New Android malware lets criminals control your phone and drain your bank account

Albiriox is a new family of Android banking malware that gives attackers live remote control over infected phones, letting them quietly drain bank and crypto accounts during real sessions.

Researchers have analyzed a new Android malware family called Albiriox, which is developing rapidly and already has strong capabilities. Albiriox is sold as Malware-as-a-Service (MaaS), meaning entry-level cybercriminals can simply rent access and launch their own fraud campaigns. It was first observed in September 2025, when its operators started a limited recruitment phase.

Albiriox is an Android Remote Access Trojan (RAT) and banking Trojan built for on-device fraud, where criminals perform transactions directly on the victim’s phone instead of just stealing passwords. It has a structured architecture with loaders, command modules, and control panels tailored to financial apps and cryptocurrency services worldwide.

In one early campaign, Albiriox targeted Austria. But unlike older mobile malware that focused on a single bank or country, Albiriox already targets hundreds of banking, fintech, payment, and crypto apps across multiple regions. Its internal application-monitoring database included more than 400 applications.

Since it’s a MaaS service, attackers can distribute Albiriox in any way they like. The usual methods are through fake apps and social engineering, often via smishing or links that impersonate legitimate brands or app stores. In at least one campaign, victims were lured with a bogus retailer app that mimicked a Google Play download page to trick them into installing a malicious dropper.

The first app victims see is usually just a loader that downloads and installs the main Albiriox payload after gaining extra permissions. To stay under the radar, the malware uses obfuscation and crypting services to make detection harder for security products.

What makes Albiriox stand out?

Albiriox combines several advanced capabilities that work together to give attackers almost the same control over your phone as if they were holding it in their hands:

  • Live remote control: The malware streams the device screen to the attacker, who can tap, swipe, type, and navigate in real time.
  • On‑device fraud tools: Criminals can open your banking or crypto apps, start transfers, and approve them using your own device and session.
  • Accessibility abuse: It misuses Android Accessibility Services to automate clicks, read on‑screen content, and bypass some security prompts.
  • Overlay attacks (under active development): It can show fake login or verification screens on top of real apps to harvest credentials and codes, with templates that are being refined.
  • Blackscreen masking: The malware can show a black or fake screen while the attacker operates in the background, hiding fraud from the user.

The live remote control session is hidden behind this masking, so victims don’t notice anything is going on.

Because the fraud happens on the victim’s own device and session, criminals can often bypass multi-factor authentication and device-fingerprinting checks.

How to stay safe

If you notice strange behavior on your device, or spot apps with generic names that include “utility,” “security,” “retailer,” or “investment” that you don’t remember installing from the official Play Store, run a full system scan with a trusted Android anti-malware solution.

But prevention is better:

  • Only install apps from official app stores whenever possible and avoid installing apps promoted in links in SMS, email, or messaging apps.
  • Before installing finance‑related or retailer apps, verify the developer name, number of downloads, and user reviews rather than trusting a single promotional link.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Scrutinize permissions. Does an app really need the permissions it’s requesting to do the job you want it to do? Be especially wary if it asks for accessibility, SMS, or camera access.
  • Keep Android, Google Play services, and all banking or crypto apps up to date so you get the latest security fixes.
  • Enable multi-factor authentication on banking and crypto services, and prefer app‑based or hardware‑based codes over SMS where possible. And if possible, set up account alerts for new payees, large transfers, or logins from new devices.
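Two of the points above, the accessibility abuse described under “What makes Albiriox stand out?” and the advice to avoid sideloaded apps and to scrutinize accessibility permissions, can be checked from a workstation with adb. The script below is an added example written for this article, not code from the researchers or from Malwarebytes; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags third-party packages that both came from outside Google Play and have an enabled accessibility service. The package names, the sample adb output, and the `--live` flag are all constructed for the example.

```shell
#!/usr/bin/env bash
# Triage helper (hypothetical): find sideloaded apps that hold an enabled
# Android accessibility service, the combination a banking RAT relies on.
set -e

TRUSTED_INSTALLER="com.android.vending"   # Google Play's package name

# Constructed sample of `settings get secure enabled_accessibility_services`
# (entries are package/service, separated by ':').
SAMPLE_ACCESSIBILITY='com.example.utilityapp/com.example.utilityapp.svc.AccessService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Constructed sample of `pm list packages -3 -i` (third-party apps with installer).
SAMPLE_PACKAGES='package:com.example.utilityapp  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.retailer  installer=com.google.android.packageinstaller'

# Print one package name per line for every enabled accessibility service.
list_accessibility_packages() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | cut -d/ -f1 \
        | sed '/^null$/d;/^$/d' | sort -u
}

# Print third-party packages whose installer is anything other than Google Play
# (installer=null means adb or an unknown source; other values are sideload paths).
sideloaded_packages() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v trusted="$TRUSTED_INSTALLER" '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) inst = substr($i, 11)
            if (inst != trusted) print pkg
        }'
}

# Intersection: sideloaded AND accessibility-enabled. Worth a closer look.
flag_risky() {
    acc=$(list_accessibility_packages "$1")
    sideloaded_packages "$2" | while IFS= read -r pkg; do
        if printf '%s\n' "$acc" | grep -qxF "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    # Pull real values from a connected device.
    flag_risky "$(adb shell settings get secure enabled_accessibility_services)" \
               "$(adb shell pm list packages -3 -i)"
else
    printf 'Sideloaded packages with an enabled accessibility service (sample data):\n'
    flag_risky "$SAMPLE_ACCESSIBILITY" "$SAMPLE_PACKAGES"
fi
```

On the sample data only `com.example.utilityapp` is flagged: the retailer app is sideloaded but has no accessibility service, and the bank app came from Play. A hit is a prompt to inspect the app (and, if it is unknown, to uninstall it and scan), not proof of infection, since screen readers and some automation tools legitimately use accessibility services.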
