Albiriox Malware Emerges as Major Android Threat, Granting Cybercriminals Full Device Control

A new Android malware family, Albiriox, offers affiliates remote access to infected devices under a Malware-as-a-Service (MaaS) model. According to the Cleafy researchers who documented it, Albiriox is built for On-Device Fraud (ODF): the operator drives the victim's own handset, so fraudulent transactions originate from an already-enrolled device and pass the device-based checks that banks use to spot account takeover, letting the operator siphon funds from the victim's financial accounts.

Emergence and Commercialization

Albiriox made its initial appearance in September 2025 within exclusive underground forums. By October, it transitioned from a private beta phase to a publicly available commercial service. The operation is believed to be orchestrated by Russian-speaking threat actors who have aggressively marketed the tool. The service operates on a subscription basis, charging affiliates approximately $650 per month for access to the malware’s comprehensive toolkit.

Advanced Capabilities

Unlike malware that only harvests credentials, Albiriox is built for real-time interaction. A Virtual Network Computing (VNC) module streams the victim's screen to the operator, who can then open the banking app and submit transfers from the victim's device while the user is unaware. Because the session runs on the legitimately enrolled device, anti-fraud controls that rely on device fingerprinting, and second factors that are delivered to or confirmed on that same device, see what looks like the genuine customer; this is why ODF defeats two-factor authentication (2FA) without ever breaking it cryptographically.

Two-Stage Infection Chain

Albiriox is distributed through a two-stage process designed so that the component exposed to store-page and install-time scanning carries no banking logic. Early campaigns targeted users in Austria with a counterfeit version of the Penny Market discount-retailer app. The infection chain typically unfolds as follows:

1. Social Engineering: Victims receive SMS messages containing shortened links that promise discounts or prizes, redirecting them to a fake Google Play Store page.

2. Dropper Installation: The user downloads a dropper application, such as the fake Penny app.

3. Payload Delivery: Once installed, the dropper asks the user to enable the "Install unknown apps" setting for it (the REQUEST_INSTALL_PACKAGES permission), then fetches the actual Albiriox payload from a command-and-control (C2) server and installs it. Only this second package contains the RAT and fraud functionality.

Recent campaigns have added WhatsApp-based lures that ask the user to enter a phone number before a download link is sent; the number's country code lets the operators restrict delivery to targets in specific regions, such as Austria.
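The chain above leaves a recognisable footprint on the device: a sideloaded app holding REQUEST_INSTALL_PACKAGES, a second app whose installer is that app rather than a store, and an accessibility service enabled for the second app. The script below is an added example written for this article, not Cleafy's or the malware's code, that triages an inventory for that pattern. All inputs are constructed, abridged samples modelled on the output of `adb shell pm list packages -i`, `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the package names are invented and the set of trusted installers is an assumption.

```python
"""Offline triage of an Android package inventory for the two-stage
dropper pattern: a sideloaded app that holds REQUEST_INSTALL_PACKAGES,
a second app installed by that app rather than by a store, and an
accessibility service enabled for the second app.  All inputs are
constructed, abridged samples modelled on adb output; nothing here is
captured from a real infection."""
import re

# Assumption: only the Play Store counts as a trusted installer in this
# example; a fleet with OEM stores would add their package names here.
TRUSTED_INSTALLERS = {"com.android.vending"}
DROPPER_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed `pm list packages -i` sample (package names are invented).
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:at.shop.discount.lookalike  installer=null
package:com.sys.update.core  installer=at.shop.discount.lookalike
"""

# Constructed, abridged `dumpsys package <pkg>` excerpts.
DUMPSYS = {
    "com.android.chrome": """\
Package [com.android.chrome] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
""",
    "com.example.notes": """\
Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
""",
    "at.shop.discount.lookalike": """\
Package [at.shop.discount.lookalike] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
""",
    "com.sys.update.core": """\
Package [com.sys.update.core] (0d1e2f):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
""",
}

# Constructed `settings get secure enabled_accessibility_services` value:
# colon-separated `package/service-class` entries.
ENABLED_A11Y = ("com.sys.update.core/com.sys.update.core.CoreService:"
                "com.google.android.marvin.talkback/.TalkBackService")


def parse_installers(pm_output):
    """Map package -> installing package (None when sideloaded via adb/browser)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_requested_permissions(dump):
    """Collect the entries indented under the 'requested permissions:' block."""
    perms, block_indent = set(), None
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requested permissions:":
            block_indent = indent
        elif block_indent is not None and line.strip():
            if indent > block_indent:
                perms.add(line.strip())
            else:
                block_indent = None  # left the block
    return perms


def parse_enabled_accessibility(setting):
    """Packages that currently own an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def triage(installers, dumps, a11y_setting):
    """Tag every non-store package with the dropper/payload signals it shows."""
    a11y_pkgs = parse_enabled_accessibility(a11y_setting)
    findings = {}
    for pkg, installer in installers.items():
        if installer in TRUSTED_INSTALLERS:
            continue
        perms = parse_requested_permissions(dumps.get(pkg, ""))
        tags = ["sideloaded"]
        if DROPPER_PERM in perms:
            tags.append("dropper-candidate")
        if installer is not None and installers.get(installer) not in TRUSTED_INSTALLERS:
            tags.append("installed-by-non-store-app:" + installer)
        if pkg in a11y_pkgs:
            tags.append("accessibility-enabled")
        if OVERLAY_PERM in perms:
            tags.append("overlay-capable")
        findings[pkg] = tags
    return findings


def run_triage():
    return triage(parse_installers(PM_LIST), DUMPSYS, ENABLED_A11Y)


if __name__ == "__main__":
    for pkg, tags in run_triage().items():
        print(pkg, ", ".join(tags))
```

The combination "installed-by-non-store-app" plus "accessibility-enabled" on the same package is the signal worth paging on: it reproduces the dropper-then-payload relationship directly from installer metadata, which a renamed package or a fresh crypter build does not change.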

Technical Architecture and Evasion Techniques

Albiriox's architecture emphasizes stealth and control. The payload is wrapped with Golden Crypt, a third-party crypting service sold as producing Fully Undetectable (FUD) builds; that claim concerns signature-based and static antivirus scanning only and says nothing about behavioural detection once the sample runs. Once active, Albiriox abuses Android Accessibility Services, which let it read on-screen content and input events (keylogging), recognise which app is in the foreground, and draw overlay windows on top of targeted apps.

The malware ships with a hardcoded target list of more than 400 applications, covering major traditional banking apps, cryptocurrency wallets and payment processors worldwide, against which its overlays are deployed.

Technical Profile of Albiriox Operations

| Feature | Details |
|---|---|
| Malware Type | Android Banking Trojan / Remote Access Trojan (RAT) |
| Distribution Model | Malware-as-a-Service (MaaS) |
| Primary Tactics | On-Device Fraud (ODF), Overlay Attacks, VNC Streaming |
| Target Scope | 400+ Financial & Crypto Applications |
| Evasion Techniques | Golden Crypt obfuscation, JSONPacker, Two-stage dropper |
| Command & Control | Unencrypted TCP Socket with JSON-based commands |

Implications and Recommendations

Albiriox's rapid development cycle suggests it is positioning itself as a major tool for financial fraud. Combining screen streaming with accessibility-driven input lets operators work behind a black-screen overlay: the user sees a blank screen while the banking app is operated underneath it. This makes it a serious threat to financial institutions and Android users worldwide. Because the device itself is genuine, the relevant app-side mitigations are the ones that look at the session rather than the device identity: rejecting touch input while the app's window is obscured, checking for active third-party accessibility services, and scoring transaction behaviour server-side.

Indicators of Compromise (IOCs)

– C2 Server IP: 194.32.79.94 (Port: 5555)

– Delivery Domains:
  – google-app-download[.]download
  – google-get[.]download
  – google-aplication[.]download
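The indicators above are easy to consume only after refanging, and the IP will rotate long before the C2 pattern (JSON commands over an unencrypted TCP socket, here on port 5555) does. The script below is an added example written for this article, not Cleafy's or any vendor's code: it refangs the published list, matches it against constructed DNS and connection records, and flags the generic plaintext-JSON-to-5555 pattern as a behavioural rule. The log records are constructed for this example, and the JSON bodies in them are placeholders, not the malware's real command format.

```python
"""Match the published Albiriox IOCs against constructed DNS and
connection records, and flag the generic C2 pattern: a plain TCP
socket carrying JSON, here on port 5555.  The IOC text is copied from
the indicator list above; the log records are constructed and the JSON
payloads are placeholders, not the real command format."""
import re

RAW_IOCS = """\
C2 Server IP: 194.32.79.94 (Port: 5555)
google-app-download[.]download
google-get[.]download
google-aplication[.]download
"""

# Constructed DNS resolver log: timestamp, client, queried name.
DNS_LOG = """\
2025-11-02T09:14:02Z 10.0.0.12 cdn.example.org
2025-11-02T09:14:05Z 10.0.0.12 google-get.download
2025-11-02T09:14:06Z 10.0.0.12 dl.google-aplication.download
"""

# Constructed connection records with the first payload bytes of each flow.
CONN_LOG = [
    {"src": "10.0.0.12", "dst": "194.32.79.94", "dport": 5555, "proto": "tcp",
     "payload": b'{"placeholder": true}'},
    {"src": "10.0.0.12", "dst": "192.0.2.10", "dport": 443, "proto": "tcp",
     "payload": b"\x16\x03\x01\x02\x00"},          # TLS ClientHello
    {"src": "10.0.0.31", "dst": "10.0.0.5", "dport": 5555, "proto": "tcp",
     "payload": b"CNXN\x00\x00\x00\x01"},          # ADB-over-TCP handshake
    {"src": "10.0.0.31", "dst": "198.51.100.23", "dport": 5555, "proto": "tcp",
     "payload": b'  {"placeholder": 1}'},
]


def refang(text):
    """Undo the [.] / hxxp defanging used in published IOC lists."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Return ({(ip, port_or_None)}, {domain}) from a defanged IOC list."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = refang(line.strip())
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s*\(Port:\s*(\d+)\))?", line)
        if m:
            ips.add((m.group(1), int(m.group(2)) if m.group(2) else None))
        elif re.fullmatch(r"[a-z0-9.-]+\.[a-z]+", line):
            domains.add(line)
    return ips, domains


def domain_matches(qname, domains):
    """Exact match or subdomain of a listed delivery domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def looks_like_json(payload):
    """Cheap check for a JSON object/array at the start of the stream."""
    return payload.lstrip()[:1] in (b"{", b"[")


def scan(dns_log, conn_log, ioc_text):
    """Emit (rule, client, target) hits for IOC matches and the C2 pattern."""
    ips, domains = load_iocs(ioc_text)
    hits = []
    for line in dns_log.splitlines():
        _ts, client, qname = line.split()
        if domain_matches(qname, domains):
            hits.append(("dns-ioc", client, qname))
    for rec in conn_log:
        target = "%s:%d" % (rec["dst"], rec["dport"])
        if (rec["dst"], rec["dport"]) in ips or (rec["dst"], None) in ips:
            hits.append(("c2-ioc", rec["src"], target))
        elif rec["proto"] == "tcp" and rec["dport"] == 5555 and looks_like_json(rec["payload"]):
            hits.append(("json-over-tcp-5555", rec["src"], target))
    return hits


if __name__ == "__main__":
    for hit in scan(DNS_LOG, CONN_LOG, RAW_IOCS):
        print(*hit)
```

Port 5555 is also the ADB-over-TCP port, which is why the behavioural rule checks the first payload bytes: an ADB session opens with a `CNXN` message, not a JSON object, so the local developer-tools flow in the sample is left alone while the flow to the unknown external host is flagged.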

Protective Measures

To safeguard against Albiriox and similar threats, users are advised to:

– Exercise Caution with Links: Avoid clicking on links from unknown or untrusted sources, especially those received via SMS or messaging apps.

– Verify App Sources: Install applications only from official app stores, and make sure you are inside the store app itself rather than on a web page imitating it, since the Albiriox lures lead to a fake Google Play Store page; check the developer name and listing before installing.

– Review Permissions: Be cautious of apps requesting permissions that are not necessary for their functionality, and treat two requests as red flags in particular: permission to install other apps ("Install unknown apps") and a request to enable an Accessibility Service, which is what gives Albiriox its keylogging and overlay capabilities.

– Keep Devices Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.

– Use Security Software: Install reputable antivirus and anti-malware software to detect and prevent infections.

By adhering to these practices, users can significantly reduce the risk of falling victim to Albiriox and other malicious software.