
Albiriox Malware Exposes a New Era of Android Fraud as a Service

Tappy Admin
December 1, 2025

A new Android malware called Albiriox has appeared on the cybercrime market under a malware-as-a-service (MaaS) model, offering extensive tools for on-device fraud (ODF), real-time device manipulation, and remote screen control. The malware includes a hard-coded list of more than 400 targeted apps, covering banking, fintech, payment platforms, crypto exchanges, wallets, and trading apps.

According to Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia, Albiriox is distributed through social engineering dropper apps that use packing and obfuscation techniques to bypass static malware detection. The malware was initially advertised during a “limited recruitment phase” in September 2025 before expanding into a full MaaS offering. Evidence suggests the operators are Russian-speaking, based on forum behavior, language clues, and backend infrastructure.

Customers of the malware are given access to a builder tool integrated with Golden Crypt, a third-party crypting service designed to evade antivirus and mobile security tools. The attackers’ objective is to gain stealthy control of infected devices and perform fraudulent activities without detection. At least one early campaign targeted Austrian users, using German-language SMS lures containing shortened URLs leading to fake Google Play Store pages mimicking apps such as PENNY Angebote & Coupons.

Victims who click “Install” on these pages unknowingly download a dropper APK. After launching, the app prompts users to grant permissions to “install updates,” which silently deploys the primary malware. Albiriox relies on an unencrypted TCP socket for command and control, allowing attackers to remotely control devices via VNC, extract sensitive data, blank the screen, or modify volume for stealth operations.

The malware installs a VNC-based remote access module, with one version using Android Accessibility Services to view all UI elements. This method bypasses FLAG_SECURE, a protection that blocks screenshots and screen recording in banking and crypto apps. By using accessibility-based screen streaming, the malware gains full visibility of sensitive app interfaces without triggering those protections.

Albiriox also performs overlay attacks on its extensive list of targeted apps to steal credentials. It can present fake system updates or black screens to hide background activity. Cleafy also observed a variant that redirects users to a fake PENNY website, where victims must enter their phone number to receive a supposed download link via WhatsApp; these numbers are exfiltrated to a Telegram bot.

Cleafy notes that Albiriox has all the hallmarks of modern ODF malware: VNC remote control, automated accessibility-based interaction, targeted overlays, and dynamic credential harvesting, enabling attackers to bypass authentication by acting directly inside a victim’s legitimate session.

The Albiriox disclosure coincides with the appearance of RadzaRat, another Android MaaS tool. Marketed on underground forums since November 8, 2025, RadzaRat masquerades as a legitimate file manager before enabling extensive surveillance and remote access features. Certo researcher Sophia Taylor noted that its developer, “Heron44,” advertises it as easy to deploy even for inexperienced cybercriminals, reflecting the growing democratization of cybercrime tools.

RadzaRat allows attackers to browse files, search directories, exfiltrate data, log keystrokes, and communicate via Telegram-based C2. It maintains persistence using BOOT_COMPLETED permissions, a custom BootReceiver, and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to avoid Android’s background restrictions. Its disguise as a functioning file manager makes it dangerous for both individuals and organizations.
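As an added defender-side example (not code from Cleafy, Certo, or this article), the script below triages a decoded AndroidManifest.xml for the combination of traits described above: a boot-time receiver plus the battery-optimization opt-out for persistence, an accessibility service for UI scraping, and the overlay permission used for credential-stealing overlays. The sample manifest, the indicator names, and the risk levels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ACC_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BATTERY_OPT_OUT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (shaped like apktool output); not from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="File Manager">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the set of indicator names found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    name = ANDROID + "name"
    perms = {e.get(name) for e in root.iter("uses-permission")}
    found = set()
    # Persistence: a receiver whose intent filter listens for the boot broadcast.
    for recv in root.iter("receiver"):
        if any(a.get(name) == BOOT_ACTION for a in recv.iter("action")):
            found.add("boot_receiver")
    if BATTERY_OPT_OUT in perms:
        found.add("battery_optimization_opt_out")
    # Accessibility service: the hook used for UI scraping and automated interaction.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == ACC_BIND:
            found.add("accessibility_service")
    if OVERLAY in perms:
        found.add("overlay_permission")
    return found

def risk_level(found):
    """Escalate when persistence and fraud-capability indicators appear together."""
    persistence = {"boot_receiver", "battery_optimization_opt_out"} <= found
    fraud_capabilities = {"accessibility_service", "overlay_permission"} <= found
    if persistence and fraud_capabilities:
        return "high"
    if persistence or fraud_capabilities:
        return "medium"
    return "low"

if __name__ == "__main__":
    indicators = triage_manifest(SAMPLE_MANIFEST)
    print(sorted(indicators), risk_level(indicators))
```

Point it at the AndroidManifest.xml produced by `apktool d` on a suspect APK; a "high" result is a triage signal for manual analysis, not a verdict on its own.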

The findings also connect to recent campaigns distributing BTMOB Android malware through fake Google Play pages for an app called GPT Trade. BTMOB, documented earlier in 2025, abuses accessibility services for device unlocking, keystroke logging, credential theft, and remote control.

Separately, social engineering schemes using adult content lures have delivered heavily obfuscated malicious APKs capable of phishing overlays, screen capture, file manipulation, and secondary malware installation. Palo Alto Networks Unit 42 reports that these campaigns use multi-stage architectures, commercial-grade obfuscation, and behavioral checks such as measuring image load times to evade detection systems.