A new Android malware family called Albiriox is being sold under a malware-as-a-service model, offering extensive capabilities for on-device fraud, real-time device control, and screen manipulation. It targets more than 400 financial and cryptocurrency apps and spreads through dropper apps that are delivered via social engineering and hidden behind obfuscation techniques.
First advertised in late 2025, Albiriox appears to be operated by Russian-speaking threat actors. Buyers receive a custom builder that integrates with the Golden Crypt crypting service to evade mobile security tools. Early campaigns have already targeted Austrian users through fake Google Play pages and SMS lures that install a dropper disguised as a routine software update.
Once installed, the malware gains broad permissions, establishes an unencrypted TCP C2 channel, and deploys a VNC-based remote access module. By abusing Android accessibility services, it sidesteps the screen-capture restriction that FLAG_SECURE imposes, enabling attackers to view protected banking screens, harvest credentials, and execute fraudulent transactions unnoticed.
Albiriox also performs overlay attacks, shows fake system update screens, and uses alternative distribution methods such as spoofed retail websites that collect phone numbers and deliver malicious links via WhatsApp. Its combination of VNC control, accessibility abuse, and credential harvesting reflects the core traits of modern on-device fraud malware.
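As an added defensive example that is not part of the article, the Android snippet below shows how a banking app can harden a sensitive screen against the two techniques described above (accessibility abuse and overlay attacks): it sets FLAG_SECURE, hides overlay windows on Android 12+, and refuses to proceed when an accessibility service outside a hypothetical allowlist is enabled. The TalkBack package name in the allowlist and the `finish()` policy are assumptions, not anything the article prescribes.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.view.WindowManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class SecureBankingActivity extends Activity {

    // Hypothetical allowlist; a real app ships its own vetted list (here: the platform screen reader).
    static final Set<String> TRUSTED_A11Y_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    /** Parse ENABLED_ACCESSIBILITY_SERVICES ("pkg/cls:pkg2/cls2") into the packages not on the allowlist. */
    static List<String> untrustedAccessibilityPackages(String enabledSetting) {
        List<String> untrusted = new ArrayList<>();
        if (enabledSetting == null) return untrusted;
        for (String entry : enabledSetting.split(":")) {
            if (entry.isEmpty()) continue;
            int slash = entry.indexOf('/');
            String pkg = slash >= 0 ? entry.substring(0, slash) : entry;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) untrusted.add(pkg);
        }
        return untrusted;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Block screenshots and screen recording of this window.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        // Android 12+: hide non-system overlay windows drawn on top of this activity.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }
        // Accessibility services read the UI tree regardless of FLAG_SECURE, so an enabled
        // service outside the allowlist makes this a high-risk session.
        String enabled = Settings.Secure.getString(getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (!untrustedAccessibilityPackages(enabled).isEmpty()) {
            finish(); // Constructed policy: refuse the flow; a real app would require step-up auth.
        }
    }
}
```

`setHideOverlayWindows` requires the normal permission `android.permission.HIDE_OVERLAY_WINDOWS` to be declared in the manifest, and it only hides overlays while this activity is visible; it does not detect or remove the malicious app.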
Its emergence coincides with new MaaS offerings such as RadzaRat, a fake file manager that enables extensive surveillance, file exfiltration, keystroke logging, and persistent background control. Other campaigns continue to leverage spoofed Google Play pages, adult-content lures, and highly obfuscated delivery chains to push malware like BTMOB and UASecurity Miner, underscoring a widening ecosystem of advanced Android threats.