Albiriox: New Android Banking Trojan-as-a-Service Targets 400+ Financial and Gaming Apps

CyberSecureFox 🦊

A new Android banking trojan called Albiriox has surfaced on Russian‑language cybercrime forums, where it is being sold under a Malware‑as‑a‑Service (MaaS) model. According to researchers at Cleafy, this approach dramatically lowers the entry barrier for financially motivated attackers and supports rapid scaling of mobile fraud campaigns worldwide.

Malware-as-a-Service: how the Albiriox trojan is commercialised

Albiriox was first advertised in late September 2025, and by October its operators had switched to a fully commercial model. A monthly “subscription” to the trojan reportedly costs around USD 720, typically including access to a web‑based control panel, regular updates and technical support from the malware operators.

This Malware‑as‑a‑Service model mirrors trends seen with other Android banking trojans: core developers focus on maintaining and improving the malware, while “tenants” — individual criminals and organised groups — pay for access and run their own campaigns. Industry experience shows that MaaS ecosystems tend to increase both the frequency and geographic spread of attacks, as even relatively inexperienced actors can launch complex operations using pre‑built tooling and ready‑made infrastructure.

Target scope: more than 400 banking, crypto and gaming applications

Cleafy’s analysis indicates that Albiriox targets over 400 applications globally. The list includes traditional banking apps, fintech and payment services, cryptocurrency wallets and exchanges, trading and investment platforms, as well as popular mobile games.

This broad targeting profile is typical for a next‑generation Android banker oriented toward on‑device fraud: the malware executes unauthorised transactions directly from the victim’s own device, within legitimate apps and active sessions. Because activity originates from a trusted device and familiar IP addresses, conventional anti‑fraud systems that focus on device fingerprinting and network anomalies are far less effective at detecting these attacks.

Infection chain: phishing SMS, fake Google Play pages and WhatsApp delivery

Initial campaigns: spoofed app store and supermarket brand

One of the first large‑scale Albiriox campaigns observed by researchers targeted users in Austria. Victims received phishing SMS messages in German containing a link to a fraudulent Google Play Store page, impersonating the mobile app of the Penny supermarket chain.

The fake page urged users to download an APK file directly. Instead of coming from the official Google Play marketplace, the file was hosted on attacker‑controlled infrastructure. Users who sideloaded this APK unknowingly installed a dropper application, which in turn paved the way for the full Albiriox payload.

Updated scheme: collecting phone numbers and sending links via WhatsApp

Following the initial wave, the phishing infrastructure was refined. The new landing page no longer serves the APK immediately. Instead, it asks visitors to enter their mobile phone number, claiming that a download link will be sent via WhatsApp.

The site only accepts Austrian numbers, and submitted data is automatically forwarded to an attacker‑controlled Telegram bot. This enables criminals to selectively follow up with specific targets, resend links if needed and adapt social‑engineering scripts to maximise installation rates and eventual fraud.

Technical capabilities: full remote control of infected Android devices

VNC-based remote access and stealth mechanisms

Once the dropper — often masquerading as a system update — is installed, it requests extensive permissions, including the ability to install apps from unknown sources. At this stage, the core Albiriox module is downloaded and activated.

Researchers report that Albiriox implements remote access based on VNC (Virtual Network Computing), allowing operators to control the victim’s smartphone in real time. Attackers can initiate and approve payments, change security settings and exfiltrate sensitive data and one‑time codes. To hide this activity, the trojan can display a blank or black screen and mute device sounds, reducing the likelihood that the user will notice suspicious behaviour or notifications during an ongoing fraud session.

Abuse of Accessibility services and bypassing FLAG_SECURE

One variant of the remote‑access mechanism relies on Android Accessibility services, which are designed to assist users with disabilities but are frequently abused by mobile malware. With Accessibility privileges, Albiriox gains full visibility into the user interface, can simulate taps and keystrokes, and interact with other apps without user awareness.

This capability also enables the trojan to circumvent the FLAG_SECURE setting used by many banking and cryptocurrency apps to block screen capture and recording. By operating at the Accessibility layer, attackers can see and manipulate content that is normally protected even from legitimate remote‑support tools.

Overlay attacks and real-time credential interception

In addition to remote control, Albiriox uses classic overlay attacks. It places fraudulent login or transaction‑approval screens on top of genuine apps, tricking users into entering credentials, PINs or one‑time passwords. These data are captured and relayed to the command‑and‑control infrastructure in real time.

The malware can mimic system update prompts, display fake bank login forms or show a persistent black screen while fraudulent operations are conducted in the background. Such techniques significantly reduce the chances that a victim will manually spot the compromise.
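The Accessibility abuse, FLAG_SECURE bypass and overlay attacks described above all leave signals that a banking app can collect on the device before it approves a sensitive action. The following Java class is an added example written for this article, not code from Cleafy or from any product it mentions; it assumes an Android Activity context, and the allow-lists of accessibility service packages and installer stores are constructed placeholders that a real app would fill in from its own policy.

```java
// Added example (not from the article or Cleafy): app-side hardening and
// device-integrity signals against Accessibility-driven remote control and
// overlay attacks. Assumptions: runs inside an Android Activity; the two
// allow-lists below are constructed placeholders, not vetted package lists.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class DeviceIntegritySignals {

    // Constructed allow-list: accessibility services the app tolerates.
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback",   // TalkBack (example entry)
            "com.example.placeholder.switchaccess"  // placeholder entry
    ));

    // Constructed allow-list: stores the app expects to be installed from.
    private static final Set<String> TRUSTED_INSTALLERS = new HashSet<>(Arrays.asList(
            "com.android.vending"                   // Google Play
    ));

    private DeviceIntegritySignals() {}

    /** Block screenshots and screen recording of this window. Note the limit the
     *  article points out: an Accessibility service still reads the UI tree. */
    public static void hardenWindow(Activity activity) {
        activity.getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Ignore touches delivered while another window covers this view
     *  (the classic overlay / tapjacking situation). */
    public static void rejectObscuredTouches(View sensitiveView) {
        sensitiveView.setFilterTouchesWhenObscured(true);
        sensitiveView.setOnTouchListener((v, event) -> {
            int flags = event.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                    || (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                        && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0);
            return obscured; // returning true swallows the touch when an overlay is present
        });
    }

    /** Enabled accessibility services whose package is not on the allow-list. */
    public static List<String> untrustedAccessibilityServices(Context context) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspicious;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) suspicious.add(pkg);
        }
        return suspicious;
    }

    /** True when this app was not installed by a trusted store, i.e. a sideloaded
     *  or repackaged copy rather than the build distributed through the store. */
    public static boolean isSideloaded(Context context) {
        PackageManager pm = context.getPackageManager();
        String installer;
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo src = pm.getInstallSourceInfo(context.getPackageName());
                installer = src.getInstallingPackageName();
            } else {
                installer = pm.getInstallerPackageName(context.getPackageName());
            }
        } catch (PackageManager.NameNotFoundException e) {
            return true;
        }
        return installer == null || !TRUSTED_INSTALLERS.contains(installer);
    }

    /** Signals to attach to a transaction request so the server-side risk engine
     *  can weigh them; the device itself never blocks the payment on its own. */
    public static List<String> riskSignals(Context context) {
        List<String> signals = new ArrayList<>();
        for (String pkg : untrustedAccessibilityServices(context)) {
            signals.add("accessibility_service:" + pkg);
        }
        if (isSideloaded(context)) signals.add("sideloaded_install");
        return signals;
    }
}
```

Call `hardenWindow` and `rejectObscuredTouches` when the login or transfer screen is created, and send the result of `riskSignals` alongside each transaction so that back-end risk scoring can treat an active, non-allow-listed accessibility service as a strong on-device-fraud indicator rather than relying on device fingerprint or IP reputation, which, as the article notes, look normal during these sessions.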

Evasion techniques: cryptors and customised builds

For its customers, Albiriox offers a customisable builder for malicious APKs integrated with a third‑party crypting service known as Golden Crypt. Cryptors obfuscate and repackage the APK so that its structure and the byte patterns detection engines key on change from build to build, making it harder for antivirus engines and mobile security solutions to detect the malware through static signature‑based scanning.

Combined with dynamic behaviours, application‑specific overlays and the use of legitimate Android system features, this makes Albiriox a representative example of modern on‑device fraud tooling. It combines VNC‑style remote control, Accessibility‑driven automation, targeted overlays and live credential harvesting to bypass traditional authentication and anti‑fraud controls while staying within the boundaries of a legitimate user session.

The emergence of Albiriox underscores the need for stronger mobile security hygiene and more advanced fraud‑detection approaches. End users should avoid installing apps from links in SMS or messengers, verify websites and download sources, disable installation from unknown sources where possible, keep devices updated and use reputable mobile security tools. Financial institutions and other high‑risk organisations should explicitly model on‑device fraud in their threat assessments and augment classical controls with behavioural analytics, device‑integrity checks and real‑time risk scoring to detect attacks that originate from an otherwise trusted device.
