Emerging Android threat ‘Albiriox’ enables full On‑Device Fraud

Pierluigi Paganini
December 01, 2025

Albiriox is new Android MaaS malware enabling on-device fraud and real-time control. It targets 400+ banking, fintech, crypto, and payment apps.

Albiriox is a new Android malware sold under a malware-as-a-service model on Russian‑speaking cybercrime forums. It provides advanced capabilities for on-device fraud, screen manipulation, and real-time interaction with infected devices. It also includes a hard-coded list of over 400 targeted apps, including banking, fintech, crypto wallets, payment processors, and trading platforms.

Albiriox was first observed in September 2025 during a closed beta for high‑reputation forum members, and it became a public MaaS offering in October 2025. The malicious code incorporates a VNC-based remote access module for direct device manipulation and a still-developing overlay system designed for credential theft. Despite being in early development, it already shows advanced evasion, dynamic control capabilities, and wide targeting across financial applications. Promotional posts, Telegram discussions, and initial APK samples reveal a structured and rapidly evolving project. The malware was sold on a subscription model starting at $650 per month until October 21st, 2025, increasing to $720 afterwards. Albiriox is positioned to grow quickly among threat actors seeking scalable mobile fraud tools.

Early Albiriox campaigns were identified during the malware’s beta phase and were likely operated by a single high‑reputation affiliate. The campaign specifically targeted Austrian users, using German‑language SMS messages with shortened links leading to fraudulent sites. The first version impersonated the Google Play Store and lured victims into downloading a fake “Penny Market” app, delivering a dropper APK from attacker‑controlled servers.

Shortly afterward, the distribution method evolved. Instead of offering the APK directly, the landing page required users to enter their phone number, claiming the download link would be sent via WhatsApp. The updated flow included selecting a fuel provider, spinning a fake “wheel of fortune,” and submitting a number. JavaScript checks ensured only Austrian numbers were accepted, and all collected data was sent to the attackers’ Telegram bot.

Albiriox uses techniques typical of modern Android banking malware, including VNC-based remote control and overlay attacks. In early campaigns, victims received a fake “Penny Market” app acting as a dropper. The dropper uses JSONPacker for obfuscation and immediately launches a fake System Update screen to obtain critical permissions, especially “Install Unknown Apps.” Once granted, it installs the final Albiriox payload, allowing the malware to bypass static detection.

The malware contains a hardcoded list of over 400 targeted apps (banking, fintech, payment, crypto, wallets, and trading) stored in an internal AppInfos class used to trigger overlays and harvest credentials.

Albiriox communicates with its C2 using unencrypted TCP sockets. On startup, it sends a handshake containing device identifiers (HWID, model, OS version). Communication relies on structured JSON messages and a ping/pong heartbeat to maintain persistent control.

The command set reveals extensive device‑level capabilities designed for On‑Device Fraud (ODF). Core features include a VNC module for real‑time control, UI automation (click, swipe, text), fraud‑oriented functions (password extraction, accessibility manipulation), stealth tools (black‑screen overlays, volume control), app management, and continuous C2 synchronization. Collectively, these capabilities enable attackers to take full remote control of the device and execute fraudulent transactions directly inside legitimate apps while remaining invisible to the victim.
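The C2 protocol described above (a cleartext handshake carrying device identifiers over a raw TCP socket, then a ping/pong heartbeat) is the kind of pattern a network defender can hunt for without any knowledge of the command set. The following detector is an added example written for this article; it is not code from Cleafy's report or from the malware. The JSON field names (`hwid`, `model`, `os`, `type`) and the sample payloads are assumptions constructed for illustration, since the report does not publish Albiriox's actual message schema; adapt the key set to whatever the real samples use.

```python
"""Heuristic detector for plaintext JSON C2 sessions of the kind described
in the article: a handshake that fingerprints the device, followed by a
sustained ping/pong heartbeat, all over an unencrypted TCP socket.

ASSUMPTION: the JSON keys below are placeholders chosen for this example,
not the real Albiriox schema.
"""
import json
from collections import defaultdict

# Constructed sample of reassembled TCP payloads: (source, destination, bytes).
# This is NOT real Albiriox traffic; it only mirrors the shape the report describes.
SAMPLE_FLOWS = [
    ("10.0.0.7:51234", "203.0.113.5:4444",
     b'{"type":"handshake","hwid":"abc123","model":"Pixel 7","os":"14"}'),
    ("203.0.113.5:4444", "10.0.0.7:51234", b'{"type":"ok"}'),
    ("203.0.113.5:4444", "10.0.0.7:51234", b'{"type":"ping"}'),
    ("10.0.0.7:51234", "203.0.113.5:4444", b'{"type":"pong"}'),
    ("203.0.113.5:4444", "10.0.0.7:51234", b'{"type":"ping"}'),
    ("10.0.0.7:51234", "203.0.113.5:4444", b'{"type":"pong"}'),
    # TLS-looking bytes: not JSON, so the parser ignores them.
    ("10.0.0.7:51900", "198.51.100.9:443", b"\x16\x03\x01\x02\x00\x01\x00"),
    # Benign cleartext JSON without a device fingerprint or heartbeat.
    ("10.0.0.7:52000", "192.0.2.8:8080", b'{"id":1,"value":"weather"}'),
]

# Assumed identifier keys that, appearing together, look like a device handshake.
DEVICE_ID_KEYS = {"hwid", "model", "os"}
# Minimum matched ping/pong pairs before a session counts as a heartbeat.
HEARTBEAT_THRESHOLD = 2


def parse_json_payload(raw):
    """Return the payload as a dict if it is plaintext JSON, else None."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def score_flows(flows):
    """Aggregate per endpoint pair: did we see a fingerprint handshake,
    and how many pings/pongs were exchanged. Both directions of a
    conversation are folded onto one key."""
    stats = defaultdict(lambda: {"handshake": False, "pings": 0, "pongs": 0})
    for src, dst, raw in flows:
        obj = parse_json_payload(raw)
        if obj is None:
            continue
        entry = stats[tuple(sorted((src, dst)))]
        if DEVICE_ID_KEYS.issubset(obj.keys()):
            entry["handshake"] = True
        msg_type = obj.get("type")
        if msg_type == "ping":
            entry["pings"] += 1
        elif msg_type == "pong":
            entry["pongs"] += 1
    return dict(stats)


def flag_suspicious(flows, heartbeat_threshold=HEARTBEAT_THRESHOLD):
    """Return endpoint pairs where a cleartext device-fingerprint handshake
    was followed by at least `heartbeat_threshold` ping/pong pairs."""
    flagged = []
    for pair, entry in score_flows(flows).items():
        if entry["handshake"] and min(entry["pings"], entry["pongs"]) >= heartbeat_threshold:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for pair in flag_suspicious(SAMPLE_FLOWS):
        print("suspicious plaintext C2 pattern between", pair)
```

The detector deliberately keys on behaviour (identifiers plus a keepalive cadence in the clear) rather than on any hard-coded port or hostname, so it survives infrastructure changes; in production the `flows` input would come from reassembled TCP streams rather than an inline list.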

“The most prominent feature confirmed is Albiriox’s ability to operate as a full Remote Controller. This capability enables TAs to have real-time, unauthorized access and visual monitoring of the victim’s device. It mirrors legitimate remote access technologies (such as VNC or similar services), enabling a live stream of the device display and allowing the operator to interact with the device remotely.” reads the report published by Cleafy. “Such behavior is strongly indicative of a mobile Remote Access Trojan (RAT) or a highly sophisticated banking Trojan that relies on session hijacking and on-device fraud.”

Researchers captured an active Albiriox infection showing its dual VNC modes: a standard visual stream and an Accessibility‑based AC VNC mode. AC VNC provides a full UI‑node view that bypasses Android’s FLAG_SECURE restrictions, allowing the malware to observe protected banking and crypto apps that normally block screenshots or screen recording.

Albiriox also implements multiple overlay types: a fake System Update screen, a full black screen to hide fraudulent activity during VNC control, and generic overlays triggered when targeted financial apps are opened. These overlays support credential theft, conceal attacker actions, and maintain user deception.

To evade detection, the malware’s operators advertise a custom Builder that integrates the well‑known Golden Crypt crypting service, enabling Albiriox to be packaged in a “Fully Undetectable” form.

“Beyond the recruitment messages and the initial beta-stage announcements presented in the “From private beta to public MaaS” chapter, Cleafy’s monitoring activities uncovered an additional discussion thread tied to the Albiriox developers. In this conversation, a forum user explicitly asked whether the malware was FUD (Fully Undetectable), a common indicator of interest among TAs seeking tools capable of bypassing antivirus and mobile security solutions.” continues the report. “In response, the Albiriox developers clarified that they provide a custom Builder as part of their MaaS offering.”

This reinforces its positioning as a stealth‑focused MaaS offering with layered evasion, two‑stage delivery, and accessibility‑driven device takeover.

“Albiriox exhibits all core characteristics of modern On-Device Fraud (ODF) malware, including VNC-based remote control, accessibility-driven automation, targeted overlays, and dynamic credential harvesting. These capabilities enable attackers to bypass traditional authentication and fraud-detection mechanisms by operating directly within the victim’s legitimate session.” concludes the report. “In conclusion, Albiriox represents a rapidly evolving threat that exemplifies the broader shift toward ODF-focused mobile malware.”
