New Albiriox Maas Malware Targets 400+ Apps For On-device Fraud And...
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.

The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.

"The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload," Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.

Albiriox is said to have been first advertised as part of a limited recruitment phase in late September 2025, before shifting to a MaaS offering a month later. There is evidence to suggest that the threat actors are Russian-speaking based on their activity on cybercrime forums, linguistic patterns, and the infrastructure used.

Prospective customers are provided access to a custom builder that, per the developers' claims, integrates with a third-party crypting service known as Golden Crypt to bypass antivirus and mobile security solutions.

The end goal of the attacks is to seize control of mobile devices and conduct fraudulent actions, all while flying under the radar. At least one initial campaign has explicitly targeted Austrian victims by leveraging German-language lures and SMS messages containing shortened links that lead recipients to fake Google Play Store app listings for apps like PENNY Angebote & Coupons.

Unsuspecting users who click the "Install" button on the lookalike page receive a dropper APK. Once installed and launched, the app prompts them to grant it permission to install apps under the guise of a software update, which leads to the deployment of the main malware.

Albiriox uses an unencrypted TCP socket connection for command-and-control (C2), allowing the threat actors to issue various commands to remotely control the device using Virtual Network Computing (VNC), extract sensitive information, serve black or blank screens, and turn the volume up/down for operational stealth.

It also installs a VNC-based remote access module to allow threat actors to remotely interact with the compromised phones. One version of the VNC-based interaction mechanism makes use of Android's accessibility services to display all use
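The two behaviours described above, a dropper that asks for permission to install further packages under the guise of an update, and a payload that binds an accessibility service to drive the screen, both leave traces in an APK's decoded AndroidManifest.xml. The following is an added triage heuristic written for this article; it is not Cleafy's detection logic and not code from the malware. It scores a decoded manifest on the permission and service declarations that the article ties to Albiriox. The three manifests are constructed samples, and the weights and the review threshold are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace inside the manifest; element
# names such as <uses-permission> and <service> do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names. Weights are an assumption for this example:
# REQUEST_INSTALL_PACKAGES matches the dropper's "software update" prompt,
# SYSTEM_ALERT_WINDOW matches black/blank screen overlays, INTERNET is
# needed for the TCP C2 channel, RECEIVE_SMS is a common fraud enabler.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "can prompt the user to sideload further APKs (dropper behaviour)"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "can draw overlays or black screens over other apps"),
    "android.permission.INTERNET": (1, "network access, required for the C2 socket"),
    "android.permission.RECEIVE_SMS": (1, "can read incoming SMS, e.g. one-time codes"),
}
# A service that binds an accessibility service declares this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 3  # assumption: accessibility abuse is the VNC enabler
REVIEW_THRESHOLD = 3      # assumption: score at or above this warrants analyst review


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml; returns findings, score and verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    findings = []
    score = 0
    for perm, (weight, reason) in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"{perm}: {reason}")
            score += weight

    # Services that request the accessibility binding permission.
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]
    if accessibility_services:
        findings.append(f"accessibility service(s) declared: {', '.join(accessibility_services)}")
        score += ACCESSIBILITY_WEIGHT

    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"package": package, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample manifests (not real Albiriox artefacts).
DROPPER_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakecoupons">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Update"/>
</manifest>"""

PAYLOAD_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".RemoteService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (DROPPER_MANIFEST, PAYLOAD_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(f"{result['package']}: score={result['score']} verdict={result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The heuristic is deliberately coarse: legitimate app stores and accessibility tools also declare these permissions, so a "review" verdict is a queue for an analyst, not a block decision. Run it over manifests decoded with apktool or aapt as a first pass when triaging sideloaded APKs from a smishing campaign.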

Source: The Hacker News