New Albiriox Malware Unleashes Massive On-Device Fraud Wave

Albiriox, a newly identified Android malware family, is being advertised under a malware-as-a-service (MaaS) model as providing a “full spectrum” of functionality for on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.

The malware carries a hard-coded target list of approximately 400 applications, covering banking, financial technology (fintech), payment processor, cryptocurrency exchange, digital wallet, and trading apps.

“The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload,” Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.

Albiriox was reportedly marketed first during a limited recruitment phase in late September 2025, before transitioning to a MaaS offering about a month later. Based on the operators’ activity on cybercrime forums, their use of language, and the infrastructure employed, the threat actors appear to be Russian-speaking.

Prospective customers get access to a custom builder (“constructor”) that, according to the developers, works with Golden Crypt, a third-party crypting service used to evade antivirus and mobile security products.

The attackers’ ultimate goal is to take control of mobile devices and carry out fraudulent transactions while remaining undetected. At least one early campaign specifically targeted Austrian users, using German-language lures and SMS messages with shortened links to bogus Google Play Store listings for apps such as PENNY Angebote & Coupons.

Users who clicked the “Install” button on the copycat page received a dropper APK. Once installed and launched, the dropper asks the victim to grant it permission to install apps from unknown sources under the pretext of a software update, and then uses that permission to install the core malware payload.

Albiriox uses an unencrypted TCP socket for command-and-control (C2), over which the operators issue commands to remotely control the device via Virtual Network Computing (VNC), extract sensitive information, display black or blank screens to hide their activity, and adjust the volume for operational stealth. Because the socket carries no transport-layer encryption, the C2 traffic is in principle visible to network monitoring, which is a useful detection angle for defenders.

It also ships a VNC-based remote access module that lets the operators interact with compromised phones in real time. One variant of this module does not rely on capturing screen pixels at all: it uses Android’s accessibility services to read the user-interface elements and their accessibility properties from the foreground window and relays that content to the operator instead of the rendered screen.

“This accessibility-based streaming mechanism is intentionally designed to bypass the limitations imposed by Android’s FLAG_SECURE protection,” the researchers explained.

FLAG_SECURE stops a window’s contents from appearing in screenshots and screen recordings (a MediaProjection capture of such a window yields a black frame), but it does not prevent an enabled accessibility service from reading that window’s view hierarchy. That is why an accessibility-based approach can still expose what a protected banking screen shows, and why apps that rely on FLAG_SECURE should also check which accessibility services are enabled.
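As an added illustration of the gap described above (this is example code written for this article, not code from the Cleafy report or from the malware), the following Android Activity sets FLAG_SECURE and, each time it comes to the foreground, enumerates the enabled accessibility services that declare the ability to retrieve window content. The class name `SecureActivity`, the `TRUSTED_PACKAGES` allowlist, and the package name are assumptions for the example; the Android APIs used (`FLAG_SECURE`, `AccessibilityManager`, `AccessibilityServiceInfo`) are real platform APIs.

```java
// Added example, not from the original report or the malware: a banking-style
// Activity that enables FLAG_SECURE and then checks for accessibility services
// capable of reading window content. FLAG_SECURE only blanks screen capture;
// it does not stop an accessibility service from reading the node tree, which
// is the gap the accessibility-based streaming described above exploits.
// SecureActivity, TRUSTED_PACKAGES and the package name are assumptions.
package com.example.secureapp; // hypothetical package

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class SecureActivity extends Activity {
    private static final String TAG = "SecureActivity";

    // Hypothetical allowlist of accessibility services the app tolerates,
    // e.g. the platform screen reader. Anything else that can read window
    // content is reported so the app can warn, block, or step up authentication.
    private static final Set<String> TRUSTED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"
    ));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Blocks screenshots and screen capture (including MediaProjection) of
        // this window. This is the protection the accessibility-based
        // streaming sidesteps, so it must not be the only control.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-check on every resume: a service can be enabled while the app is
        // in the background.
        List<String> suspicious = findUntrustedContentReaders(this, TRUSTED_PACKAGES);
        if (!suspicious.isEmpty()) {
            Log.w(TAG, "Enabled accessibility services that can read window content: "
                    + suspicious);
            // The policy decision belongs to the app: warn the user, refuse
            // sensitive operations, or require step-up authentication.
        }
    }

    /**
     * Returns the IDs (package/class) of enabled accessibility services that
     * are not on the allowlist and declare CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT.
     * Only services with that capability can read the view hierarchy that
     * FLAG_SECURE leaves unprotected.
     */
    static List<String> findUntrustedContentReaders(Context context, Set<String> trusted) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            boolean canReadContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (canReadContent && !trusted.contains(pkg)) {
                result.add(info.getId());
            }
        }
        return result;
    }
}
```

Two caveats apply. First, the check is a heuristic run on a device the attacker may already control: malware that has obtained accessibility rights can interact with the app’s own UI, so the result should feed a server-side risk decision rather than be trusted on its own. Second, the allowlist has to be maintained; a legitimate screen reader and a malicious service look identical from the capability flags alone, so the package name and, where possible, its signing certificate are what distinguish them.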

Copyright © 2025, ExpertWhitepaper. All Rights Reserved.