Android malware crews have moved far past simple banking trojans. The new trend is on device fraud. Full device takeover. Real time interaction inside your legitimate banking session. Albiriox is the latest proof that the threat landscape is getting nastier and more industrialised.
Albiriox is sold as a malware as a service kit. Anyone with money can buy it. The operators advertise it as a full spectrum toolset for device control, credential theft and fraud automation. It ships with a hard coded target list covering more than 400 financial apps. Banks, fintechs, crypto exchanges, payment processors and trading platforms. The entire financial attack surface is covered.
The delivery chain is exactly what you would expect in 2025. Fake Google Play Store pages. SMS lures. German language bait for Austrian victims. Users hit the Install button on a page that looks real enough to fool most people. They get a dropper APK that immediately asks for permission to install other apps. Once granted, the real payload arrives and the device is owned.
The command and control channel is an unencrypted TCP socket. Simple and ugly. It allows the operators to push commands, siphon data and take interactive control using a VNC module. They can black out the screen, lower volume and hide activity. The victim sees nothing. The criminal sees everything.
The most dangerous part is how it defeats Androids protections. Modern financial apps use FLAG_SECURE to block screenshots and screen recording. Albiriox sidesteps this entirely by abusing accessibility services. Instead of capturing the pixel buffer, it crawls the UI tree and reads every element directly. Every button. Every field. Every number. The security flag means nothing.
The malware also supports overlay attacks. Fake login screens. Fake system update prompts. Black screens designed to keep the user occupied while fraud happens behind the scenes. All the classics. All automated.
Researchers have seen alternate distribution methods too. One campaign used a fake PENNY site that demanded a phone number in order to send a WhatsApp download link. Only Austrian numbers were accepted. Every number entered was streamed straight into a Telegram bot controlled by the attackers.
Albiriox is not alone. Another MaaS kit, RadzaRat, is being pushed at the same time. It pretends to be a file manager and ships with remote file access, directory browsing, keystroke logging and Telegram based command and control. It uses RECEIVE_BOOT_COMPLETED to relaunch after reboot and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to stay alive indefinitely.
There is also a steady stream of fake Google Play pages pushing BTMOB and UASecurity Miner. These abuse accessibility services to unlock devices, harvest credentials and drive remote control. Other campaigns hide behind adult content lures and heavily obfuscated front ends that test network timing to avoid analysis.
Androids problem is simple. Accessibility services give malware the exact same surface area that legitimate automation tools rely on. Once granted, the device stops being the users device. It becomes an interactive terminal for the operator. Antivirus does not stop it. Play Store policies do not stop it. The only real protection is to avoid sideloading, lock down permissions and stop trusting random links.
On device fraud is the new standard because it works. It is not a phishing problem. It is not a password problem. It is a full session takeover problem. When malware operates inside your own banking session, none of the old layers of defence matter. If criminals can see your screen and press your buttons, the game is over.
Harden the device. Treat every unsolicited link as hostile. Never grant accessibility permissions to anything that is not essential. Android security is being tested by attackers who no longer aim for your credentials. They aim for your entire session.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
What is Albiriox
A new Android malware sold as a MaaS kit with full device control and credential theft abilities.
How does Albiriox bypass FLAG_SECURE
It uses accessibility services to read UI elements directly instead of capturing the screen.
What apps does Albiriox target
Over 400 banking, fintech, crypto wallet, trading and payment apps.
How is Albiriox delivered
Through fake app store pages, social engineering and malicious dropper APKs.
How can users protect themselves
Avoid sideloading, verify app sources, restrict accessibility permissions and use hardened Android devices.