Albiriox: The New Android Malware-as-a-Service Threatening Over 400 Financial Apps
A sophisticated Android malware named Albiriox has emerged, operating under a Malware-as-a-Service (MaaS) model. This malicious software is designed to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. It specifically targets over 400 applications, including those related to banking, financial technology, payment processing, cryptocurrency exchanges, digital wallets, and trading platforms.
Discovery and Distribution
Albiriox was first identified in September 2025 during a limited recruitment phase. By October 2025, it transitioned into a MaaS offering, allowing cybercriminals to subscribe for a monthly fee of $720. Evidence suggests that the developers are Russian-speaking, based on their activities in cybercrime forums and linguistic patterns. Subscribers gain access to a custom builder integrated with a third-party crypting service known as Golden Crypt, which helps the malware evade detection by antivirus and mobile security solutions.
Technical Capabilities
Albiriox employs dropper applications distributed through social engineering tactics, such as SMS phishing and fake Google Play Store pages. These droppers prompt users to grant permissions under the guise of software updates, leading to the installation of the main malware payload.
Once installed, Albiriox establishes an unencrypted TCP socket connection for command-and-control (C2) communication. This allows attackers to remotely control the device using Virtual Network Computing (VNC), extract sensitive information, and manipulate the device’s screen and volume settings to operate stealthily.
A notable feature of Albiriox is its use of Android’s accessibility services to sidestep the FLAG_SECURE protection, which many financial applications set to prevent screenshots and screen recording. FLAG_SECURE only blocks pixel capture; an accessibility service is instead granted a complete, node-level view of the interface (the view hierarchy and its text), so the malware reads the screen contents without triggering that protection.
Additionally, Albiriox supports overlay attacks against a hard-coded list of target applications to steal user credentials. It can display overlays mimicking system updates or black screens, allowing malicious activities to occur in the background without user awareness.
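The two techniques described above, accessibility-service reading of the view hierarchy and overlay attacks, can both be reduced on the app side. The following Activity is an added example written for this article, not code from the report or from any affected app: it sets FLAG_SECURE, discards touches delivered while another window covers the app, hides the login view tree from accessibility services that are not declared accessibility tools (Android 14 and later), and lists enabled accessibility services that lack that declaration so the app can warn before a high-risk action. The layout name `activity_login` and the warning handling are assumptions; the framework calls are standard Android APIs.

```java
// Added example: app-side hardening against accessibility-service and overlay abuse.
// Not from the article or any real banking app; R.layout.activity_login is a hypothetical layout.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.Toast;
import java.util.ArrayList;
import java.util.List;

public class SecureLoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE blocks screenshots and screen recording of this window.
        // It does NOT stop an accessibility service from reading the view hierarchy,
        // which is exactly the gap the article describes; hence the extra steps below.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_login); // hypothetical layout resource
        View root = findViewById(android.R.id.content);

        // Overlay defence: touches that arrive while another window (an overlay)
        // fully or partially covers this one are dropped instead of delivered.
        root.setFilterTouchesWhenObscured(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14+: views marked data-sensitive are not exposed to accessibility
            // services unless the service declares itself an accessibility tool.
            root.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }

    @Override
    protected void onResume() {
        super.onResume();
        List<String> suspicious = enabledNonToolAccessibilityServices(this);
        if (!suspicious.isEmpty()) {
            // Policy decision belongs to the app: here we only warn. A stricter app
            // might refuse payments or logins until the service is disabled.
            Toast.makeText(this,
                    "Accessibility service active from: " + suspicious,
                    Toast.LENGTH_LONG).show();
        }
    }

    /**
     * Returns package names of enabled accessibility services that do not declare
     * themselves as accessibility tools (isAccessibilityTool, API 33+). Services
     * enabled on the device but lacking that declaration deserve a closer look
     * before the user performs a sensitive action. Below API 33 every enabled
     * service is reported, because the declaration does not exist there.
     */
    static List<String> enabledNonToolAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> out = new ArrayList<>();
        if (am == null) {
            return out;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            if (!declaredTool) {
                out.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        return out;
    }
}
```

None of these measures is complete on its own: legitimate screen readers also appear in the enabled-services list, so the check is a signal to surface to the user or to risk scoring, not a hard block; and the data-sensitive flag only helps on devices running Android 14 or later, while FLAG_SECURE and touch filtering work on all supported versions.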
Initial Campaigns and Targeting
Initial campaigns have targeted Austrian users through German-language lures and SMS messages containing links to fake Google Play Store listings for apps like PENNY Angebote & Coupons. Users who clicked on the Install button were led to download a dropper APK, which, once installed, prompted them to grant permissions for app installation under the pretense of a software update, ultimately deploying the main malware.
Another observed distribution method involved redirecting users to a counterfeit website impersonating PENNY, where victims were asked to enter their phone numbers to receive a download link via WhatsApp. The page accepted only Austrian phone numbers, and the entered numbers were exfiltrated to a Telegram bot controlled by the attackers.
Security Implications
The emergence of Albiriox underscores the evolving threat landscape in mobile cybersecurity. Its advanced capabilities, including real-time device control and evasion of traditional security measures, pose significant risks to individual users and financial institutions worldwide.
Preventive Measures
To mitigate the risk of Albiriox infections, users are advised to:
– Download apps only from official sources like the Google Play Store.
– Be cautious of unsolicited messages containing links or prompts to install applications.
– Regularly update their devices and applications to the latest versions.
– Utilize reputable mobile security solutions to detect and prevent malware infections.
By adhering to these practices, users can enhance their security posture against emerging threats like Albiriox.