Security researchers have identified a new Android malware targeting banking information and crypto wallets. Dubbed Albiriox, the malware is distributed via infected APKs that trick victims into believing they are downloading legitimate applications.
Cleafy detected the Android malware in September 2025, being traded on Telegram hacking channels.
Albiriox Android RAT implements Malware-as-a-Service infrastructure.
According to the Cleafy Threat Intelligence team, the apps are part of a Malware-as-a-Service (MaaS) infrastructure offered by cybercriminals on underground hacking forums.
However, the MaaS offering for the beta version was only available to “high-reputation” hackers. The developer had also yet to settle on a monthly rental price, floating $2000 per month at one point and $600-$800 at another.
They later offered a discounted rental price of $650 per month until October 21st, 2025, after which it would increase to $720 per month.
According to the researchers, the infected apps are distributed via social engineering lures involving text messages containing shortened links that redirect victims to a fake Google Play Store website.
However, later distribution campaigns leveraged WhatsApp links after prompting users to provide their phone numbers, with Australian users specifically targeted.
“Analysis of the underlying JavaScript reveals that only Austrian phone numbers are accepted (isValidAustrianNumber function), and submitted data is forwarded directly to a Telegram bot controlled by the TAs.”
The threat actors also avoided direct installation by using the fake Penny application to drop the main Albiriox Android malware.
Once installed and executed, the dropper displays the fake System Update interface to trick the user into granting the required permissions, specifically the “Install Unknown Apps” permission.
So far, the Albiriox Android malware targets over 400 banking, fintech, payment processing, cryptocurrency, and trading applications, which are hardcoded into a Java ArrayList. Crypto and banking accounted for more than two-thirds of the targeted apps.
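A hardcoded list of hundreds of finance-app package names is a static artifact an analyst can hunt for when triaging a decompiled sample. The script below is an added example, not code from Cleafy or from the article: it pulls string literals out of `.add("...")` calls in decompiled Java source and flags a class whose list is large and dominated by finance-related package names. The decompiled fragment, the placeholder package names, the keyword list and the thresholds are all constructed for illustration.

```python
"""Static triage heuristic for a hardcoded target-app list.

Added example (not Cleafy's or the article's code). Scans decompiled Java
source for string literals added to a List and flags classes whose list is
dominated by finance-related package names, the pattern the article
describes. All sample data below is constructed; no real app is named.
"""
import re
from dataclasses import dataclass

# Keywords commonly found in finance/crypto package names (assumption;
# replace with your own intelligence feed in practice).
FINANCE_KEYWORDS = (
    "bank", "pay", "wallet", "crypto", "coin", "trade", "trading",
    "exchange", "fintech", "money", "cash", "invest", "broker",
)

# Matches list.add("com.example.app") style calls in decompiled Java.
ADD_LITERAL_RE = re.compile(r'\.add\(\s*"([A-Za-z0-9_.]+)"\s*\)')

# A plausible Android package name: at least two dot-separated segments.
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$", re.IGNORECASE)


@dataclass
class TriageResult:
    total_packages: int
    finance_packages: int
    finance_ratio: float
    suspicious: bool


def extract_added_packages(java_source: str) -> list[str]:
    """Return string literals passed to .add() that look like package names."""
    return [s for s in ADD_LITERAL_RE.findall(java_source) if PACKAGE_RE.match(s)]


def is_finance_package(pkg: str) -> bool:
    """Keyword match on the lower-cased package name."""
    lowered = pkg.lower()
    return any(kw in lowered for kw in FINANCE_KEYWORDS)


def triage_target_list(java_source: str, min_packages: int = 20,
                       min_ratio: float = 0.5) -> TriageResult:
    """Flag a class that builds a large list dominated by finance package names.

    Thresholds are assumptions for this example. A legitimate app rarely embeds
    dozens of third-party banking package names, so a long, finance-heavy list
    is a lead worth a closer look, not a verdict on its own.
    """
    pkgs = extract_added_packages(java_source)
    finance = [p for p in pkgs if is_finance_package(p)]
    ratio = len(finance) / len(pkgs) if pkgs else 0.0
    return TriageResult(
        total_packages=len(pkgs),
        finance_packages=len(finance),
        finance_ratio=ratio,
        suspicious=len(pkgs) >= min_packages and ratio >= min_ratio,
    )


def build_sample_source() -> str:
    """Constructed decompiled fragment standing in for a real target list.

    Every package name here is a placeholder, not an existing application.
    """
    finance = [f"com.examplebank{i}.mobile" for i in range(16)]
    finance += [f"io.examplecrypto{i}.wallet" for i in range(8)]
    benign = ["com.example.weather", "org.example.notes"]
    lines = ["java.util.List<String> targets = new java.util.ArrayList<>();"]
    lines += [f'targets.add("{p}");' for p in finance + benign]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage_target_list(build_sample_source())
    print(f"{result.total_packages} packages, {result.finance_packages} finance-like "
          f"({result.finance_ratio:.0%}); suspicious={result.suspicious}")
```

The heuristic only sees plain string literals, so a sample that builds its target list from encrypted or concatenated strings will slip past it; in that case the same check is better run over strings recovered at runtime or after deobfuscation.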
“This broad spectrum of targets provides strong evidence that Albiriox is designed to operate as a fully-fledged banking Trojan, capable of supporting global ODF campaigns,” the researchers warned.
Android malware can transact without user interaction.
The apps can commit On-Device Fraud (ODF) activities, such as transacting on legitimate mobile banking apps or transferring cryptocurrency without user interaction. Cleafy researchers assessed that the Android RAT could achieve full Remote Controller capabilities, providing threat actors with real-time and unrestricted access.
“The malware’s design clearly reflects this objective, prioritizing Full Device Takeover, Real-Time Interaction, and the ability to perform unauthorized operations while remaining undetected by the user,” the researchers explained.
It implements VNC-based Remote Access for device control and Overlay Attack for credential harvesting. It implements blank and black-screen overlays to prevent users from detecting fraudulent activity.
Other capabilities include device automation commands, such as click, swipe, text, back, home, recent, and power, which let the operator interact with the device remotely. It also exposes commands such as get_phone_password, clear_phone_password, live_key, live_key_stop, and set_vnc_mode.
Albiriox Android malware can also uninstall, launch, and manage installed apps, enabling it to execute malicious apps and remove others that threaten to expose its malicious activities.
Nevertheless, it does not encrypt its command-and-control traffic: it communicates with the C2 servers over an unencrypted TCP socket, making its traffic easy to intercept and analyze.
According to the researchers, it transmits device identifiers such as Hardware ID (HWID), device model, and Android OS version to register the device on its botnet network.