The PolySwarm Blog


Albiriox Android Malware

Dec 8, 2025 1:43:05 PM / by The Hivemind

Verticals Targeted: Financial, Cryptocurrency
Regions Targeted: Austria, Global
Related Families: None

Executive Summary

Albiriox is a newly launched Android Malware-as-a-Service (MaaS) operated by Russian-speaking threat actors; it became publicly available in October 2025. Designed explicitly for On-Device Fraud, the malware combines a fully functional VNC-based remote access capability with an evolving overlay attack module, enabling complete real-time takeover of infected devices and direct manipulation of legitimate banking and cryptocurrency applications.

Key Takeaways

  • Albiriox employs a two-stage delivery chain: an obfuscated dropper (JSONPacker technique) distributed via social-engineering lures, followed by dynamic installation of the final payload after obtaining “Install Unknown Apps” permission.  
  • Core remote control is achieved through Accessibility-service VNC (AcVNC), providing real-time screen streaming and UI interaction while bypassing Android FLAG_SECURE protections used by most banking apps.  
  • The malware targets more than 400 financial and cryptocurrency targets worldwide and supports both generic and application-specific overlay attacks for credential theft.  
  • Distributed as a MaaS with a custom builder integrating Golden Crypt crypting service, Albiriox is marketed on Russian-language underground forums with monthly pricing starting at $650 USD.

What is Albiriox?

Cleafy researchers have documented Albiriox, a newly launched Android Malware-as-a-Service (MaaS) operated by Russian-speaking threat actors. In late September 2025, the threat actors began recruiting beta testers for a new Android banking trojan on exclusive Telegram channels and high-reputation cybercrime forums. By mid-October the project had matured into a publicly available Malware-as-a-Service under the name Albiriox. Linguistic indicators, forum activity, and infrastructure telemetry all point to Russian origin.

Albiriox is engineered from the ground up for On-Device Fraud (ODF). Its primary infection vector observed to date uses German-language SMS lures targeting Austrian users, directing victims to counterfeit Google Play pages or multi-step phishing kits that ultimately deliver a dropper masquerading as the legitimate Penny Market application. The dropper immediately presents a fake system-update prompt to coerce the victim into granting permission to install apps from unknown sources. Once granted, it unpacks and installs the final Albiriox payload using the JSONPacker dynamic loading technique, significantly complicating static detection.

After installation, Albiriox requests extensive Accessibility Service permissions, which are the cornerstone of its remote control capability. The malware implements a dual-mode VNC system: traditional screen capture and an Accessibility-driven stream that exposes UI node trees even when banking applications enable FLAG_SECURE. Operators can switch between modes inside the web panel and issue fine-grained commands including click, swipe, text input, keylogging, application launch, and screen blanking. A persistent unencrypted TCP socket carrying a JSON-based protocol with a ping/pong heartbeat ensures reliable command-and-control.
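The heartbeat described above is also what makes the channel visible to defenders: plaintext JSON arriving at one destination at a fixed cadence stands out in flow or packet data. The following added example (not PolySwarm's or Cleafy's code, and not derived from an Albiriox sample) implements that periodicity heuristic over a constructed capture; the message shape `{"type":"ping"}`, the addresses and the 30-second period are assumptions, since the bulletin only states that the channel is unencrypted TCP carrying JSON with a ping/pong heartbeat.

```python
import json
import statistics
from collections import defaultdict

# Constructed sample: (seconds, dst_ip, dst_port, payload). 198.51.100.20:8080
# receives a JSON keepalive about every 30 s over plain TCP; the rest is normal.
SAMPLE_CAPTURE = [
    (0.0, "198.51.100.20", 8080, b'{"type":"ping","id":"dev-01"}'),
    (10.0, "203.0.113.7", 443, b'{"q":"balance"}'),
    (13.0, "203.0.113.7", 443, b'{"q":"history","page":2}'),
    (30.2, "198.51.100.20", 8080, b'{"type":"ping","id":"dev-01"}'),
    (45.0, "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\n"),
    (60.1, "198.51.100.20", 8080, b'{"type":"ping","id":"dev-01"}'),
    (75.0, "203.0.113.7", 443, b'{"q":"balance"}'),
    (80.0, "203.0.113.7", 443, b'{"q":"logout"}'),
    (90.3, "198.51.100.20", 8080, b'{"type":"ping","id":"dev-01"}'),
    (120.0, "198.51.100.20", 8080, b'{"type":"ping","id":"dev-01"}'),
]


def parse_json_payload(raw):
    """Decode a plaintext payload as a JSON object; None if it is not one."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def heartbeat_candidates(capture, min_msgs=4, max_cv=0.2):
    """Flag destinations receiving plaintext JSON at near-constant intervals
    (low coefficient of variation of the gaps): a keepalive, not user traffic."""
    per_dst = defaultdict(list)
    for ts, dst_ip, dst_port, raw in capture:
        if parse_json_payload(raw) is not None:
            per_dst[(dst_ip, dst_port)].append(ts)
    findings = {}
    for dst, stamps in per_dst.items():
        stamps.sort()
        if len(stamps) < min_msgs:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings[dst] = {"messages": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)}
    return findings
```

Tune `min_msgs` and `max_cv` to the observation window; a tighter `max_cv` suppresses bursty but legitimate polling clients.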

Complementing the RAT functionality is an overlay attack framework. Although still under active development, current builds ship with generic overlay templates plus specialized screens that operators can trigger during live sessions to hide fraudulent activity from the victim. The target list, extracted from a dedicated AppInfos class, exceeds 400 packages covering traditional banks, neobanks, cryptocurrency exchanges, and digital wallets across dozens of countries.

To improve initial deployment success, the MaaS package includes a builder that pipes compiled APKs through Golden Crypt, a commercial cryptor widely advertised on the same forums. This additional obfuscation layer helps the dropper and payload evade signature-based mobile security products long enough to reach the Accessibility-enabled stage.

Albiriox joins the latest generation of ODF-focused Android trojans that prioritize full device takeover and real-time interaction over traditional credential stuffing or SMS interception. Its rapid transition from private beta to commercial service, combined with ongoing feature expansion, indicates the family will become a prevalent tool for financially motivated actors in the coming months. PolySwarm analysts consider Albiriox to be an emerging threat. 

IOCs

PolySwarm has multiple samples associated with this activity.

 


Click here to view all samples of Albiriox in our PolySwarm portal.

 

Topics: Threat Bulletin, Emerging Threat, on-device fraud, overlay attacks, Android banking trojan, MaaS Malware, Mobile RAT, Android Overlay Attacks, Golden Crypt, Albiriox, Russian-speaking Threat Actors
