New Albiriox MaaS Malware Hits 400+ Mobile Apps

Overview of the New Albiriox Threat

New Albiriox MaaS malware introduces a broad threat to mobile users. The tool offers a wide range of on-device fraud features, along with strong screen control and real-time device interaction.

The malware includes a hard-coded list of more than 400 financial and trading apps. Therefore, it targets many services used for banking, payments, and investing. Researchers noted that threat actors promoted it through a malware-as-a-service model to attract cybercriminal buyers.

Evasion Tactics and Distribution Methods

Albiriox uses dropper applications to bypass detection. It relies on social engineering tricks that lure victims into installing fake apps, and it also uses packing techniques to hide its code from static scanners.

Threat actors first tested the malware in late September 2025. They later expanded it to a commercial MaaS model. Reports suggest that the developers are Russian-speaking, based on forum activity and linguistic patterns.

Prospective buyers can access a custom builder tool. This builder integrates with a crypting service designed to bypass mobile security solutions. Therefore, attackers can craft unique samples tailored to their targets.

Initial Campaigns and User Compromise

One early campaign targeted thousands of Austrian users. For example, German-language SMS messages redirected victims to fake app pages. When users tapped the install button, the site delivered a dropper APK.

After installation, the app requested permission to install additional apps as a fake update. This request ultimately deployed the main Albiriox malware. The malware then established an unencrypted TCP connection for command-and-control operations.

Remote Control and Screen Manipulation

Albiriox enables full remote device control through a VNC-based module. Attackers can extract data, view screens, or serve black screens for stealth. Therefore, they maintain strong control without alerting the user.

The malware abuses accessibility services to bypass protections like FLAG_SECURE. Many financial apps block screenshots, but accessibility-based streaming avoids these restrictions. This method gives attackers full insight into sensitive screens.
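Because FLAG_SECURE only blocks screenshots and screen recording, not an accessibility service that reads window content, a financial app can at least surface the risk before showing a sensitive screen. The following Java helper is an added example, not code from the article or from any vendor; the class and method names are hypothetical, and it treats any enabled accessibility service from a non-preinstalled package that can retrieve window content as a risk signal, not as proof of Albiriox.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: lists enabled accessibility services that can read
 *  screen content and do not belong to a system or preinstalled package. */
public final class AccessibilityAudit {

    public static List<String> screenReadingServicesFromUserApps(Context ctx) {
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<String> suspects = new ArrayList<>();

        // Only services the user has actually switched on are returned here.
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            ApplicationInfo app = ri.serviceInfo.applicationInfo;

            // Preinstalled services (e.g. the platform screen reader) are not in scope.
            boolean preinstalled = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0
                || (app.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
            if (preinstalled) continue;

            // Only services allowed to retrieve window content can stream what the
            // user sees; that is the capability a FLAG_SECURE view does not block.
            int caps = info.getCapabilities();
            if ((caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) == 0) continue;

            // Sideloaded apps typically have no installer recorded; the method is
            // deprecated since API 30 (getInstallSourceInfo) but still available.
            String installer = pm.getInstallerPackageName(app.packageName);
            suspects.add(app.packageName + " installer=" + (installer == null ? "none" : installer));
        }
        return suspects;
    }

    /** Gate for a sensitive screen: warn or block when a suspect service is enabled. */
    public static boolean sensitiveScreenAllowed(Context ctx) {
        return screenReadingServicesFromUserApps(ctx).isEmpty();
    }
}
```

Legitimate third-party accessibility tools will also appear in the list, so the app should explain the finding to the user rather than silently refuse to work.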

Overlay Attacks and Information Theft

Like other Android fraud tools, Albiriox performs overlay attacks. It displays fake login pages over targeted apps to steal credentials, and it also shows black screens or fake system updates to hide background activity.

Researchers observed an alternative distribution flow using a fake website. Victims entered their phone numbers to receive a download link through a messaging app. The site only accepted Austrian numbers and exfiltrated them to a bot.

Related MaaS Tools and New Campaigns

A second tool, named RadzaRat, also appeared on cybercrime forums. It posed as a file manager but delivered strong surveillance features. Reports stated that its developer marketed it as simple to operate.

RadzaRat allowed remote file browsing, keylogging, and messaging-based command-and-control. It also used system permissions to run at startup and avoid battery restrictions. Therefore, attackers could maintain long-term persistence.

Fake app pages for another tool, GPT Trade, distributed additional malware families. These threats abused accessibility permissions to unlock devices, log keys, and steal credentials. Social engineering lures using adult content also supported a separate malware chain. This chain relied on obfuscation and staged loading screens to evade analysis.

How to Prevent This Type of Attack

Users should avoid installing apps from links, shortened URLs, or unofficial stores. Regular device monitoring and automated threat scanning can help detect suspicious behavior early. Security services that offer mobile threat detection and controlled web filtering can also reduce the risk of malware-laden downloads.

Sleep well, we got you covered.
