Malware Installation | Image: Cleafy
A sophisticated new Android banking trojan, dubbed “Albiriox,” has emerged from the cybercriminal underground, offering a potent suite of fraud tools to attackers as a paid service. First identified by the Cleafy Threat Intelligence team, the malware marks a dangerous evolution in mobile threats, combining advanced evasion techniques with the ability to take full control of victim devices.
Albiriox is not just a standalone malicious app; it is a commercial product. According to the report, “Albiriox is a newly identified Android malware family offered as a Malware-as-a-Service (MaaS), showing signs of active development and rapid iteration.”
The operation appears to be highly organized. It began with a private beta phase in September 2025, recruiting high-reputation members of cybercrime forums before launching publicly in October. The infrastructure and linguistic patterns found by researchers leave little doubt about its origin: “Evidence suggests the operation is managed by Russian-speaking Threat Actors (TAs)”. The service is reportedly rented out for approximately $650 to $720 per month.
One of the first observed campaigns targeted users in Austria using a clever social engineering lure. Attackers distributed the malware through a fake version of the “Penny Market” app, a popular supermarket chain in the region.
“The campaign targets Austrian victims explicitly, leveraging German-language lures and social engineering tactics consistent with the broader mobile banking threat landscape”. Once users installed the fake app to access “coupons,” the malware deployed a two-stage infection chain to evade detection and establish control.
Albiriox is designed for what researchers call On-Device Fraud (ODF)—the ability to execute fraudulent transactions from the victim’s own device to bypass banking security checks. “Albiriox exhibits the core features of modern Android Banking Trojans, enabling TAs to perform On-Device Fraud through remote control, screen manipulation, and real-time interaction with the infected device.”
Its most alarming feature is “AcVNC” (Accessibility VNC), a technique that allows attackers to view and control the screen even when apps try to block it. “This accessibility-based streaming mechanism is intentionally designed to bypass the limitations imposed by Android’s FLAG_SECURE protection.” This allows the malware to bypass the black screens typically used by banking apps to prevent screen recording.
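The defensive consequence of the AcVNC technique is that FLAG_SECURE alone is not enough: it stops screenshots and screen recording, but an accessibility service still reads the view hierarchy. The following Android snippet is an added example (not code from the Cleafy report or from the article) showing how a banking app can set FLAG_SECURE and, on each resume, audit which non-system accessibility services are enabled so it can warn or step up authentication; the class and handler names are hypothetical.

```java
// Added defensive example, not from the article or the Cleafy report.
// Assumption: a banking app's sensitive Activity; names are hypothetical.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.util.Log;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public class SecureBankingActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Blocks screenshots and ordinary screen recording of this window.
        // Accessibility-based capture (the AcVNC approach) is not blocked by it.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        List<String> thirdParty = nonSystemAccessibilityServices(this);
        if (!thirdParty.isEmpty()) {
            onUntrustedAccessibilityService(thirdParty);
        }
    }

    /** Package names of enabled accessibility services that are not part of
     *  the system image. Third-party services are where a malicious app lives. */
    static List<String> nonSystemAccessibilityServices(Context ctx) {
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> result = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if (info.getResolveInfo() == null) continue;
            ApplicationInfo app = info.getResolveInfo().serviceInfo.applicationInfo;
            boolean system = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!system) result.add(app.packageName);
        }
        return result;
    }

    // Hypothetical response hook: log for the fraud team and require step-up
    // authentication before showing balances or approving transfers.
    void onUntrustedAccessibilityService(List<String> pkgs) {
        Log.w("SecureBanking", "Non-system accessibility services enabled: " + pkgs);
    }
}
```

Legitimate third-party screen readers will also appear in this list, so the result should drive a warning plus step-up authentication rather than a hard block.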
While the initial campaign focused on Austria, the malware’s scope is global. Researchers found a hardcoded list of over 400 targets, “encompassing major banking and cryptocurrency applications worldwide.”
To stay hidden, the developers have integrated advanced obfuscation tools. “The inclusion of Golden Crypt within the builder pipeline suggests that the Albiriox operators are deliberately positioning the malware as a stealth-optimized product.”
Albiriox represents a significant leap in the commercialization of mobile fraud. By combining a professional “as-a-service” business model with advanced technical capabilities like AcVNC, it poses a severe threat to financial institutions and crypto users alike. As the report concludes, “Albiriox represents a rapidly evolving threat that exemplifies the broader shift toward ODF-focused mobile malware.”