New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

December 2, 2025

A new Android malware, Albiriox, has emerged in the cybersecurity landscape, marketed under a malware-as-a-service (MaaS) model. This sophisticated tool offers a comprehensive suite of features designed to facilitate on-device fraud (ODF), screen manipulation, and real-time interactions with compromised devices.

Features and Distribution Tactics

Albiriox comes equipped with a hard-coded list of over 400 applications, encompassing banking, fintech, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms. According to researchers from Cleafy—Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia—the malware employs dropper applications that are disseminated through social engineering tactics. These techniques, combined with advanced packing methods, help it evade static detection and successfully deliver its malicious payload.

Initially advertised in a limited recruitment phase in late September 2025, Albiriox transitioned to a full MaaS offering by October. The threat actors behind this malware appear to be Russian-speaking, as indicated by their activities on cybercrime forums and the linguistic nuances of their communications.

  • Prospective customers are granted access to a custom builder that integrates with a third-party crypting service, known as Golden Crypt, to circumvent antivirus and mobile security solutions.
  • The primary objective of these attacks is to gain control over mobile devices and execute fraudulent activities while remaining undetected.

One of the initial campaigns has notably targeted victims in Austria, utilizing German-language lures and SMS messages with shortened links that direct users to counterfeit Google Play Store listings for applications such as PENNY Angebote & Coupons. Unsuspecting users who click on the “Install” button on these deceptive pages inadvertently download a dropper APK. Upon installation, the app requests permissions under the pretense of a software update, leading to the deployment of the main malware.

Command-and-Control Mechanism

Albiriox talks to its command-and-control (C2) server over an unencrypted TCP socket, through which the operators issue commands to extract sensitive information, display a black or blank screen, and adjust device volume so that fraudulent activity proceeds without alerting the user. A VNC-based remote access module installed alongside the bot lets the attackers interact with the compromised device in real time. Because the C2 channel is plaintext, the command traffic itself is visible to anyone able to inspect the network path.

The malware uses Android’s accessibility services to sidestep FLAG_SECURE, the window flag many banking and cryptocurrency apps set to block screenshots and screen recording. FLAG_SECURE only prevents pixel capture (screenshots and MediaProjection-based recording); an accessibility service instead reads the window’s view hierarchy, its text, and the position of its controls, so a stream built from that data reconstructs what is on screen without ever capturing pixels and without triggering the alerts a blocked screen capture would raise.

In addition to its remote control features, Albiriox supports overlay attacks targeting a predefined list of applications for credential theft. It can also create overlays that mimic system updates or display black screens, allowing malicious activities to proceed unnoticed.

  • Cleafy researchers have noted a novel distribution strategy that directs users to a counterfeit PENNY website, where victims are prompted to enter their phone numbers to receive a download link via WhatsApp. Currently, this page only accepts Austrian phone numbers, which are subsequently exfiltrated to a Telegram bot.

Albiriox exemplifies the core characteristics of modern on-device fraud malware, including VNC-based remote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting. These functionalities empower attackers to bypass conventional authentication and fraud detection mechanisms by operating directly within the victim’s legitimate session.

Emerging Threats in the Cyber Landscape

The emergence of Albiriox coincides with the introduction of another Android MaaS tool, codenamed RadzaRat. This tool masquerades as a legitimate file management utility but unleashes extensive surveillance and remote control capabilities once installed. First advertised on November 8, 2025, in an underground cybercrime forum, RadzaRat is positioned as an accessible remote access solution requiring minimal technical expertise for deployment.

RadzaRat’s capabilities include file system access (browsing directories, searching for specific files, and downloading data from the compromised device), keystroke logging through abused accessibility services, and command-and-control over Telegram.

To ensure persistence, RadzaRat requests permissions such as RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED and registers a dedicated BootReceiver component so that it launches automatically after a device restart. It also requests REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to keep its background activity from being throttled or killed by the system.
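As an added illustration (not code from Cleafy, Albiriox or RadzaRat), the Python below triages decoded AndroidManifest.xml files for the permission and component combinations the two write-ups describe: an accessibility-service binding (the FLAG_SECURE bypass and keylogging path), the SYSTEM_ALERT_WINDOW overlay permission, a boot receiver, the battery-optimization exemption, and the ability to install further packages (the dropper step). The two manifests and the weights are constructed for this example, and it expects the text manifest produced by a decoder such as apktool rather than the binary AXML inside the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Weighted signals. Each is legitimate on its own (a sync app restarts on
# boot; a launcher draws overlays); the combination is what on-device-fraud
# tooling needs. The weights are an illustrative heuristic, not a standard.
PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw overlays on top of other apps", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("side-load a second-stage APK", 2),
    "android.permission.READ_SMS": ("read SMS, including one-time codes", 2),
    "android.permission.RECEIVE_SMS": ("intercept incoming SMS", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("restart after reboot", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("stay alive in the background", 1),
}
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a notes app that re-registers a sync alarm on boot.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a fake "update" app with the full fraud/RAT permission set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="System Update">
    <activity android:name=".MainActivity"/>
    <service android:name=".UiService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _a(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage(manifest_xml):
    """Score a decoded AndroidManifest.xml and list the signals found."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0
    requested = {_a(p, "name") for p in root.iter("uses-permission")}
    for perm, (why, weight) in PERMISSION_SIGNALS.items():
        if perm in requested:
            findings.append(f"{perm.rsplit('.', 1)[1]}: {why}")
            score += weight
    # A service bound with BIND_ACCESSIBILITY_SERVICE can read every window's
    # view tree and inject input; FLAG_SECURE does not restrict that path.
    for svc in root.iter("service"):
        if _a(svc, "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service {_a(svc, 'name')}: reads the UI tree and injects input")
            score += 4
    # A receiver on (LOCKED_)BOOT_COMPLETED is the persistence hook.
    for rcv in root.iter("receiver"):
        hits = {_a(act, "name") for act in rcv.iter("action")} & BOOT_ACTIONS
        if hits:
            findings.append(f"boot receiver {_a(rcv, 'name')}: persistence via {', '.join(sorted(hits))}")
            score += 1
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage(manifest)
        print(f"{result['package']}: score={result['score']} verdict={result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Two caveats when using this against real samples: a packed dropper (the page mentions the Golden Crypt service) may carry an innocuous manifest and only request the dangerous permissions in the payload it drops, so triage the second stage as well; and a high score is a prompt for dynamic analysis, not a verdict, since legitimate accessibility tools and device-management apps request the same combinations.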

The findings surrounding Albiriox and RadzaRat highlight a concerning trend in the democratization of cybercrime tools, posing significant threats to individual users and organizations alike. As these sophisticated malware solutions evolve, they underscore the urgent need for enhanced security measures and awareness in the digital landscape.
