Albiriox: The New Android Banking Malware Threatening Your Financial Security
A sophisticated new Android malware family has emerged from the cybercrime underground, and it’s already making waves across the global financial sector. Albiriox represents a dangerous evolution in mobile banking threats, combining advanced remote control capabilities with a business model that makes it accessible to even low-skill cybercriminals.
What Is Albiriox?
Albiriox is a new family of Android banking malware that gives attackers live remote control over infected phones, letting them quietly drain bank and crypto accounts during real sessions. Unlike traditional banking trojans that simply steal credentials, Albiriox enables what security researchers call “on-device fraud” (ODF), where attackers perform transactions directly on the victim’s phone while maintaining the legitimate user session.
First observed in September 2025 during a limited recruitment phase targeting high-reputation forum members, the project transitioned to a publicly available Malware-as-a-Service (MaaS) offering in October 2025. Subscriptions range from $650 to $720 per month, which puts the malware within reach of a much wider range of threat actors.
How It Works
The infection chain typically begins with social engineering. In early campaigns, victims were lured with fake apps mimicking legitimate brands. One observed campaign used a fraudulent “Penny Market” app that served as a dropper, tricking victims into granting critical permissions by displaying a fake system update screen.
Once installed, Albiriox deploys an arsenal of capabilities:
Remote Device Control: The malware streams the victim’s screen in real time using VNC-based technology, allowing attackers to tap, swipe, type, and navigate through any app as if they were physically holding the device.
Accessibility Service Abuse: Perhaps most concerning is how Albiriox exploits Android’s accessibility features. Researchers found that the malware uses a custom accessibility-based streaming mechanism designed to bypass Android’s FLAG_SECURE protection, which normally prevents screenshots and screen recording in banking and cryptocurrency apps.
Overlay Attacks: While still in development, the malware includes overlay capabilities to display fake login screens over legitimate apps, harvesting credentials and authentication codes.
Stealth Operations: Albiriox can display black or blank screens while conducting fraudulent transactions in the background, completely hiding the malicious activity from the victim.
Massive Target List
What makes Albiriox particularly dangerous is its scope. The malware contains a hardcoded list of more than 400 targeted applications spanning banking, fintech, cryptocurrency exchanges, digital wallets, payment processors, and trading platforms across multiple countries. This isn’t a regional threat—it’s designed for global fraud campaigns.
The breadth of targets reflects a strategic approach prioritizing high-value, globally recognized financial brands. Banks, crypto wallets, payment apps, and investment platforms are all in the crosshairs.
Technical Infrastructure
Albiriox communicates with its command-and-control servers using unencrypted TCP socket connections. Upon infection, it sends a handshake containing device identifiers including hardware ID, device model, and Android OS version, effectively registering the victim device within a botnet.
The malware supports an extensive set of remote commands enabling UI navigation, data exfiltration, concealment tactics, and application control. Attackers can launch apps, uninstall apps, retrieve passwords, and manipulate virtually every aspect of the infected device.
To evade detection, Albiriox’s developers provide a custom builder integrated with Golden Crypt, a third-party crypting service widely used to generate “fully undetectable” malware payloads. This lets the malware evade mobile antivirus detection and remain on victim devices for longer.
Who’s Behind It?
Evidence from forum activity, linguistic patterns, and infrastructure analysis indicates that Russian-speaking threat actors are behind the operation. The malware was promoted on Russian-speaking cybercrime forums and private Telegram channels before its public release.
Real-World Impact
Security researchers have already detected active Albiriox infections and campaigns in the wild. One campaign specifically targeted Austrian victims using German-language lures and SMS messages with shortened links directing victims to convincing phishing sites. More recent campaigns have incorporated WhatsApp-based delivery systems, requiring victims to input phone numbers before receiving download links—with that data being sent directly to Telegram bots controlled by the attackers.
How to Protect Yourself
Given Albiriox’s sophisticated capabilities, prevention is critical:
Only download apps from official stores like Google Play and avoid sideloading APKs from unknown sources
Be extremely suspicious of apps requesting accessibility permissions, especially those claiming to be system updates
Never grant “Install Unknown Apps” permission unless you’re absolutely certain of the source
Keep your Android device updated with the latest security patches
Use mobile security software that can detect suspicious behavior
Be wary of unsolicited SMS messages containing links, even if they appear to come from legitimate brands
Watch for unusual behavior like unexpected permission requests or apps launching on their own
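The two footholds this post keeps returning to, an accessibility service the user never meant to enable (the streaming and overlay mechanisms described under “Accessibility Service Abuse”) and an app that did not come from the Play Store (the dropper delivery in the protection list above), are both visible from the outside with stock Android tooling. The following POSIX shell helper is an added example written for this article; it is not code from the original post or from any of the cited research. It parses output that an analyst or fleet administrator has captured from a device with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` (both real commands), and flags anything not on an allowlist. The allowlist, the package names and the sample captures are constructed for the demonstration and are not indicators from the page.

```shell
#!/bin/sh
# Added example: offline triage of two adb captures from an Android device.
# Flags (1) enabled accessibility services that are not allowlisted and
# (2) third-party packages whose installer is not the Play Store.
# The allowlist and the SAMPLE_* captures below are constructed/hypothetical.

# Accessibility services considered legitimate (hypothetical allowlist;
# extend it with the services your organisation actually deploys).
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_accessibility "<value>"
#   <value> is the raw output of:
#     adb shell settings get secure enabled_accessibility_services
#   a colon-separated list of package/service entries ("null" when empty).
#   Prints every entry that is not on ALLOWLIST, one per line.
flag_unknown_accessibility() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
    [ -z "$svc" ] && continue
    [ "$svc" = "null" ] && continue           # nothing enabled on the device
    case ":$ALLOWLIST:" in
      *":$svc:"*) ;;                          # allowlisted, ignore
      *) printf '%s\n' "$svc" ;;              # unknown service: investigate
    esac
  done
}

# flag_sideloaded "<pm output>"
#   <pm output> is the raw output of:
#     adb shell pm list packages -3 -i
#   one "package:<name>  installer=<installer>" line per third-party app.
#   Prints the package name of every app whose installer is not the Play
#   Store (com.android.vending); "null" means a manually installed APK.
flag_sideloaded() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    set -- $line                              # "package:<pkg>" "installer=<name>"
    pkg=${1#package:}
    installer=${2#installer=}
    [ "$installer" = "com.android.vending" ] || printf '%s\n' "$pkg"
  done
}

# audit "<a11y value>" "<pm output>"
#   Prints one line per finding and returns the number of findings, so a
#   fleet script can treat a non-zero status as "device needs a closer look".
audit() {
  findings=0
  for svc in $(flag_unknown_accessibility "$1"); do
    echo "SUSPICIOUS accessibility service: $svc"
    findings=$((findings + 1))
  done
  for pkg in $(flag_sideloaded "$2"); do
    echo "SIDELOADED package: $pkg"
    findings=$((findings + 1))
  done
  return "$findings"
}

# Constructed sample captures (not from a real device) for an offline run.
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/com.example.fakeupdate.UpdateService"
SAMPLE_PM="package:com.example.bank  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.sideload  installer=com.android.packageinstaller"

# Run with --demo to audit the constructed samples (3 findings expected).
if [ "${1:-}" = "--demo" ]; then
  audit "$SAMPLE_A11Y" "$SAMPLE_PM"
fi
```

On a real device, pipe the two adb commands into the functions instead of the samples; the accessibility check is the one to act on first, because a service you do not recognise is exactly what a fake “system update” screen talks the user into enabling. Note that a “null” installer is not proof of compromise (developers and enterprise deployments sideload legitimately), so the output is a triage list, not a verdict.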
The Bigger Picture
Albiriox represents the latest evolution in Android banking malware, joining the ranks of other sophisticated threats like Xenomorph, Alien, and TeaBot. Its MaaS business model and ongoing development suggest it will likely gain traction among cybercriminals seeking efficient tools for high-impact mobile fraud.
Security experts warn that Albiriox’s accessibility-based VNC module and ability to operate within legitimate banking sessions make it particularly effective at bypassing traditional authentication and fraud detection mechanisms. As mobile banking continues to grow, threats like Albiriox highlight the urgent need for enhanced mobile security measures and user awareness.
The emergence of Albiriox should serve as a wake-up call: your smartphone is a prime target for sophisticated financial fraud, and the threat landscape is evolving faster than ever. Stay vigilant, stay updated, and think twice before granting those permission requests.