Albiriox: A New Android Malware Capable of Taking Full Control of User Devices

As digital technologies evolve, cybercriminals continue to advance their tools just as rapidly. One of the most alarming recent threats targeting Android users is Albiriox, a newly discovered malware family that combines banking fraud capabilities with full remote access functionality.

Identified by researchers at Cleafy, Albiriox enables attackers to gain complete control over infected devices, bypass security protections, and drain financial accounts through real-time interaction.

A New Player in the MaaS Market

Albiriox first surfaced on underground cybercrime forums in September 2025 in a closed beta phase. By October, it became publicly available as a Malware-as-a-Service (MaaS) offering.

Investigators believe the project is managed by a Russian-speaking threat group that aggressively marketed the malware. Access to the full toolkit—including command panel, remote control features, and automation modules—was sold for approximately $650 per month.

More Than a Trojan: A Full Remote-Control System

Albiriox’s most dangerous capability lies in its use of VNC (Virtual Network Computing) to stream the victim’s screen directly to the attacker. This allows cybercriminals to:

  • manually perform banking operations,
  • bypass security checks,
  • confirm transactions without the user’s knowledge.

This method represents a form of On-Device Fraud (ODF), where fraudulent activity is carried out directly on the victim’s device.
As a result, Albiriox can easily circumvent device fingerprinting, biometric checks, and two-factor authentication (2FA).

Two-Stage Infection Chain

The distribution strategy behind Albiriox combines social engineering with a multi-step dropper.

1. Social Engineering

Victims receive SMS or WhatsApp messages containing shortened links promoting discounts or prizes. These links redirect to fake Google Play pages.

2. Dropper Installation

Early campaigns in Austria distributed a fraudulent “Penny Market” app. Once installed, it serves as the dropper for Albiriox.

3. Payload Delivery

The dropper requests permission to install unknown apps and retrieves the final malicious payload from a C2 server.

Recent variants add a new layer of filtering: users are asked to enter their phone numbers through WhatsApp bots, allowing attackers to target specific regions more precisely.

Stealth and Deep Control

To remain undetected and maximize control, Albiriox uses:

  • Golden Crypt obfuscation to stay fully invisible to static antivirus detection,
  • JSONPacker to hide internal structures,
  • Android Accessibility Services to execute overlay attacks, keylogging, and input manipulation,
  • a hardcoded target list of more than 400 banking, payment, and cryptocurrency apps.

These features collectively position Albiriox as one of the most advanced Android-based financial fraud tools currently in circulation.
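The two device-side footholds described above, the dropper's install-unknown-apps grant and the enabled Accessibility Service, are both visible through standard ADB queries. The following triage helper is an added example (not Cleafy's or the malware authors' code) that parses constructed sample output of `settings get secure enabled_accessibility_services` and `appops get <pkg> REQUEST_INSTALL_PACKAGES`; the allowlist and the package name com.example.pennymarket are hypothetical.

```python
import re

# Constructed allowlist: accessibility services a managed fleet is expected to have.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs; the second package
# name is a hypothetical stand-in for a sideloaded dropper.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.pennymarket/.AccessService"
)

# Constructed sample of `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES`,
# keyed by package (the grant a dropper needs to sideload the final payload).
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.pennymarket": "REQUEST_INSTALL_PACKAGES: allow; time=+12m4s ago",
}

_APPOP_RE = re.compile(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)")


def enabled_accessibility_packages(raw):
    """Parse the settings value into the set of packages owning an enabled service."""
    return {entry.split("/", 1)[0] for entry in raw.strip().split(":") if entry}


def may_install_packages(appops_output):
    """True when the sideloading app op is in the 'allow' state."""
    match = _APPOP_RE.search(appops_output)
    return bool(match) and match.group(1) == "allow"


def triage(accessibility_raw, appops_by_pkg, allowed=ALLOWED_ACCESSIBILITY):
    """Flag non-allowlisted packages; both grants together match the dropper-plus-RAT pattern."""
    findings = {}
    for pkg in sorted(enabled_accessibility_packages(accessibility_raw)):
        if pkg in allowed:
            continue
        reasons = ["accessibility service enabled"]
        if may_install_packages(appops_by_pkg.get(pkg, "")):
            reasons.append("REQUEST_INSTALL_PACKAGES allowed")
        findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_APPOPS).items():
        print(pkg, "->", ", ".join(reasons))
```

On a real device, feed the helper the live output of the two ADB commands and review any package that carries both reasons first.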

Technical Profile

Feature                 Details
Malware Type            Android Banking Trojan / Remote Access Trojan (RAT)
Distribution Model      Malware-as-a-Service
Primary Techniques      ODF, overlay attacks, VNC screen streaming
Target Scope            400+ banking & crypto applications
Evasion Methods         Golden Crypt, JSONPacker, two-stage dropper
Command & Control       Unencrypted TCP socket using JSON commands

Impact and Global Risk

Albiriox’s rapid development, VNC streaming, deep accessibility manipulation, and ability to operate behind black-screen overlays elevate it into a high-risk category for banks and Android users worldwide.
Its continuous updates and professional structuring suggest the involvement of an experienced cybercriminal group aiming to dominate the mobile fraud ecosystem.

Once the malware is installed, the attacker effectively becomes the new owner of the device, operating freely while the user remains unaware.