New Albiriox Malware Attacking Android Users to Take Complete Control of their Device

Original source: Cybersecurity News (cybersecuritynews.com), by Blog Writer

A sophisticated new Android malware family dubbed “Albiriox” has emerged on the cybercrime landscape, offering advanced remote access capabilities as a Malware-as-a-Service (MaaS).

Identified by researchers at Cleafy, the malware is designed for On-Device Fraud (ODF): it gives attackers full control of the infected device, so fraudulent transactions are initiated from the victim’s own phone and banking session, sidestepping security measures that key on the device, and the victim’s financial accounts are drained directly.

Albiriox first appeared in September 2025 within exclusive underground forums, transitioning from a private beta phase to a public commercial offering by October.

The operation is believed to be managed by Russian-speaking threat actors who have aggressively marketed the tool. The service was launched with a subscription model, charging affiliates approximately $650 per month to access the malware’s comprehensive toolkit.

Unlike simple credential stealers, Albiriox is engineered for real-time interaction. A VNC (Virtual Network Computing) module streams the victim’s screen to the attacker, who drives the banking app by hand on the victim’s own device, often without the user noticing.

Because the fraudulent session originates from the enrolled handset, checks based on device fingerprinting pass, and one-time codes delivered to that same device by SMS or authenticator app are available to the attacker, which is how the two-factor authentication (2FA) step is circumvented.

Two-Stage Infection Chain

The distribution of Albiriox relies on a deceptive two-stage process designed to evade detection. Early campaigns targeted users in Austria using a fraudulent version of the popular “Penny Market” application. The infection chain typically follows these steps:

  1. Social Engineering: Victims receive SMS messages with shortened links promising discounts or prizes, redirecting them to a fake Google Play Store page.
  2. Dropper Installation: The user downloads a dropper application (e.g., the fake Penny app).
  3. Payload Delivery: Once installed, the dropper asks the user to enable the “Install unknown apps” setting for it (the REQUEST_INSTALL_PACKAGES permission), then fetches the actual Albiriox payload from a command-and-control (C2) server and installs it.

Recent iterations have evolved to include WhatsApp-based lures, requiring users to enter phone numbers to receive download links, further filtering targets to specific regions like Austria.

Albiriox’s architecture focuses on stealth and control. Samples are passed through “Golden Crypt,” a third-party crypting service marketed as making the malware Fully Undetectable (FUD) by static antivirus engines; this defeats signature matching on the packed file, not behavioural detection once the payload runs. Once active, it abuses Android Accessibility Services to execute overlay attacks and keylogging.
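The dropper described in the infection chain above and the accessibility-driven payload leave a recognisable permission footprint in their manifests. The following triage script is an added example written for this page; it is not Cleafy’s tooling nor code from the Albiriox operators. It parses a decoded AndroidManifest.xml (as produced by apktool or similar) and flags the dropper profile (REQUEST_INSTALL_PACKAGES) and the payload profile (a BIND_ACCESSIBILITY_SERVICE service combined with overlay or SMS permissions). The three manifests are constructed samples, the package and service names are invented, and the use of SYSTEM_ALERT_WINDOW as the overlay route is an assumption about typical overlay malware, not a claim about Albiriox itself.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the two stages described in the article.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"        # "Install unknown apps"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"             # assumed overlay route
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def profile_manifest(manifest_xml):
    """Summarise the risky capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Android only binds to accessibility services that declare this
    # permission, so it is a reliable marker for an accessibility service.
    a11y_services = [
        s.get(ANDROID + "name")
        for s in root.iter("service")
        if s.get(ANDROID + "permission") == ACCESSIBILITY_PERM
    ]
    return {
        "package": root.get("package"),
        "can_install_packages": INSTALL_PERM in perms,
        "can_draw_overlays": OVERLAY_PERM in perms,
        "accessibility_services": a11y_services,
        "reads_sms": bool(perms & SMS_PERMS),
    }


def classify(profile):
    """Heuristic: which stage of the chain does this manifest resemble?"""
    if profile["accessibility_services"] and (profile["can_draw_overlays"] or profile["reads_sms"]):
        return "stage2-candidate"    # accessibility + overlay/SMS: ODF payload profile
    if profile["can_install_packages"]:
        return "dropper-candidate"   # can side-load a second APK after install
    return "no-flag"


# Constructed sample manifests (illustrative only, not real Albiriox artefacts).
DROPPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore.discounts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Discounts">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

PAYLOAD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System Update">
    <service android:name="com.example.payload.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in [("dropper", DROPPER_MANIFEST), ("payload", PAYLOAD_MANIFEST), ("benign", BENIGN_MANIFEST)]:
        p = profile_manifest(xml)
        print(f"{name:8s} -> {classify(p):18s} {p}")
```

REQUEST_INSTALL_PACKAGES on its own is common in legitimate installers and third-party app stores, so the dropper flag is a triage hint for a sideloaded “store” app, not a verdict; the accessibility-plus-overlay combination is the stronger signal and is the one worth routing to dynamic analysis.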

The malware comes hardcoded with a target list of over 400 applications. This extensive list includes major traditional banking apps, cryptocurrency wallets, and payment processors worldwide, Cleafy added.

The following table outlines the technical profile of the Albiriox operations observed during the analysis.

Feature               Details
Malware type          Android banking trojan / remote access trojan (RAT)
Distribution model    Malware-as-a-Service (MaaS)
Primary tactics       On-Device Fraud (ODF), overlay attacks, VNC screen streaming
Target scope          400+ financial and cryptocurrency applications
Evasion techniques    “Golden Crypt” crypting service, JSONPacker, two-stage dropper
Command and control   Unencrypted TCP socket carrying JSON-formatted commands

Albiriox’s rapid development cycle suggests it is positioning itself as a dominant tool for financial fraud. Its ability to combine screen streaming with accessibility manipulation enables threat actors to operate invisibly behind black-screen overlays, making it a critical threat to financial institutions and Android users worldwide.

IOCs

Indicator type    Value                             Port / Notes
C2 server IP      194.32.79.94                      TCP 5555 (linked to sample f5b501e3…)
Delivery domain   google-app-download[.]download    Phishing / dropper delivery
Delivery domain   google-get[.]download             Phishing / dropper delivery
Delivery domain   google-aplication[.]download      Phishing / dropper delivery
Delivery domain   play.google-get[.]store           Phishing / dropper delivery
Delivery domain   google-app-get[.]com              Phishing / dropper delivery
Delivery domain   google-get-app[.]com              Phishing / dropper delivery
Delivery domain   google-app-install[.]com          Phishing / dropper delivery
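The indicators above are defanged and split across a C2 socket and a set of lookalike “google” delivery domains. The script below is an added example for this page (not Cleafy’s code or any published detection rule) showing how to turn that table into a retrospective hunt: it refangs the domains, matches DNS queries against them including subdomains, and matches connections against the C2 IP, distinguishing the exact published socket from the same IP on another port. The two log line formats and the sample log entries are constructed for illustration and do not come from any real sensor.

```python
import re

# IOCs exactly as published in the table above (defanged); port from the C2 row.
C2_IP = "194.32.79.94"
C2_PORT = 5555
DELIVERY_DOMAINS_DEFANGED = [
    "google-app-download[.]download",
    "google-get[.]download",
    "google-aplication[.]download",
    "play.google-get[.]store",
    "google-app-get[.]com",
    "google-get-app[.]com",
    "google-app-install[.]com",
]


def refang(indicator):
    """Undo common defanging so the indicator can be compared with live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


DELIVERY_DOMAINS = {refang(d) for d in DELIVERY_DOMAINS_DEFANGED}


def domain_matches(qname):
    """Return the IOC domain if qname equals it or is a subdomain of it, else None."""
    q = refang(qname)
    for ioc in DELIVERY_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Assumed log formats for the constructed sample below (not from any real sensor):
#   "<ts> dns <client_ip> <qname>"
#   "<ts> conn <src_ip> <dst_ip> <dst_port> <proto>"
DNS_RE = re.compile(r"^(\S+) dns (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) conn (\S+) (\S+) (\d+) (\S+)$")


def scan_log(lines):
    """Return (timestamp, host, hit_type, indicator) for every IOC hit."""
    hits = []
    for line in lines:
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            ts, client, qname = m.groups()
            ioc = domain_matches(qname)
            if ioc:
                hits.append((ts, client, "delivery-domain", ioc))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, port, proto = m.groups()
            if dst != C2_IP or proto.lower() != "tcp":
                continue
            # The exact socket from the table is high confidence; the same IP
            # on another port is still worth a lower-confidence note.
            kind = "c2-socket" if int(port) == C2_PORT else "c2-ip-other-port"
            hits.append((ts, src, kind, f"{dst}:{port}"))
    return hits


# Constructed sample log (illustrative only).
SAMPLE_LOG = [
    "2025-10-02T09:14:03Z dns 10.0.0.12 play.google-get.store",
    "2025-10-02T09:14:05Z dns 10.0.0.12 cdn.google-app-get.com",
    "2025-10-02T09:14:20Z dns 10.0.0.12 play.google.com",
    "2025-10-02T09:15:41Z conn 10.0.0.12 194.32.79.94 5555 tcp",
    "2025-10-02T09:15:42Z conn 10.0.0.12 194.32.79.94 443 tcp",
    "2025-10-02T09:16:00Z conn 10.0.0.13 93.184.216.34 443 tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on subdomains matters because delivery infrastructure of this kind is usually reached through hostnames such as a download or CDN label under the registered domain; the legitimate play.google.com query in the sample is not flagged because it is not under any listed domain. The domains here are cheap to rotate, so treat the domain hits as a sign of the campaign rather than as a complete list, and pair them with the C2 socket, which is the indicator that survives a change of lure.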
