New Albiriox Android MaaS targets more than 400 apps

A new Android malware dubbed ‘Albiriox’ is being offered as malware-as-a-service (MaaS). First spotted in late September 2025, the threat quickly evolved into a commercial service by October, advertising what its developers call a “full spectrum” of tools for on-device fraud (ODF), screen manipulation, and real-time device interaction.

According to researchers at Cleafy, Albiriox embeds a hard-coded list of more than 400 targeted apps, including banking services, fintech tools, payment processors, crypto exchanges, digital wallets, and trading platforms. The malware is delivered via dropper apps spread through social engineering lures and concealed with packing techniques designed to evade static security scans.

Researchers believe the operators are Russian-speaking, based on forum activity, language patterns, and infrastructure. Customers purchasing access to Albiriox receive a customizable builder that integrates with Golden Crypt, a third-party crypting service used to bypass antivirus and mobile security defenses.

At least one active campaign has targeted Austrian users, using German-language SMS messages containing shortened links to fake Google Play Store pages for popular apps such as PENNY Angebote & Coupons. Victims who click “Install” unknowingly download a dropper APK and are prompted to grant installation permissions under the guise of a system update, ultimately enabling the deployment of Albiriox.

Once activated, the malware communicates via an unencrypted TCP socket for command-and-control purposes, giving operators remote access through a VNC-based module. This enables threat actors to control the device, deploy blank or black screens for stealth, capture sensitive data, and adjust system volume to avoid detection. Albiriox also leverages Android's accessibility services to harvest UI data and supports overlay attacks that mimic system updates or login screens for credential theft.

Cleafy researchers also discovered a variant of the distribution chain that directs victims to a spoofed PENNY website, where they are prompted to enter an Austrian phone number to receive a WhatsApp download link. These numbers are then siphoned to a Telegram bot.

Earlier this month, researchers at Certo detailed another MaaS Android tool called RadzaRat advertised on underground forums. The malware masquerades as a file management utility before deploying extensive surveillance and remote-access features.
