Albiriox Malware Unleashed: A New Threat to 400+ Financial Apps
- John Jordan

A new and sophisticated Android malware, dubbed Albiriox, has emerged, operating under a malware-as-a-service (MaaS) model. This threat is designed to facilitate on-device fraud (ODF) and screen manipulation, granting attackers extensive control over infected devices. Albiriox embeds a hard-coded list of over 400 applications, primarily targeting financial institutions, including banking, fintech, cryptocurrency exchanges, and payment processors.
Key Takeaways
Albiriox is a new Android malware sold as a service (MaaS).
It targets over 400 financial and cryptocurrency applications.
The malware enables on-device fraud (ODF) and real-time screen control.
Distribution involves social engineering, fake apps, and dropper APKs.
Attackers use VNC and accessibility services for remote device manipulation.
Evidence suggests Russian-speaking threat actors are behind the operation.
The Stealthy Invader: Albiriox's Arsenal
Albiriox operates by leveraging dropper applications distributed through social engineering. These droppers, often disguised as legitimate apps (for example, a fake "PENNY Angebote & Coupons" app), trick users into granting permissions, including the ability to install apps from unknown sources, under the guise of a software update. Once those permissions are granted, the main Albiriox payload is installed.
The malware uses a Virtual Network Computing (VNC)-based remote access module that lets threat actors control infected devices remotely, including real-time interaction, screen streaming, and command execution. To bypass protections such as screen-recording blocks, Albiriox abuses Android's accessibility services, which let it capture the entire user interface without triggering those protections.
Evading Detection and Spreading
To evade static detection, Albiriox employs packing techniques and integrates with a third-party crypting service known as Golden Crypt. This makes the malware appear "Fully Undetectable" (FUD) to many antivirus and mobile security solutions. Initial campaigns have been observed targeting Austrian users, using German-language lures and SMS messages containing shortened links that lead to fake app listings.
Albiriox also supports overlay attacks, mimicking legitimate app interfaces to steal user credentials. It can display black screens or fake system updates to conceal malicious activities performed in the background. The malware communicates with its command-and-control (C2) servers using unencrypted TCP sockets, sending sensitive information and receiving commands.
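As an added illustration (not code from the original article or from any of the cited reports), the following Python triage script checks a decoded AndroidManifest.xml for the declarations that the capabilities described in the two preceding sections require: the unknown-source install permission used by the dropper stage, an accessibility service, the overlay permission, and network access for the TCP C2 channel and VNC streaming. The permission and action names are standard Android identifiers; the sample manifest and the risk thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capabilities described for Albiriox, mapped to the standard Android manifest
# permissions an app must declare to obtain them.
INDICATORS = {
    "install_unknown_sources": "android.permission.REQUEST_INSTALL_PACKAGES",  # dropper stage
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",  # overlays, black screens
    "network": "android.permission.INTERNET",  # TCP C2 and VNC streaming
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability indicators found in a decoded AndroidManifest.xml
    plus a coarse risk label (constructed thresholds, for triage only)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {key for key, perm in INDICATORS.items() if perm in perms}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter carries the AccessibilityService action.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM and any(
            a.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION for a in svc.iter("action")
        ):
            found.add("accessibility_service")
    # Accessibility + overlay + network is the combination behind the screen
    # control and overlay fraud described above, so it is rated high.
    if {"accessibility_service", "overlay", "network"} <= found:
        risk = "high"
    elif "accessibility_service" in found or "install_unknown_sources" in found:
        risk = "medium"
    else:
        risk = "low"
    return {"indicators": sorted(found), "risk": risk}


# Constructed sample manifest (not a real Albiriox artefact): a dropper-style app
# that asks for unknown-source installs and declares an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".UiService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service></application>
</manifest>"""
```

Legitimate apps such as screen readers and password managers also declare accessibility services, so treat the result as a triage signal to weigh together with the distribution context (SMS lure, sideloaded APK, fake update prompt) rather than as a verdict.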
Democratizing Cybercrime
The MaaS model behind Albiriox lowers the barrier to entry for cybercriminals, offering a sophisticated toolkit for a subscription fee. This approach allows less technically skilled actors to conduct complex financial fraud. The threat actors are believed to be Russian-speaking, based on their activity on cybercrime forums and linguistic patterns.
Albiriox's capabilities, including VNC-based remote control, accessibility-driven automation, and targeted overlays, enable attackers to bypass traditional authentication and fraud-detection mechanisms by operating directly within the victim's legitimate session. This makes it a significant threat to both individual users and financial institutions worldwide.
Sources
New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control, The Hacker News.
Emerging Android threat 'Albiriox' enables full On-Device Fraud, Security Affairs.
Albiriox Android Malware Targets 400+ Financial Apps for Remote Fraud, WebProNews.
Android malware Albiriox abuses 400+ financial apps in on-device fraud and screen manipulation attacks, TechRadar.
New Albiriox Malware Attacking Android Users to Take Complete Control of their Device, CybersecurityNews.