A new Android malware family, promoted as a Malware-as-a-Service (MaaS), has surfaced on Russian-speaking cybercrime forums, offering full device takeover and real-time fraud capabilities.
Known as Albiriox, the malware is designed to support On-Device Fraud (ODF) and already targets more than 400 banking and cryptocurrency applications worldwide, according to an analysis published by the Cleafy Threat Intelligence team.
A fast-growing Android threat with remote control and credential-harvesting features, Albiriox moved from a private beta in September 2025 to a public MaaS model introduced in October.
Forum posts show operators marketing the malware’s accessibility-based VNC module, which allows attackers to interact with an infected device remotely. Subscription access launched at $650 per month before rising to $720 after October 21.
Early Campaigns Point to Targeted Rollout
The first observed deployment wave appeared limited in scope. One campaign targeted Austrian mobile users via SMS links that led to German-language phishing pages. Victims were initially directed to a fake Google Play site that distributed a malicious “Penny Market” app, which served as a dropper for the final Albiriox payload.
Later, attackers shifted to a phone-number collection scheme that delivered download links via WhatsApp, filtering inputs to accept only Austrian numbers.
Researchers found that the dropper used JSONPacker to obfuscate the underlying code, prompting victims to enable the “Install Unknown Apps” permission before installing Albiriox. Once active, the malware connects to its command server over an unencrypted TCP channel and registers the device using hardware and OS identifiers.
Read more on Android banking malware: Android Devices Targeted By KONNI APT in Find Hub Exploitation
The investigation shows Albiriox supports a wide set of fraud-enabling functions, including:
-
Real-time screen streaming via VNC and accessibility-based views
-
Black-screen and system-update overlays
-
UI automation such as clicks, swipes, text input and app launches
Operators Prioritize Evasion
Cleafy also identified forum discussions in which buyers asked whether Albiriox was fully undetectable. The developers responded by highlighting a custom builder that integrates the Golden Crypt crypting service to evade static scanning.
The firm concluded that Albiriox reflects an accelerating shift toward ODF-focused mobile malware. With its MaaS model, two-stage delivery chain and broad targeting list, analysts expect the malware to mature quickly and pose a growing risk to financial institutions worldwide.
“This multi-dimensional visibility enables financial institutions to detect compromise at the earliest stages of the attack chain and enforce precise, context-aware response policies before fraud is executed,” Cleafy wrote.
“As mobile banking threats continue to mature, the ability to orchestrate these indicators into actionable defenses will prove essential for staying ahead of this emerging class of Android malware.”
