A sophisticated new Android malware family known as “Albiriox” has surfaced in the cybercrime sphere, offering remote access capabilities as a Malware-as-a-Service (MaaS).
Discovered by analysts at Cleafy, the malware is built to perform On-Device Fraud (ODF): it gives attackers full control over compromised devices, letting them circumvent security controls and drain financial accounts.
Albiriox was first detected in September 2025 in exclusive underground forums, evolving from a private beta stage to a public commercial product by October.
The operation is suspected to be overseen by Russian-speaking cybercriminals who have vigorously promoted the tool. The service commenced with a subscription scheme, charging affiliates around $650 per month for access to the malware’s extensive toolkit.
Distinct from basic credential theft tools, Albiriox is built for live interaction. It utilizes a VNC (Virtual Network Computing) module that transmits the victim’s screen directly to the attacker.

This enables criminals to manually carry out banking fraud on the victim’s device, often without the user’s awareness, effectively bypassing device fingerprinting and two-factor authentication (2FA) mechanisms.
Two-Stage Infection Cycle
The proliferation of Albiriox depends on a deceptive two-step approach engineered to avoid detection. Initial campaigns targeted users in Austria with a counterfeit version of the popular “Penny Market” application. The infection cycle generally follows these phases:

- Social Engineering: Victims receive SMS notifications with shortened links promising discounts or rewards, which lead them to a bogus Google Play Store page.
- Dropper Installation: The user downloads a dropper app (e.g., the counterfeit Penny app).
- Payload Delivery: Once installed, the dropper requests the “Install Unknown Apps” permission and retrieves the actual Albiriox payload from a command-and-control (C2) server.
Recent versions have adapted to include WhatsApp-based enticements, requiring users to input phone numbers to receive download links, further refining targets to specific areas such as Austria.
Albiriox’s infrastructure emphasizes stealth and control. It employs “Golden Crypt,” a third-party encryption service, to make the malware Fully Undetectable (FUD) by static antivirus scanners. Once activated, it utilizes Accessibility Services to implement overlay attacks and keylogging.
The malware comes with a built-in target list of over 400 applications. This extensive list features prominent traditional banking applications, cryptocurrency wallets, and payment processors globally, Cleafy noted.
The following table summarizes the technical profile of the Albiriox operation identified during the investigation.
| Feature | Details |
|---|---|
| Malware Type | Android Banking Trojan / Remote Access Trojan (RAT) |
| Distribution Model | Malware-as-a-Service (MaaS) |
| Primary Tactics | On-Device Fraud (ODF), Overlay Attacks, VNC Streaming |
| Target Scope | 400+ Financial & Crypto Applications |
| Evasion Technique | “Golden Crypt” obfuscation, JSONPacker, Two-stage dropper |
| Command & Control | Unencrypted TCP Socket with JSON-based commands |
Albiriox’s swift development cycle indicates it is positioning itself as a prominent tool for financial deception. Its capacity to integrate screen streaming with accessibility manipulation permits threat actors to function covertly behind black-screen overlays, rendering it a significant danger to financial institutions and Android users worldwide.
IOCs
| Indicator Type | Value | Port / Notes |
|---|---|---|
| C2 Server IP | 194.32.79.94 | 5555 (Associated with sample f5b501e3…) |
| Delivery Domain | google-app-download[.]download | Phishing / Dropper Delivery |
| Delivery Domain | google-get[.]download | Phishing / Dropper Delivery |
| Delivery Domain | google-aplication[.]download | Phishing / Dropper Delivery |
| Delivery Domain | play.google-get[.]store | Phishing / Dropper Delivery |
| Delivery Domain | google-app-get[.]com | Phishing / Dropper Delivery |
| Delivery Domain | google-get-app[.]com | Phishing / Dropper Delivery |
| Delivery Domain | google-app-install[.]com | Phishing / Dropper Delivery |
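The indicators above can be operationalised as a small matcher over network logs. The following is an added example, not code from Cleafy's report: it refangs the published domains, flags the C2 socket from the table, and adds a heuristic for Google-brand lookalike hosts. The log line format, the sample traffic and the list of legitimate Google zones are assumptions.

```python
import re

# Indicators from the article's IOC table, kept defanged as published.
IOC_DOMAINS = {
    "google-app-download[.]download", "google-get[.]download",
    "google-aplication[.]download", "play.google-get[.]store",
    "google-app-get[.]com", "google-get-app[.]com", "google-app-install[.]com",
}
C2_ENDPOINT = ("194.32.79.94", 5555)  # unencrypted TCP C2 socket from the article

# Assumption: zones a legitimate Google host resolves under; lookalikes do not.
GOOGLE_ZONES = ("google.com", "googleapis.com", "gstatic.com",
                "googleusercontent.com", "android.com")

def refang(indicator):
    """Restore a defanged indicator such as 'x[.]com' to a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

KNOWN_DOMAINS = {refang(d) for d in IOC_DOMAINS}

def _under(host, zones):
    """True if host equals one of the zones or is a subdomain of one."""
    return any(host == z or host.endswith("." + z) for z in zones)

# Constructed log format (assumption, not from the article):
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <sni_or_host>", '-' when unknown.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")

def classify(line):
    """Return 'c2', 'ioc-domain', 'lookalike', or None for an unmatched line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, dst_ip, dst_port, host = m.groups()
    host = host.lower().rstrip(".")
    if (dst_ip, int(dst_port)) == C2_ENDPOINT:
        return "c2"            # exact C2 IP and port from the IOC table
    if _under(host, KNOWN_DOMAINS):
        return "ioc-domain"    # published delivery domain or a subdomain of it
    if "google" in host and not _under(host, GOOGLE_ZONES):
        return "lookalike"     # brand-abusing host outside Google's own zones
    return None

def scan(lines):
    """Return (verdict, line) pairs for every log line that matches a rule."""
    return [(v, ln) for ln in lines if (v := classify(ln))]

# Constructed sample traffic, not real telemetry.
SAMPLE_LOG = [
    "2025-10-12T09:01:02Z 10.0.0.5 203.0.113.10:443 www.google.com",
    "2025-10-12T09:01:05Z 10.0.0.5 203.0.113.11:443 play.google-get.store",
    "2025-10-12T09:01:09Z 10.0.0.5 194.32.79.94:5555 -",
    "2025-10-12T09:01:14Z 10.0.0.7 203.0.113.12:443 google-app-secure.example",
]
```

Running `scan(SAMPLE_LOG)` flags the delivery domain, the C2 connection and the lookalike host while leaving the genuine Google request alone; the lookalike rule is a triage hint, not a verdict, and should be reviewed against your own allowlist.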