New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

Newly discovered Android MaaS (Malware-as-a-Service) tools, Albiriox and RadzaRat, are enabling widespread On-Device Fraud (ODF). Both leverage Accessibility Services for remote control, surveillance, and bypassing security. Albiriox targets 400+ financial apps with overlay attacks and VNC control, while RadzaRat focuses on remote file system access and keylogging.

Dec 2, 2025 - 11:03
Dec 2, 2025 - 11:07

Albiriox is a newly discovered Android malware family marketed as "malware-as-a-service" (MaaS). Its purpose is to give its customers everything needed to commit fraud directly from the victim's own device (on-device fraud, ODF), including remotely controlling the infected device while manipulating its screen in real time.

A hardcoded list of at least 400 distinct target applications is embedded in the malware, covering banks, fintech companies, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.

According to Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia, the malware is delivered to its targets through "dropper-style" applications that are spread using social engineering and concealed with packing techniques to evade detection.

Albiriox was initially advertised during a short recruitment period at the end of September 2025 and transitioned to a MaaS model in late October 2025. Based on the communications and behaviour observed on cybercriminal forums, their linguistic patterns, and the digital infrastructure in use, the individuals or groups developing and deploying the malware appear to operate primarily from Russian-speaking regions.

According to the developers, customers will in future be able to obtain a customized build integrated with a third-party tool, "Golden Crypt," intended to conceal malicious activity on the victim's mobile device and bypass security controls (such as anti-virus and mobile security software) that might otherwise block the fraud.

The ultimate objective of the attacks is to take control of personal mobile devices and perform fraudulent transactions without being detected. At least one campaign initially targeted victims in Austria with German-language phishing (SMS messages carrying a shortened URL) that directed recipients to a fraudulent Google Play Store listing for the PENNY Angebote & Coupons app.

If the user, unaware of the fraudulent nature of the listing, tapped the "Install" button on the counterfeit page, the device was compromised by means of a dropper package (APK). Once the APK was installed and launched, the user was asked to allow the app to install other apps as part of a supposed software update, which ultimately loaded the primary malware.

Albiriox uses an unencrypted, TCP socket-based command-and-control (C2) protocol through which threat actors remotely issue commands, including Virtual Network Computing (VNC) control of the device, collection of sensitive information, display of black or blank screens, and raising or lowering the volume, all of which help keep the malware inconspicuous.

Albiriox also provides a VNC-based remote access component that lets threat actors interact with compromised devices. One version of this mechanism leverages Android's accessibility services to read the screen, capturing every user interface and accessibility node rather than pixels.

Researchers noted, "This approach to streaming information using accessibility services is intended to circumvent restrictions to targets' screens imposed by Android's FLAG_SECURE feature."

"Many new mobile banking programs and cryptocurrency wallets now include functionality to disable the ability for users to take screenshots or use screen recording functionality, preventing access to screen content when screen recording is enabled using other methods. However, with accessibility services enabled, malware infections can gain access to screens with complete information and will not trigger the protections associated with traditional screen capture methods."

As with other Android banking malware, Albiriox can mount overlay attacks against specific target applications to harvest users' credentials. It can also display a full-screen overlay disguised as a system update or a "Black Screen," so that malicious actions can be completed without drawing the victim's attention.

Cleafy has also observed a slightly different distribution method for this malware: victims are lured to fake PENNY websites and asked to enter their telephone number in exchange for a download link, which is then delivered via WhatsApp. At present the site only accepts Austrian telephone numbers. The numbers entered are forwarded to a Telegram bot for collection.

According to Cleafy, Albiriox demonstrates all the standard characteristics of ODF malware: it "utilizes VNC technology for remote control, uses automated Accessibility to execute actions, creates targeted overlays for users, and collects dynamic credentials from users."

Alongside the Albiriox announcement, a new Android MaaS offering referred to as RadzaRat was announced as well. RadzaRat masquerades as a standard file manager application and, once installed, performs extensive surveillance and remote control of the victim's device. RadzaRat has been promoted on underground cybercrime forums since November 8, 2025.

The developer of RadzaRat, who calls himself "Heron44," presents RadzaRat as an "easy to use remote access" tool that anyone with limited technical knowledge can operate. The way RadzaRat is marketed points to a worrying trend of lowering the barrier to entry for cybercriminal activity.

A core function of RadzaRat is remote file system access. Cybercriminals using RadzaRat can browse the contents of the device's file system, search for specific files, and download files from the device. The malware also abuses Android's Accessibility Services to log the user's keystrokes and uses Telegram as its command-and-control (C2) channel.

Persistence is achieved through a combination of permissions (RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED) and a dedicated BootReceiver component that starts the malware automatically whenever the device reboots. The malware also requests the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission so that it can keep running in the background without being throttled by Android's battery optimization features.
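The permission and component combination described in this article (second-stage install, overlay window, accessibility service binding, boot receiver, battery-optimization exemption) can be checked statically in a decoded AndroidManifest.xml. The following triage script is an added example, not code from Cleafy or Certo; the indicator weights, the `triage_manifest` function name and the sample "file manager" manifest are editorial constructions.

```python
# Static triage of an AndroidManifest.xml for the indicator combination described above.
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.LOCKED_BOOT_COMPLETED"}
# Weights are an editorial assumption, not a scheme from the research.
PERMISSION_INDICATORS = {
    "REQUEST_INSTALL_PACKAGES": (2, "dropper: installs a second APK as a fake update"),
    "SYSTEM_ALERT_WINDOW": (2, "overlay: fake login, 'system update' or black screen"),
    "RECEIVE_BOOT_COMPLETED": (1, "persistence: relaunch after reboot"),
    "RECEIVE_LOCKED_BOOT_COMPLETED": (1, "persistence: relaunch before first unlock"),
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": (1, "persistence: evade background limits"),
}

def triage_manifest(xml_text: str) -> dict:
    """Return score, matched indicators and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    score, findings = 0, []
    declared = {p.get(NS + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    for perm, (weight, why) in PERMISSION_INDICATORS.items():
        if perm in declared:
            score += weight
            findings.append(f"{perm}: {why}")
    # An accessibility service is the screen-reading / remote-control path that
    # sidesteps FLAG_SECURE, so it is weighted as the strongest single indicator.
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            score += 3
            findings.append(f"accessibility service {svc.get(NS + 'name')}")
    # A receiver filtering on BOOT_COMPLETED is the BootReceiver persistence pattern.
    for rcv in root.iter("receiver"):
        if {a.get(NS + "name") for a in rcv.iter("action")} & BOOT_ACTIONS:
            score += 1
            findings.append(f"boot receiver {rcv.get(NS + 'name')}")
    return {"score": score, "findings": findings, "verdict": "review" if score >= 5 else "low"}

# Constructed sample: a "file manager" carrying the full combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_LOCKED_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""
```

Any one of these declarations is legitimate on its own (a real file manager may ask for boot receivers); the signal is the combination, which is why the script scores them together rather than alerting on a single permission.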

"The malware's ability to hide as a bona fide file manager, along with its extensive capabilities for monitoring and stealing personal information about its victims, places it among the biggest threats to not only individuals but also companies," Certo stated.

The findings come on the heels of a widespread distribution of the BTMOB Android malware through a number of fraudulent Google Play landing pages for a malicious app called "GPT Trade" (com.jxtfkrsl.bjtgsb), together with an associated persistence module named UASecurity Miner. BTMOB was first documented in February 2025 and abuses Accessibility Services to unlock the device, capture keystrokes, automate credential theft through injections, and control the device remotely.

A sophisticated, multilayered social engineering scheme has also been used to distribute heavily obfuscated Android malware, relying on adult-themed content to lure users into downloading the APK file. The APK requests sensitive permissions that enable phishing overlays, screenshot capture, downloading of additional malware, and control of the user's file system.

Palo Alto Networks Unit 42 said "it uses a flexible, multi-level structure consisting of front-end lure websites that utilize commercial-grade encryption and obfuscation techniques to conceal themselves and their connections to a separate back-end infrastructure through dynamic means. The front-end lure sites will also provide users with misleading loading messages and perform a variety of checks; one such check will be the elapsed time from initiation of the loading process to when the image has fully loaded, where the goal of these checks is to be obfuscated and have less chance of being identified."