New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

News Room, published 1 December 2025 (last updated 2025/12/01 at 4:30 AM)

A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a “full spectrum” of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.

The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.

“The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload,” Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.

Albiriox is said to have been first advertised as part of a limited recruitment phase in late September 2025, before shifting to a MaaS offering a month later. There is evidence to suggest that the threat actors are Russian-speaking based on their activity on cybercrime forums, linguistic patterns, and the infrastructure used.

Prospective customers are provided access to a custom builder that, per the developers’ claims, integrates with a third-party crypting service known as Golden Crypt to bypass antivirus and mobile security solutions.

The end goal of the attacks is to seize control of mobile devices and conduct fraudulent actions, all while flying under the radar. At least one initial campaign has explicitly targeted Austrian victims by leveraging German-language lures and SMS messages containing shortened links that lead recipients to fake Google Play Store app listings for apps like PENNY Angebote & Coupons.

Unsuspecting users who click the “Install” button on the lookalike page receive a dropper APK. Once installed and launched, the app prompts them to grant it permission to install apps under the guise of a software update, which leads to the deployment of the main malware.

Albiriox uses an unencrypted TCP socket connection for command-and-control (C2), allowing the threat actors to issue various commands to remotely control the device using Virtual Network Computing (VNC), extract sensitive information, serve black or blank screens, and turn the volume up/down for operational stealth.

It also installs a VNC-based remote access module to allow threat actors to remotely interact with the compromised phones. One version of the VNC-based interaction mechanism makes use of Android’s accessibility services to display all user interface and accessibility elements present on the device screen.

“This accessibility-based streaming mechanism is intentionally designed to bypass the limitations imposed by Android’s FLAG_SECURE protection,” the researchers explained.

“Since many banking and cryptocurrency applications now block screen recording, screenshots, and display capture when this flag is enabled, leveraging accessibility services allows the malware to obtain a complete, node-level view of the interface without triggering any of the protections commonly associated with direct screen-capture techniques.”

Like other Android-based banking trojans, Albiriox supports overlay attacks against a hard-coded list of target applications for credential theft. What’s more, it can serve overlays mimicking a system update or a black screen so that malicious activity can be carried out in the background without attracting any attention.

Cleafy said it also observed a slightly altered distribution approach that redirects users to a fake website masquerading as PENNY, where the victims are instructed to enter their phone number so as to receive a direct download link via WhatsApp. The page currently only accepts Austrian phone numbers. The entered numbers are exfiltrated to a Telegram bot.

“Albiriox exhibits all core characteristics of modern on-device fraud (ODF) malware, including VNC-based remote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting,” Cleafy said. “These capabilities enable attackers to bypass traditional authentication and fraud-detection mechanisms by operating directly within the victim’s legitimate session.”

The disclosure coincides with the emergence of another Android MaaS tool codenamed RadzaRat that impersonates a legitimate file management utility, only to unleash extensive surveillance and remote control capabilities post-installation. The RAT was first advertised in an underground cybercrime forum on November 8, 2025.

“The malware’s developer, operating under the alias ‘Heron44,’ has positioned the tool as an accessible remote access solution that requires minimal technical knowledge to deploy and operate,” Certo researcher Sophia Taylor said. “The distribution strategy reflects a troubling democratization of cybercrime tools.”

Central to RadzaRat is its ability to remotely orchestrate file system access and management, allowing the cybercriminals to browse directories, search for specific files, and download data from the compromised device. It also abuses accessibility services to log users’ keystrokes and uses Telegram for C2.

To achieve persistence, the malware uses RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED permissions, along with a dedicated BootReceiver component, to ensure that it’s automatically launched upon a device restart. Additionally, it seeks the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission to exempt itself from Android’s battery optimization features that may restrict its background activity.
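As an added defender-side example (not code from the Cleafy or Certo reports), the following Python script triages a decoded AndroidManifest.xml for the combination the article describes across the Albiriox dropper, the accessibility-driven screen streaming, and the RadzaRat persistence setup: install/boot/battery-optimization permissions, a receiver registered for BOOT_COMPLETED, and a service bound with BIND_ACCESSIBILITY_SERVICE. It assumes the manifest has already been decoded from binary XML to text (for example with apktool); the sample manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes are namespaced; element tags are not.
A = "{http://schemas.android.com/apk/res/android}"

# Permissions the article ties to the dropper and persistence behaviour.
INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: may install a second-stage APK",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence: relaunch after reboot",
    "android.permission.RECEIVE_LOCKED_BOOT_COMPLETED": "persistence: relaunch before unlock",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence: escape background limits",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest for a fake "file manager" showing the pattern described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_LOCKED_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Collect the suspicious features present in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name")
        if name in INDICATORS:
            findings[name] = INDICATORS[name]
    for svc in root.iter("service"):  # accessibility services must bind with this permission
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings["accessibility_service"] = svc.get(A + "name")
    for rcv in root.iter("receiver"):  # a BootReceiver registers for BOOT_COMPLETED
        if any(a.get(A + "name") == BOOT_ACTION for a in rcv.iter("action")):
            findings["boot_receiver"] = rcv.get(A + "name")
    return findings

def matches_odf_pattern(findings: dict) -> bool:
    """True when an accessibility service is paired with boot-time persistence."""
    return "accessibility_service" in findings and "boot_receiver" in findings
```

Each permission is legitimate for many benign apps, so the verdict is a triage signal for manual review, not a malware verdict on its own.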

“Its disguise as a functional file manager, combined with extensive surveillance and data exfiltration capabilities, makes it a significant threat to individual users and organizations alike,” Certo said.

The findings come as fake Google Play Store landing pages for an app named “GPT Trade” (“com.jxtfkrsl.bjtgsb”) have distributed the BTMOB Android malware and a persistence module referred to as UASecurity Miner. BTMOB, first documented by Cyble back in February 2025, is known to abuse accessibility services to unlock devices, log keystrokes, automate credential theft through injections, and enable remote control.

Social engineering lures built around adult content have also underpinned a sophisticated Android malware distribution network that delivers a heavily obfuscated malicious APK file requesting sensitive permissions for phishing overlays, screen capture, installing other malware, and manipulating the file system.

“It employs a resilient, multi-stage architecture with front-end lure sites that use commercial-grade obfuscation and encryption to hide and dynamically connect to a separate backend infrastructure,” Palo Alto Networks Unit 42 said. “The front-end lure sites use deceptive loading messages and a series of checks, including the time it takes to load a test image, to evade detection and analysis.”
