Threats to Android devices have grown again with the arrival of Albiriox, a new malware family marketed through a malware-as-a-service (MaaS) model.
Unlike typical Android trojans, Albiriox is designed to carry out on-device fraud (ODF), take control of the screen, and monitor device activity in real time.
With advanced manipulation capabilities and a very broad list of targeted applications, Albiriox is one of the biggest threats that Android users must be aware of.
Structured Attack Targeting Over 400 Financial Applications
As reported by Hacker News (01/12/25), Cleafy's research reveals that Albiriox has a target list of more than 400 applications, ranging from banking applications, digital wallets and fintech lending to crypto exchanges and investment platforms.
The list is embedded in the malware's code and indicates that Albiriox's primary goal is to steal sensitive data and commit financial fraud directly from victims' devices.
To spread it, perpetrators use dropper applications delivered through social engineering. Victims are directed to download imitation applications that look like official applications from the Google Play Store via SMS messages, fake websites, and offline German-language campaigns targeting users in Austria.
Once the user presses the Install button on the fake page, the device is compromised by the APK dropper, which immediately requests permission for further installation under the guise of a system update.
Professional Hacker-style Device Control Technology
Albiriox uses an unencrypted TCP socket connection as its command-and-control (C2) channel. This channel allows perpetrators to send commands to:
- control the device via Virtual Network Computing (VNC),
- display a black or blank screen so that malicious activity is not detected,
- raise or lower the volume to disguise malicious processes,
- access sensitive user data.
One of the most striking features is a VNC-based remote access module that takes advantage of Android's accessibility services.

Through this mechanism, perpetrators can see all device interface elements without being hindered by FLAG_SECURE protection, a feature commonly used by banking applications to prevent screenshots or screen recording.
In other words, Albiriox is able to “peek” at the full screen without triggering the security system.
Like other banking trojans, Albiriox also supports overlay attacks, a technique that displays a fake screen on top of the original application to steal usernames, PINs, OTPs, or other credentials.
In addition, the malware can display fake system updates or black screens so that perpetrators can carry out fraudulent activities behind the scenes without users realizing it.
In some campaigns, users were directed to a fake site that resembled a European supermarket's promo page. There, the victim was asked to enter a phone number to receive a download link via WhatsApp. The phone numbers were also sent to the perpetrator's Telegram bot.
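For defenders, the traits described in this section (a sideloaded app, permission to install further packages, an enabled accessibility service, and overlay capability) can be checked in combination across a device or fleet inventory. The following is an added example, not code from Cleafy or the original report; the permission and installer names are real Android identifiers, while the record format and the sample apps are assumptions constructed for illustration.

```python
# Added illustration: triage an app inventory for the trait combination
# described in the article. Permission and installer names are real Android
# identifiers; the record format and all sample apps are constructed.
PLAY_STORE = "com.android.vending"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def triage(app):
    """Return the list of risk traits found on one app record."""
    perms = set(app.get("permissions", []))
    traits = []
    if app.get("installer") != PLAY_STORE:
        traits.append("sideloaded")
    if app.get("accessibility_enabled", False):
        traits.append("accessibility service enabled")
    if INSTALL in perms:
        traits.append("may install other packages")
    if OVERLAY in perms:
        traits.append("may draw over other apps")
    return traits


def flag_apps(inventory):
    """Flag apps that are sideloaded, hold accessibility access, and can
    also install packages or draw overlays. Any one trait alone is common
    in legitimate apps, so only the combination is reported."""
    flagged = {}
    for app in inventory:
        traits = triage(app)
        if ("sideloaded" in traits
                and "accessibility service enabled" in traits
                and len(traits) >= 3):
            flagged[app["package"]] = traits
    return flagged


SAMPLE_INVENTORY = [  # constructed records, not real applications
    {"package": "com.example.passwordmanager", "installer": PLAY_STORE,
     "accessibility_enabled": True, "permissions": [OVERLAY]},
    {"package": "com.example.altstore", "installer": None,
     "accessibility_enabled": False, "permissions": [INSTALL]},
    {"package": "com.example.sysupdate", "installer": None,
     "accessibility_enabled": True, "permissions": [INSTALL, OVERLAY]},
]

if __name__ == "__main__":
    for package, traits in flag_apps(SAMPLE_INVENTORY).items():
        print(package, "->", "; ".join(traits))
```

Only the sideloaded "system update" sample is reported; the Play-installed accessibility app and the sideloaded installer without accessibility access are left alone.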
Not Alone: RadzaRat and BTMOB Also Emerge as New Threats
The emergence of Albiriox coincided with the appearance of another MaaS tool called RadzaRat, which masquerades as a file manager application.
Even though it looks simple, RadzaRat is capable of total monitoring, from accessing system files, downloading data and recording typing to controlling devices remotely, using Telegram as a C2 channel.
The developer, known as Heron44, promotes the malware as a tool that is easy for even beginners to use, a sign that cybercrime is becoming more accessible.
Meanwhile, BTMOB malware has also reappeared via a fake Google Play page for an application called “GPT Trade”. This malware is known for using accessibility services to unlock devices, steal credentials, and automate fraudulent actions.
The growing number of MaaS-based malware such as Albiriox and RadzaRat indicates a new trend: access to advanced malware is now much cheaper and easier, resulting in an increasing threat to both general and enterprise users.