Newly Sold Albiriox Android Malware Targets Banks and Crypto Holders – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


A dangerous new mobile threat called Albiriox has emerged, giving criminals a tool to take complete control of victims’ Android phones and steal money directly from their banking or cryptocurrency apps. The Threat Intelligence team at Cleafy, an online fraud detection platform, identified and analysed the emerging threat.

The Rise of a ‘Rental’ Scam

According to Cleafy’s blog post, Albiriox is offered as a Malware-as-a-Service (MaaS) on underground forums, meaning other criminals can rent it to launch their own attacks. Researchers found evidence pointing toward Russian-speaking individuals being behind the operation.

Cleafy first identified the threat in September 2025 during private testing; it became publicly available a month later in October 2025. The project was first discussed in a specific Telegram channel, and the service was reportedly priced at $650 per month, with plans to increase to $720 afterwards.

Official Albiriox Release Announcement (Source: Cleafy)

How the Attack Works

Research reveals that Albiriox is designed for On-Device Fraud (ODF), a technique where attackers perform fraudulent actions directly within a victim’s legitimate apps. This allows criminals to bypass traditional security features by operating inside the device’s own trusted session.

The malware installs through a deceptive two-stage deployment chain to avoid detection. Initially, victims are tricked by social engineering, such as SMS messages, into downloading a fake app, or dropper, impersonating legitimate services like the popular retail app Penny Market. This dropper then quietly installs the main Albiriox malware.

Cleafy quickly saw this method evolve: the landing page began asking users to enter their phone number to receive the download link via WhatsApp. Although the malware is built to attack financial institutions globally, the initial campaigns monitored specifically targeted Austrian users with German-language lures.

Translated Messages from Albiriox’s Telegram Channel During September (Source: Cleafy)

Global Risk for Your Finances

The threat is broad: analysis of the malware’s internal code revealed that it targets over 400 financial and crypto applications worldwide, covering a wide range of banks, payment processors, and digital wallets. This extensive list shows that Albiriox is built to support global fraud operations.

Albiriox combines two key features: a Remote Access tool (RAT) for live control and a separate Overlay Attack mechanism to steal passwords. The RAT uses the phone’s Accessibility features, a function the developers initially advertised as AcVNC, to bypass the security screens that block screenshots in banking apps, effectively letting fraudsters see what the victim is doing.

The developers clarified that terms used by users, like “hVNC” or “screen reader,” are essentially interchangeable and are described as “purely marketing.” The overall goal is a “full device takeover,” giving attackers the power to control the user interface and steal sensitive information while the victim’s screen might be intentionally blanked out.
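The behaviours described above (an Accessibility-based RAT, an overlay mechanism, and a dropper that side-loads a second stage) each depend on capabilities an Android app has to declare in its manifest. The script below is an added example for this article, not Cleafy’s tooling and not derived from Albiriox samples: it parses a decoded AndroidManifest.xml (the kind of text manifest apktool produces) and scores the permission and component combinations a triage analyst would look at first. The two manifests embedded in it are constructed, and the indicator weights and thresholds are an assumption chosen for illustration.

```python
"""Manifest triage for Android banking-trojan indicators.

Added example, not code from the article or from Cleafy. The sample manifests
below are constructed. Hits are triage signals, not verdicts: legitimate apps
(screen readers, launchers, password managers) legitimately use some of these.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicator -> (weight, meaning). Weights are an assumption for this example.
INDICATORS = {
    "accessibility_service": (3, "service bound with BIND_ACCESSIBILITY_SERVICE (reads screen, drives UI)"),
    "overlay": (2, "SYSTEM_ALERT_WINDOW (draws over other apps; overlay phishing)"),
    "install_packages": (2, "REQUEST_INSTALL_PACKAGES (can side-load a second-stage APK)"),
    "sms": (1, "RECEIVE_SMS / READ_SMS (OTP interception)"),
    "foreground_service": (1, "FOREGROUND_SERVICE (persistence while the user looks elsewhere)"),
}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return package name, indicator list and risk score for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = set()
    # Accessibility abuse shows up as a <service> protected by the bind permission.
    for svc in root.iter("service"):
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.add("accessibility_service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.add("overlay")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.add("install_packages")
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.add("sms")
    if "android.permission.FOREGROUND_SERVICE" in perms:
        findings.add("foreground_service")
    score = sum(INDICATORS[f][0] for f in findings)
    return {"package": root.get("package"), "score": score, "findings": sorted(findings)}


def verdict(score):
    """Map a score to a triage bucket (thresholds are an assumption)."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def explain(result):
    """Human-readable lines for an analyst's notes."""
    return [f"{result['package']}: {INDICATORS[f][1]}" for f in result["findings"]]


# Constructed manifest: a first-stage dropper that only needs to install another APK.
DROPPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Shopping"/>
</manifest>
"""

# Constructed manifest: a second-stage payload with RAT, overlay and OTP indicators.
PAYLOAD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".UiService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], verdict(result["score"]), result["score"])
        for line in explain(result):
            print("  -", line)
```

Run on a real decoded manifest, the same function gives the analyst a quick first read of whether an app impersonating a retailer actually needs to install packages, draw over other apps, or bind an Accessibility service; none of those is plausible for a shopping app, which is what makes the combination a useful triage signal.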

“Albiriox represents a rapidly evolving threat that exemplifies the broader shift toward ODF-focused mobile malware,” researchers concluded.

“Albiriox is another sign of how quickly attackers are shifting to a mobile-first attack strategy. Its combination of remote device takeover, real-time fraud capabilities, and a Malware-as-a-Service model makes advanced mobile attacks more accessible than ever,” said Krishna Vishnubhotla, Vice President, Product Strategy at Zimperium, a Dallas, Texas provider of mobile security solutions.

Vishnubhotla warned that “For enterprises, this underscores a critical reality: once a mobile device is compromised, attackers can operate as the user inside trusted apps and in real time. Organisations need on-device mobile security that can detect malicious behaviour before fraud or account takeover occurs.”
