Full Report
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency
Analysis Summary
# Tool/Technique: Albiriox
## Overview
Albiriox is a new Android malware advertised under a Malware-as-a-Service (MaaS) model. Its primary purpose is to facilitate on-device fraud (ODF), screen manipulation, and real-time remote interaction with infected devices by targeting over 400 applications across banking, finance, cryptocurrency, and payment sectors.
## Technical Details
- Type: Malware family (Android Trojan/RAT hybrid focusing on ODF)
- Platform: Android
- Capabilities: On-Device Fraud (ODF), screen manipulation (VNC), remote control, credential harvesting via overlays, information extraction.
- First Seen: Advertised in a limited recruitment phase in late September 2025, shifted to MaaS a month later (circa late October/November 2025).
## MITRE ATT&CK Mapping
*Note: Since Albiriox is a banking trojan acting as a Remote Access Tool (RAT) on mobile, mappings focus on execution, persistence, and interaction/exfiltration.*
- **TA0001 - Initial Access**
  - T1457 - Drive-by Compromise (via malicious app installation from fake store listings)
- **TA0002 - Execution**
  - T1450 - Untrusted Execution (via dropper applications)
- **TA0005 - Defense Evasion**
  - T1472 - System Binary Proxy Execution (potential use of legitimate system features/APIs for malicious ends)
- **TA0008 - Lateral Movement** (not explicitly stated, but remote control enables this concept on the device)
- **TA0009 - Collection**
  - T1438 - Account Credentials (via overlay attacks)
- **TA0011 - Command and Control**
  - T1571 - Non-Standard Port (implied through the custom TCP socket connection, though port specifics aren't given)
- **TA0012 - Lateral Movement** (N/A - focus remains on the compromised device) - replaced with MSR tactic
- **TA0014 - Impact**
  - T1563 - Data Destruction / Data Obfuscation (not explicitly stated, but the capabilities support fraud, which is an impact)
  - T1556 - Identity Spoofing (through overlay attacks mimicking legitimate processes/apps)
## Functionality
### Core Capabilities
- **On-Device Fraud (ODF):** Execution of fraudulent transactions directly on the device.
- **Application Targeting:** Hard-coded list of over 400 target applications (banking, fintech, crypto exchanges, etc.).
- **Overlay Attacks:** Serving overlays (mimicking system updates or blank screens) for credential theft.
- **Remote Control (VNC):** Installation of a VNC-based remote access module for real-time interaction.
### Advanced Features
- **Accessibility Service Exploitation:** Uses Android's accessibility services to stream screen content, intentionally bypassing the `FLAG_SECURE` protection used by banking apps to block screen recording/capture.
- **Evasion Techniques:** Employs dropper applications and packing techniques to evade static detection.
- **Crypting Integration:** Allegedly integrates with the third-party crypting service "Golden Crypt" to bypass security solutions.
- **Stealth Operations:** Ability to serve black or blank screens and manipulate volume to hide malicious activities while operating in the background.
- **Exfiltration via Telegram Bot:** Phone numbers collected from victims via SMS lure redirection (Austrian campaign example) are exfiltrated to a Telegram bot.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the text)
- File Names: Dropper APKs distributed via social engineering lures.
- Registry Keys: N/A (Android platform)
- Network Indicators: Unencrypted TCP socket connection used for C2 communication.
- Behavioral Indicators: Prompts user to grant "install apps" permission under the guise of a software update; heavy reliance on Android Accessibility Services post-compromise.
## Associated Threat Actors
- Threat actors are suspected to be Russian-speaking, based on forum activity, linguistic patterns, and infrastructure used.
- Operates under a MaaS commercial model.
## Detection Methods
- Signature-based detection: Matching known dropper hashes or the Albiriox payload signature.
- Behavioral detection: Monitoring for requests to enable Accessibility Services and subsequent screen capture/interaction attempts originating from the malware process, especially attempts to bypass `FLAG_SECURE`.
- YARA rules: Not explicitly mentioned, but could target strings related to VNC interaction or the known target application list fingerprint.
## Mitigation Strategies
- **User Education:** Caution against installing applications from links received via SMS or social media, especially if installation requires granting permissions via fake "software update" prompts.
- **App Sourcing:** Only install applications from official sources (Google Play Store).
- **Permission Review:** Regularly review Accessibility Service permissions granted on the device.
- **System Hardening:** Ensure Android OS and security patches are up-to-date, although ODF malware aims to bypass many standard protections.
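The behavioral-detection and permission-review points above both come down to knowing which apps hold accessibility access. The script below is an added example, not part of the original report: it audits the `enabled_accessibility_services` setting that `adb shell settings get secure enabled_accessibility_services` returns and flags any service whose package is not on an allowlist. The allowlist packages and the sample device output are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit enabled Android accessibility services against an
# allowlist. On a real device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# The value is "package/ServiceClass" entries separated by ":" ("null" if unset).

# Packages expected to hold accessibility access (assumption: adjust per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# Print every enabled service whose package is not allowlisted, one per line.
# $1: raw value of enabled_accessibility_services
find_unexpected_services() {
    raw=$1
    if [ "$raw" = "null" ]; then
        return 0                       # nothing enabled on this device
    fi
    echo "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        if [ -z "$svc" ]; then
            continue
        fi
        pkg=${svc%%/*}                 # package name is the part before "/"
        allowed=0
        for a in $ALLOWED_PKGS; do
            if [ "$a" = "$pkg" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$svc"
        fi
    done
}

# Constructed sample standing in for the adb output: a legitimate screen
# reader plus an unknown "update helper" service of the kind ODF malware uses.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.sysupdate.helper/.AccessService'

find_unexpected_services "$SAMPLE"
# prints: com.sysupdate.helper/.AccessService
```

Any package reported here deserves a look at how it was installed and what it requested, since legitimate accessibility consumers are few and change rarely.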
## Related Tools/Techniques
- Other Android on-device-fraud (ODF) malware families.
- Traditional Android Banking Trojans that utilize Accessibility Services (e.g., Cerberus, FluBot).