage architecture with front-end lure sites that use commercial-grade obfuscation and encryption to hide and dynamically connect to a separate backend infrastructure,” Palo Alto Networks Unit 42 said. “The front-end lure sites use deceptive loading messages and a series of checks, including the time it takes to load a test image, to evade detection and analysis.”
Source: TheHackerNews
Read more at Impreza News