A sophisticated new Android malware family dubbed \u201cAlbiriox\u201d has emerged on the cybercrime landscape, offering advanced remote access capabilities as a Malware-as-a-Service (MaaS)<\/a>.<\/p>\n Identified by researchers at Cleafy, the malware is designed to execute On-Device Fraud (ODF) by granting attackers full control over infected devices, allowing them to bypass security measures and drain financial accounts.<\/p>\n Albiriox first appeared in September 2025 within exclusive underground forums, transitioning from a private beta phase to a public commercial offering by October.<\/p>\n The operation is believed to be managed by Russian-speaking threat actors who have aggressively marketed the tool. The service was launched with a subscription model, charging affiliates approximately $650 per month to access the malware\u2019s comprehensive toolkit.<\/p>\n Unlike simple credential stealers, Albiriox is engineered for real-time interaction. It leverages a VNC (Virtual Network Computing)<\/a> module that streams the victim\u2019s screen directly to the attacker.<\/p>\n This allows criminals to perform banking fraud manually on the victim\u2019s device, often while the user is unaware, effectively circumventing device fingerprinting and two-factor authentication (2FA) protocols.<\/p>\n The distribution of Albiriox relies on a deceptive two-stage process designed to evade detection. Early campaigns targeted users in Austria using a fraudulent version of the popular \u201cPenny Market\u201d application. The infection chain typically follows these steps:<\/p>\n Recent iterations have evolved to include WhatsApp-based lures, requiring users to enter phone numbers to receive download links, further filtering targets to specific regions like Austria.<\/p>\n Albiriox\u2019s architecture focuses on stealth and control. It utilizes \u201cGolden Crypt,\u201d a third-party crypting service, to render the malware Fully Undetectable (FUD) by static antivirus engines<\/a>. Once active, it employs Accessibility Services to execute overlay attacks and keylogging.<\/p>\n The malware comes hardcoded with a target list of over 400 applications. This extensive list includes major traditional banking apps, cryptocurrency wallets, and payment processors worldwide, Cleafy added<\/a>.<\/p>\n The following table outlines the technical profile of the Albiriox operations observed during the analysis.<\/p>\n Albiriox\u2019s rapid development cycle suggests it is positioning itself as a dominant tool for financial fraud. Its ability to combine screen streaming with accessibility manipulation enables threat actors to operate invisibly behind black-screen overlays, making it a critical threat to financial institutions and Android users worldwide.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Albiriox Malware Attacking Android Users to Take Complete Control of their Device<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhx4WddzXpks41t6vlBUOMCEEZK4EdZLATl3oH_0iHGhzON6614lkQAh-3XrnJrM7FIRF3t5D5sQxgTOSrua4WX-DyD4fmN-5lpLOf6s4LUYd80sxP4WTnwOc8FaYCB-LbhmP9iivgqtNtscO5m1ueKnWGW9zqN6XNTsreeGFSl077zxr2q21atIHp6cfGO\/w630-h640\/vnc%2520onnection.webp?ssl=1\")
<\/figure>\n<\/div>\nTwo-Stage Infection Chain<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGDgaqQ9sYoz6y_tDs804Wl2tplMBBZYNphbe9lP9QYIgcxI8qEQCBX9ruBxFjCriegt-GoDEnX_Vm7IPX6Q3MzBrv4SoC0ctObmhAwHEFWlFqmyawkF9PJioMfxyIIDbUdf38sSQlfumGDaPLCdEx1nEPZUZalfvkUD1O_5796E1oqMgnzpL02-Hnexf0\/s16000\/Malware%2520installation.webp?ssl=1\")
<\/figure>\n<\/div>\n\n
\n\n
\n \nFeature<\/th>\n Details<\/th>\n<\/tr>\n<\/thead>\n \n Malware Type<\/strong><\/td>\n Android Banking Trojan \/ Remote Access Trojan (RAT)<\/td>\n<\/tr>\n \n Distribution Model<\/strong><\/td>\n Malware-as-a-Service (MaaS)<\/td>\n<\/tr>\n \n Primary Tactics<\/strong><\/td>\n On-Device Fraud (ODF), Overlay Attacks, VNC Streaming<\/td>\n<\/tr>\n \n Target Scope<\/strong><\/td>\n 400+ Financial & Crypto Applications<\/td>\n<\/tr>\n \n Evasion Technique<\/strong><\/td>\n \u201cGolden Crypt\u201d obfuscation, JSONPacker, Two-stage dropper<\/td>\n<\/tr>\n \n Command & Control<\/strong><\/td>\n Unencrypted TCP Socket with JSON-based commands<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n IOCs<\/strong><\/h2>\n
\n\n
\n \nIndicator Type<\/th>\n Value<\/th>\n Port \/ Notes<\/th>\n<\/tr>\n<\/thead>\n \n C2 Server IP<\/td>\n 194.32.79.94<\/td>\n 5555 (Linked to samplef5b501e3\u2026)<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-app-download[.]download<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-get[.]download<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-aplication[.]download<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n play.google-get[.]store<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-app-get[.]com<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-get-app[.]com<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n \n Delivery Domain<\/td>\n google-app-install[.]com<\/td>\n Phishing \/ Dropper Delivery<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n