At a Glance
| Malware family | Albiriox (Android banking RAT, sold as Malware-as-a-Service), delivered by a UniCredit-branded dropper |
|---|---|
| Threat actor | Unattributed operator; Albiriox is sold on Russian-speaking forums (per Cleafy); Italian-themed build |
| Target / victims | Italian bank customers; UniCredit brand abused; no victim count disclosed |
| Delivery vector | Fake reward landing page to a Telegram bot to manual APK sideload |
| Key capabilities | Accessibility abuse, overlays, SMS and OTP interception, VNC-like remote control, anti-uninstall |
| Source | D3Lab (background from Cleafy Labs) |
TL;DR
D3Lab found a fake UniCredit reward page pushing an Android banking trojan. The lure promised $100 to install an app and $50 for each friend referred. Behind it sits Albiriox, a rent-to-own remote-control malware that hijacks phones and drains bank accounts.
Delivery
D3Lab’s Brand Monitor flagged a lookalike UniCredit domain, unicredit-tme[.]shop, registered on July 8, 2026. The page promised a cash reward and showed a download button. Rather than an app store, that button pushed victims to a Telegram bot.
The bot ran the social-engineering flow. It offered $100 to install the app and $50 for each referral, which turned the scam into referral-driven distribution. No official store was involved, so victims sideload the APK after enabling installs from unknown sources. The mix works because it stacks three things: a trusted brand, a cash lure, and a chat that answers doubts in real time.
Infection Chain
The downloaded APK is a dropper. It wears UniCredit branding, but it exists to unpack a second stage. Notably, D3Lab found the payload “is not downloaded from the Internet at runtime.” It hides inside the first APK, split across decoy files with fake image extensions, then rebuilt on the device through AES decryption and GZIP.
This self-contained design removes a second network fetch that defenders could block. On install, the payload requests Accessibility, overlays, SMS access, notification access, and boot persistence. Accessibility is the key permission. It lets the malware read the screen, tap buttons, and auto-approve prompts.
Albiriox capabilities
The second stage is Albiriox, an Android banking trojan sold as Malware-as-a-Service on Russian-speaking forums. Cleafy first documented it in late 2025 and says it targets more than 400 banking, fintech, and crypto apps. It rents for roughly $650 a month, which puts device-takeover fraud within reach of low-skill criminals.
Once active, the Albiriox malware registers an Accessibility service and hands the operator live control. It streams the screen VNC-style, shows fake login overlays, and captures PINs, patterns, and passwords. It also reads SMS and one-time codes, and it resists removal. D3Lab links this build to Albiriox through a known-sample comparison, a matching protocol, and the project’s Telegram posts, calling it “a likely customized and obfuscated Albiriox build.”
Command and Control and Data Theft
The Albiriox malware skips HTTP. Instead, it opens raw TCP sockets and trades JSON messages, each framed with a four-byte length prefix. Any.run flagged the same binary protocol on a non-standard port. Through that channel, the operator streams the screen, issues remote commands, and pulls credentials, SMS, and OTPs.
A country marker set to Italy confirms the local focus. Because the malware acts inside the victim’s own session, it can bypass MFA and approve transfers straight from the real device.
Defense and Detection
Never install banking apps from links. D3Lab urges users to “never install banking applications from links received through Telegram.” Use only official app stores and verified publisher accounts. Also treat any reward-for-install offer as a scam, especially when it asks you to allow unknown sources.
On the defense side, watch for apps that request Accessibility together with SMS and overlay permissions. Flag length-prefixed JSON over raw TCP to odd ports. Brand owners should hunt for lookalike domains too.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.