A newly discovered Android malware called Albiriox is being marketed under a malware-as-a-service (MaaS) model, boasting a “full spectrum” of capabilities aimed at facilitating on-device fraud (ODF), screen manipulation, and real-time control of infected devices.
This malware contains a hard-coded list of over 400 targeted applications, including those related to banking, fintech, payment processing, cryptocurrency exchanges, digital wallets, and trading platforms. According to Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia, Albiriox uses dropper applications disseminated through social engineering tactics and packing techniques to avoid static detection and deliver its payload.
Albiriox was initially introduced during a limited recruitment phase in late September 2025 before transitioning to a MaaS offering a month later. Evidence suggests that the threat actors are Russian-speaking, based on their activities in cybercrime forums, linguistic cues, and their infrastructure.
Prospective clients are granted access to a custom builder, which the developers claim integrates with a third-party crypting service called Golden Crypt to evade antivirus and mobile security measures. The ultimate aim of these attacks is to seize control of mobile devices for fraudulent purposes while remaining undetected.
At least one campaign has specifically targeted victims in Austria, utilizing German-language lures and SMS messages containing shortened links that direct users to fake Google Play Store listings for apps like PENNY Angebote & Coupons. Unsuspecting users who click the “Install” button on these deceptive pages end up downloading a dropper APK. Once installed and activated, the app requests permissions to install other applications masquerading as a software update, which leads to the activation of the primary malware.
Albiriox employs an unencrypted TCP socket connection for its command-and-control (C2) operations, enabling threat actors to remotely issue commands for full device control via Virtual Network Computing (VNC). This capability allows them to extract sensitive data, display black or blank screens, and adjust the device volume for stealth operations.
Additionally, it installs a VNC-based remote access module, granting attackers the ability to interact with compromised devices. One particular version of this VNC interaction utilizes Android’s accessibility services to reveal all user interface and accessibility elements displayed on the device screen.
“This accessibility-based streaming method is deliberately crafted to circumvent the restrictions of Android’s FLAG_SECURE protection,” the researchers noted.
Many banking and cryptocurrency applications now block functionalities like screen recording, screenshots, and display capture when a specific flag is enabled. By leveraging accessibility services, Albiriox circumvents these restrictions, allowing the malware to obtain a detailed view of the user interface without triggering the typical protections associated with direct screen capture techniques.
Like other Android banking trojans, Albiriox executes overlay attacks against a predefined list of target applications to facilitate credential theft. Furthermore, it can present overlays that simulate system updates or display a blank screen, enabling the execution of malicious activities discreetly in the background.
Cleafy has identified a newly altered distribution method that redirects users to a fraudulent website masquerading as PENNY. Victims are asked to enter their phone numbers to receive a direct download link via WhatsApp. Currently, this page only accepts Austrian phone numbers, which are subsequently transmitted to a Telegram bot.
Albiriox embodies key traits of modern on-device fraud (ODF) malware, such as VNC-based remote control, automation through accessibility services, targeted overlays, and dynamic credential harvesting. These features enable attackers to bypass standard authentication and fraud detection measures by operating directly within the victim’s legitimate session.
This disclosure aligns with the recent emergence of a new Android malware-as-a-service tool called RadzaRat, which masquerades as a legitimate file management app but provides extensive surveillance and remote control capabilities after installation. First advertised in an underground cybercrime forum on November 8, 2025, RadzaRat is marketed by the developer, known as ‘Heron44,’ as an easy-to-use remote access solution that requires minimal technical skill.
Key functionalities of RadzaRat include the ability to remotely manage file system access, allowing cybercriminals to browse directories, search for files, and download data from infected devices. It also leverages accessibility services for keylogging and utilizes Telegram for command-and-control (C2) operations. To maintain persistence, RadzaRat exploits permissions such as RECEIVE_BOOT_COMPLETED and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, enabling it to launch automatically after device restarts while avoiding battery restrictions.
The threat posed by RadzaRat is heightened by its disguise as a functional file manager, coupled with its extensive data exfiltration capabilities. Concurrently, fake Google Play Store landing pages for an app named “GPT Trade” have been linked to the distribution of BTMOB Android malware, known for abusing accessibility services for device unlocking and credential theft.
This malware, documented by Cyble in February 2025, utilizes social engineering tactics involving adult content lures to distribute a heavily obfuscated malicious APK. This APK requests sensitive permissions for phishing overlays, screen capture, malware installation, and file system manipulation.
Palo Alto Networks Unit 42 highlighted that this sophisticated distribution network employs a resilient, multi-stage architecture, utilizing commercial-grade obfuscation and encryption to conceal and dynamically connect to backend infrastructure. The lure sites display deceptive loading messages and conduct various checks to evade detection and analysis.
Source: thehackernews Edited by Bernie
