Albiriox Malware Threatens Over 400 Apps, Employs Advanced On-Device Fraud and Evasion Tactics

Albiriox Malware-as-a-Service Targets Over 400 Apps with Advanced On-Device Fraud Capabilities

A new Android malware named Albiriox has emerged, offering a comprehensive suite of features designed to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. Distributed under a malware-as-a-service (MaaS) model, Albiriox poses a significant threat to mobile security.

Extensive Targeting Across Financial Applications

Albiriox is engineered to target a wide array of applications, with a hard-coded list encompassing over 400 apps. These include banking services, financial technology platforms, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms. This extensive targeting indicates the malware’s potential to compromise a vast number of users across various financial sectors.

Sophisticated Distribution and Evasion Techniques

The malware employs dropper applications distributed through social engineering tactics, often masquerading as legitimate apps. These droppers utilize packing techniques to evade static detection mechanisms, effectively delivering the Albiriox payload to unsuspecting users. Once installed, the malware requests permissions under the guise of software updates, facilitating its malicious activities.

Evolution from Limited Release to MaaS Offering

Initially advertised in a limited recruitment phase in late September 2025, Albiriox transitioned to a full-fledged MaaS offering by October 2025. Evidence suggests that the developers are Russian-speaking, based on their activity on cybercrime forums, linguistic patterns, and the infrastructure employed. Prospective clients are provided with a custom builder that integrates with a third-party crypting service known as Golden Crypt, designed to bypass antivirus and mobile security solutions.

Command-and-Control Mechanisms and Remote Control

Albiriox utilizes an unencrypted TCP socket connection for command-and-control (C2) operations, allowing threat actors to issue various commands remotely. These commands enable control over the device using Virtual Network Computing (VNC), extraction of sensitive information, display of black or blank screens, and volume manipulation to maintain operational stealth.

Exploitation of Accessibility Services

A notable feature of Albiriox is its installation of a VNC-based remote access module that leverages Android’s accessibility services. This approach allows threat actors to interact with the compromised device’s user interface and accessibility elements without triggering protections associated with direct screen-capture techniques. By exploiting these services, the malware can bypass Android’s FLAG_SECURE protection, which many banking and cryptocurrency applications use to block screen recording and screenshots.

Overlay Attacks and Credential Theft

Albiriox supports overlay attacks against its extensive list of target applications to steal user credentials. It can present overlays mimicking system updates or display black screens, enabling malicious activities to occur in the background without attracting user attention.
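The accessibility-service and overlay behaviour described in the two sections above maps to a small set of manifest declarations a dropper or payload has to carry. The following triage script is an added example (not from the original report or from any vendor tooling); it assumes the APK's AndroidManifest.xml has already been decoded to plain XML by a tool such as apktool, and the embedded sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Manifest-level indicators that correspond to the behaviours the report
# describes: installing a second APK (dropper), drawing overlays over other
# apps, and binding an accessibility service to read and drive the UI.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional APKs (dropper stage)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the risky declarations found, and a simple count."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    findings = [f"{perm}: {why}" for perm, why in SUSPECT_PERMISSIONS.items() if perm in declared]
    # Accessibility services are declared as <service> elements guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission; the system grants the binding, so the
    # permission appears on the service, not in a <uses-permission> line.
    a11y_services = [s.get(NAME_ATTR) for s in root.iter("service") if s.get(PERM_ATTR) == A11Y_BIND]
    findings += [f"accessibility service {svc}: can observe and act on other apps' UI" for svc in a11y_services]
    return {
        "package": root.get("package"),
        "findings": findings,
        "accessibility_services": a11y_services,
        "score": len(findings),
    }


# Constructed sample: a coupon-themed app that declares every indicator above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecoupons">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Coupons">
    <service android:name=".UpdateService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

A score of zero does not clear an app (a dropper may carry only REQUEST_INSTALL_PACKAGES and fetch the rest later), but any accessibility-service declaration in an app whose purpose does not need one deserves a closer look.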

Targeted Campaigns and Distribution Methods

At least one initial campaign has explicitly targeted Austrian users by employing German-language lures and SMS messages containing shortened links. These links direct recipients to fake Google Play Store listings for apps like PENNY Angebote & Coupons. Users who click the Install button on these counterfeit pages are compromised with a dropper APK. Once installed and launched, the app prompts users to grant permissions to install additional apps under the pretense of a software update, leading to the deployment of the main Albiriox malware.

In a slightly altered distribution approach, users are redirected to a fake website impersonating PENNY, where they are instructed to enter their phone number to receive a direct download link via WhatsApp. This method further exemplifies the sophisticated social engineering tactics employed by the threat actors behind Albiriox.

Implications and Recommendations

The emergence of Albiriox underscores the evolving landscape of mobile malware and the increasing sophistication of threat actors. Users are advised to exercise caution when downloading applications, especially from links received via SMS or messaging apps. It is crucial to verify the authenticity of app sources and to be wary of granting extensive permissions to applications without thorough scrutiny.

Organizations should implement robust mobile security solutions capable of detecting and mitigating such advanced threats. Regular updates and patches, combined with user education on recognizing phishing and social engineering attempts, are essential components of a comprehensive defense strategy against malware like Albiriox.