Ethical Hacking News
A new Android malware named Albiriox has been unleashed on the global market, targeting over 400 apps across various sectors including banking and financial technology. The malicious software-as-a-service (MaaS) model leverages advanced techniques such as dropper applications and packing to evade static detection, while also bypassing traditional authentication and fraud-detection mechanisms. With its extensive surveillance and data exfiltration capabilities, Albiriox poses a significant threat to individual users and organizations alike.
Albiriox is a new Android malware that targets over 400 apps across various sectors, posing a significant threat to individual users and organizations. The malware uses dropper applications and packing to evade static detection and embeds a hard-coded list of targeted apps. The threat actors behind Albiriox are believed to be Russian-speaking individuals who offer a custom builder to bypass antivirus and mobile security solutions. The ultimate goal is to gain control over mobile devices and conduct fraudulent actions without detection. Albiriox abuses accessibility services to bypass Android's FLAG_SECURE protection and obtain a complete view of the interface, enabling attackers to carry out malicious activities. The malware also installs a VNC-based remote access module that allows threat actors to remotely interact with compromised phones. Researchers describe Albiriox as a "significant threat" due to its extensive surveillance and data exfiltration capabilities.
The threat landscape for mobile devices has taken a drastic turn with the emergence of a new Android malware known as Albiriox. This malicious software-as-a-service (MaaS) model, which targets over 400 apps across various sectors including banking and financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms, poses a significant threat to individual users and organizations alike.
According to researchers at Cleafy, Albiriox leverages advanced techniques such as dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection. The malware embeds a hard-coded list of over 400 applications that it can manipulate, including those used for financial transactions and data storage.
The threat actors behind the Albiriox MaaS are believed to be Russian-speaking individuals based on their activity on cybercrime forums, linguistic patterns, and infrastructure usage. Prospective customers have access to a custom builder that integrates with a third-party crypting service known as Golden Crypt, allowing them to bypass antivirus and mobile security solutions.
The ultimate goal of the attacks is to gain control over mobile devices and conduct fraudulent actions without detection. The malware uses an unencrypted TCP socket connection for command-and-control (C2) communications, enabling threat actors to issue commands remotely, extract sensitive information, serve black or blank screens that hide on-device activity from the victim, and manipulate volume levels to achieve operational stealth.
One of the most concerning features of Albiriox is its abuse of accessibility services, which allows it to bypass Android's FLAG_SECURE protection and obtain a complete view of the interface without triggering any protections. FLAG_SECURE only blocks screenshots and screen recording of a window; it does not stop an enabled accessibility service from reading the window's view hierarchy, including the text of fields on screen. This capability enables attackers to carry out malicious activities such as overlay attacks against target applications for credential theft.
The malware also installs a VNC-based remote access module that allows threat actors to remotely interact with compromised phones. The module uses Android's accessibility services to relay every user interface and accessibility element present on the device screen to the operator.
Researchers at Cleafy have described Albiriox as "a significant threat" due to its extensive surveillance and data exfiltration capabilities, which make it a menace to both individual users and organizations. The findings come as fake Google Play Store landing pages for an app named "GPT Trade" ("com.jxtfkrsl.bjtgsb") have distributed the BTMOB Android malware and a persistence module referred to as UASecurity Miner.
Additionally, social engineering lures using adult content have underpinned a sophisticated Android malware distribution network that delivers a heavily obfuscated malicious APK file requesting sensitive permissions for phishing overlays, screen capture, installing other malware, and manipulating the file system. This malware employs a resilient, multi-stage architecture with front-end lure sites that use commercial-grade obfuscation and encryption to hide and dynamically connect to a separate backend infrastructure.
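The permission and component mix described above (an accessibility service, overlay drawing, installing further packages, screen capture, broad file-system access) is visible in an APK's manifest before any dynamic analysis. The following triage script is an added example, not code from the article or from Cleafy or Certo: it parses a decoded AndroidManifest.xml and scores the capability cluster. The grouping of permissions into capabilities and the verdict thresholds are the author's own heuristic, and both manifests are constructed for illustration.

```python
"""Manifest triage for the Android banking-trojan capability cluster.

Added example. The permission names are real Android ones; the capability
grouping, the scoring and the two sample manifests are constructed here and
are not taken from the article or from any vendor report.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Manifest evidence grouped by the capability it enables (author's grouping).
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "filesystem": {"android.permission.MANAGE_EXTERNAL_STORAGE",
                   "android.permission.WRITE_EXTERNAL_STORAGE"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "app_inventory": {"android.permission.QUERY_ALL_PACKAGES"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}


def parse_manifest(xml_text):
    """Return package name, declared permissions, and whether the APK declares
    an accessibility service (a <service> guarded by BIND_ACCESSIBILITY_SERVICE)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    perms.discard(None)
    accessibility = any(
        s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_service": accessibility}


def assess(info):
    """Map manifest evidence to capabilities and a coarse verdict (author's thresholds)."""
    found = {cap: sorted(info["permissions"] & names)
             for cap, names in CAPABILITIES.items()
             if info["permissions"] & names}
    if info["accessibility_service"]:
        found["accessibility"] = ["service:BIND_ACCESSIBILITY_SERVICE"]
    # Accessibility plus overlay is the on-device-fraud core; anything on top
    # of that pair (install, screen capture, inventory, storage) rates high.
    if "accessibility" in found and "overlay" in found:
        verdict = "high" if len(found) >= 3 else "medium"
    elif len(found) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": info["package"], "capabilities": found, "verdict": verdict}


def triage(xml_text):
    return assess(parse_manifest(xml_text))


# Constructed sample: a "file manager" that also asks for the fraud toolkit.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.pro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="File Manager">
    <service android:name=".SvcA11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a plain file manager that only needs storage access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="File Manager"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], r["verdict"], sorted(r["capabilities"]))
```

Two caveats for real use. A packaged APK carries the manifest as binary AXML, so decode it first (for example with `aapt dump xmltree app.apk AndroidManifest.xml` or androguard) and feed the script the XML text. And with a dropper, the manifest you install only shows the dropper's own needs (typically REQUEST_INSTALL_PACKAGES); the accessibility and overlay declarations sit in the packed payload and only become visible once it is extracted, which is exactly why the article's packing and dropper chain defeats static checks on the first stage.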
The Albiriox disclosure also coincides with the discovery of another Android MaaS tool, codenamed RadzaRat, that impersonates a legitimate file management utility, only to unleash extensive surveillance and remote control capabilities post-installation. This development reflects a troubling democratization of cybercrime tools, as Certo researcher Sophia Taylor noted.
The emergence of Albiriox MaaS serves as a stark reminder of the evolving threat landscape for mobile devices and the importance of robust security measures to protect against such sophisticated attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Albiriox-MaaS-Malware-Unleashes-Global-On-Device-Fraud-Attacks-ehn.shtml
https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
Published: Mon Dec 1 03:28:16 2025 by llama3.2 3B Q4_K_M