
A new Android malware named Albiriox is being touted as based on a malware-as-a-service (MaaS) model that offers a “full range” of features that facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
The malware is embedded with a hardcoded list of over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.
“This malware combines a dropper application distributed through social engineering lures with packing techniques to evade static detection and deliver its payload,” said Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia.
Albiriox was first advertised as part of a limited adoption phase in late September 2025, and is said to have transitioned to a MaaS service a month later. There is evidence to suggest that the threat actors speak Russian based on their activity on cybercrime forums, language patterns, and the infrastructure used.
The developer claims that prospective customers will be provided access to a custom builder that integrates with a third-party encryption service known as Golden Crypt in order to bypass antivirus and mobile security solutions.
The ultimate goal of the attack is to gain control of the mobile device and perform fraudulent activities under the radar. At least one early campaign explicitly targeted Austrian victims using German-language enticements and SMS messages containing shortened links that directed recipients to fake Google Play Store app listings for apps such as PENNY Angebote & Coupons.
Unsuspecting users who click the “Install” button on such a page are infected with the dropper APK. Once the app is installed and launched, it requests permission to install a second app under the guise of a software update, which leads to the deployment of the main malware.

Albiriox uses unencrypted TCP socket connections for command and control (C2), allowing attackers to issue various commands to remotely control devices using virtual network computing (VNC), extract sensitive information, display a black or blank screen, and increase or decrease the volume for operational stealth.
It also installs a VNC-based remote access module that allows attackers to interact with compromised phones remotely. One version of the VNC-based interaction mechanism leverages Android’s accessibility services to display all user interface and accessibility elements that are present on the device screen.
“This accessibility-based streaming mechanism is intentionally designed to circumvent the limitations imposed by Android’s FLAG_SECURE protection,” the researchers explained.

“Many banking and cryptocurrency applications currently block screen recording, screenshots, and display captures when this flag is enabled, so by leveraging accessibility services, malware can obtain a complete node-level view of the interface without triggering protections commonly associated with direct screen capture techniques.”
Like other Android-based banking Trojans, Albiriox supports overlay attacks against a hard-coded list of target applications for credential theft. Additionally, it can display an overlay that mimics a system update or a black screen, allowing it to perform malicious activities in the background without attracting attention.
Cleafy said it also observed a slightly modified distribution approach that redirected users to a fake website masquerading as PENNY. There, victims are instructed to enter their phone number to receive a download link directly via WhatsApp. The page currently only accepts Austrian phone numbers, and the entered number is exfiltrated to a Telegram bot.

“Albiriox exhibits all the core characteristics of modern on-device fraud (ODF) malware, including VNC-based remote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting,” said Cleafy. “These capabilities allow attackers to bypass traditional authentication and fraud detection mechanisms by operating directly within a victim’s legitimate session.”
This disclosure coincides with the emergence of another Android MaaS tool, codenamed RadzaRat, that impersonates a legitimate file management utility and unlocks extensive monitoring and remote control capabilities after installation. The RAT was first advertised on underground cybercrime forums on November 8, 2025.
“The malware’s developer, operating under the alias ‘Heron44,’ positions the tool as an accessible remote access solution that requires minimal technical knowledge to deploy and operate,” said Certo researcher Sophia Taylor. “This distribution strategy reflects the issue of democratizing cybercrime tools.”
At the heart of RadzaRat is its ability to remotely access and manage the file system, allowing cybercriminals to browse directories, search for specific files, and download data from compromised devices. It also abuses accessibility services to record users’ keystrokes and uses Telegram for C2.

To achieve persistence, the malware uses the RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED permissions along with a dedicated BootReceiver component to ensure it launches automatically on device reboot. Additionally, it asks for the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission to exclude itself from Android’s battery optimization features that may limit background activity.
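The permission and component combination described above is something an analyst can check for in a decoded manifest during APK triage. The following is an added example written for this article, not Certo’s or any vendor’s code; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest embedded in it is constructed for demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article names for reboot persistence and battery-optimization opt-out.
PERSISTENCE_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_LOCKED_BOOT_COMPLETED",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.LOCKED_BOOT_COMPLETED"}

def triage_manifest(xml_text: str) -> dict:
    """Collect persistence and abuse indicators from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if actions & BOOT_ACTIONS:  # a BootReceiver-style component
            boot_receivers.append(receiver.get(ANDROID_NS + "name"))
    a11y_services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                     if s.get(ANDROID_NS + "permission")
                     == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    return {"persistence_perms": sorted(perms & PERSISTENCE_PERMS),
            "boot_receivers": boot_receivers,
            "accessibility_services": a11y_services,
            "overlay_perm": "android.permission.SYSTEM_ALERT_WINDOW" in perms}

def looks_like_odf_persistence(report: dict) -> bool:
    """Flag the combination described: boot receiver + battery-optimization opt-out
    + an accessibility service. Each alone is common in benign apps."""
    return (bool(report["boot_receivers"])
            and "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in report["persistence_perms"]
            and bool(report["accessibility_services"]))

# Constructed sample manifest for demonstration, not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_LOCKED_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Calling `looks_like_odf_persistence(triage_manifest(SAMPLE_MANIFEST))` returns True for the constructed manifest; the heuristic is a triage signal to prioritise manual review, not a verdict on its own.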
“Its ability to masquerade as a functional file manager, combined with extensive monitoring and data extraction capabilities, makes it a significant threat to both individual users and organizations,” Certo said.
The disclosure also follows the discovery of a fake Google Play Store landing page (“com.jxtfkrsl.bjtgsb”) for an app named “GPT Trade” that distributed the BTMOB Android malware and a persistence module called UASecurity Miner. BTMOB was first documented by Cyble in February 2025 and is known to abuse accessibility services to unlock devices, log keystrokes, automate credential theft through injection, and enable remote control.
Social engineering lures using adult content as decoys also underpin sophisticated Android malware distribution networks that deliver highly obfuscated malicious APK files that request sensitive permissions for phishing overlays, screen captures, installation of other malware, and file system manipulation.
“We use commercial-grade obfuscation and encryption to hide separate back-end infrastructure and employ a resilient, multi-tiered architecture with front-end lure sites that connect dynamically,” said Palo Alto Networks Unit 42. “The front-end decoy site uses a series of checks, including fraudulent loading messages and the time it takes for test images to load, to evade detection and analysis.”
