Albiriox — the Android malware that can take over your phone and drain your bank accounts

A new Android malware known as Albiriox is raising a serious red flag for anyone who uses their phone for banking, payments, or cryptocurrency. Discovered in the fall of 2025, Albiriox quickly made its way into the global cyber-threat landscape, being sold as a MaaS — Malware-as-a-Service — offering.
Albiriox is a Remote Access Trojan (RAT) and banking trojan built to execute fraud directly on victims’ devices. As such, it goes far beyond stealing passwords: attackers can perform real transactions using the infected phone as if they were physically holding it. Its architecture is modular, with loaders, command modules, and a control panel tailored for financial and cryptocurrency apps worldwide.
It already includes an internal database of over 400 financial, payment, fintech, and crypto apps that it can inspect and exploit for fraud — a clear sign that it doesn’t target a single bank or country, but operates on a global scale.

Albiriox combines several advanced capabilities that let attackers control a phone as if it were in their own hands:

  • Live remote control: the attacker receives the phone’s screen feed and can type or navigate in real time.
  • On-device fraud: they can open banking or crypto apps, initiate transfers, and approve them using the victim’s own device, which makes the fraudulent activity extremely difficult to detect.
  • Abuse of accessibility services: the malware can automate taps, read on-screen content, and bypass certain security measures.
  • Overlay attacks (in development): it may display fake login or verification screens on top of legitimate apps to steal credentials or authentication codes.
  • Black-screen masking: during fraudulent operations, the victim sees a black or dummy screen so everything happens without visible signs.

Because of how it operates, attackers can often bypass multi-factor authentication (MFA) or device-based security checks.
And since Albiriox is sold as a MaaS offering, attackers can distribute it in multiple ways: fake apps, links sent via SMS/WhatsApp, or websites impersonating official app stores.

How to protect yourself

  • Install apps only from official sources (e.g., Google Play), avoiding links received via SMS, email, or messages.
  • Check the app publisher, download count, and reviews before installing — especially for apps related to banking, investments, or payments.
  • Pay close attention to the permissions an app requests: if it asks for accessibility services, SMS access, camera access, or administrator rights, verify whether the request is legitimate.
  • Keep Android, Google Play Services, and your banking/crypto apps up to date to benefit from the latest security patches.
  • Wherever available, enable multi-factor authentication, choose more secure methods (authenticator apps, hardware tokens, etc.), and set up security alerts for your accounts, such as for large transfers, new sign-ins, and unknown devices.
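
The permission check in the list above can also be run from a computer. This is an added example, not part of the original article: it parses the output of two standard adb commands and lists apps that hold an enabled accessibility service but were not installed by Google Play. The package names in the sample data are constructed.

```python
# Added example: audit which apps hold an accessibility service and how they were installed.
# Inputs are the text output of two standard adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample data (component and package names are made up for illustration).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.CoreService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.bank  installer=com.android.vending
"""

def parse_accessibility(setting: str) -> set[str]:
    """Return package names owning an enabled accessibility service."""
    setting = setting.strip()
    if not setting or setting == "null":  # setting unset: nothing enabled
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_installers(listing: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in listing.splitlines():
        fields = line[len("package:"):].split() if line.startswith("package:") else []
        if not fields:
            continue
        installer = next((f.split("=", 1)[1] for f in fields[1:]
                          if f.startswith("installer=")), "unknown")
        installers[fields[0]] = installer
    return installers

def flag_sideloaded_a11y(setting: str, listing: str) -> list[tuple[str, str]]:
    """Packages with an accessibility service that did not come from Google Play."""
    installers = parse_installers(listing)
    return sorted((pkg, installers.get(pkg, "unknown"))
                  for pkg in parse_accessibility(setting)
                  if installers.get(pkg, "unknown") != PLAY_STORE)

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} has an accessibility service, installer={src}")
```

Preinstalled system apps also report no installer, so a flagged entry is a prompt to review the app, not a verdict.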

Although the malware was initially detected in limited campaigns (Austria), its nature suggests it could soon become a real threat for users in Romania and other countries. As more people rely on their phones for payments, online banking, and investments, the risk becomes relevant for everyone.

Source: Malwarebytes

