A new Android malware called Albiriox has been discovered, and security experts warn that it is one of the most advanced threats targeting banking and crypto users today. It works as a “Malware-as-a-Service,” where cybercriminals pay a subscription to use it. Researchers first saw signs of Albiriox around September 2025 in private underground forums. Soon after, it became publicly available for criminals to rent.

Albiriox is extremely dangerous because it gives attackers complete remote control over infected phones. It uses a VNC-style system that shows the victim’s screen to the attacker in real time. This allows criminals to tap, type, open apps, and perform actions exactly like the phone owner. Everything happens silently, without the user noticing anything unusual.

The malware also uses powerful overlay techniques to trick victims. It can display fake screens on top of real banking or crypto apps, capturing passwords and approvals. Since the fraud occurs inside genuine app sessions, many security systems fail to detect it. This makes Albiriox capable of bypassing normal protections, including some forms of two-factor authentication.

Researchers found that Albiriox contains a hard-coded list of more than 400 targeted apps. These apps include banks, fintech services, payment platforms, crypto exchanges, and digital wallets from around the world. This wide targeting shows the malware was built for large-scale financial fraud. Its global reach makes it a serious threat to millions of users.

The infection usually begins through social engineering. Attackers send fake messages through SMS or WhatsApp, or create convincing webpages that imitate real services. These pages push users to download a “dropper” app, which looks harmless on the surface. Once installed, this dropper delivers the actual Albiriox malware onto the phone.

To stay hidden, Albiriox uses heavy obfuscation and packing tools that make it difficult for antivirus programs to detect. One of the tools used in its distribution is known as “Golden Crypt,” which helps hide the malware’s code. After installation, the malware connects directly to the attacker through an unencrypted connection. This allows continuous control without interruption.

Once active, the attacker can remotely navigate the phone, open apps, read messages, and even blank the screen to hide their actions. The malware can also automate clicks, swipes, and text input, allowing quick execution of fraudulent transactions. Because everything happens on the victim’s device, it becomes harder for banks to identify the fraud. This makes Albiriox especially effective and dangerous.

Experts advise users to take simple but important precautions to protect themselves. Avoid installing apps from unknown links or outside official app stores. Do not grant Accessibility permissions or “Install unknown apps” permissions to unfamiliar applications. Use secure authentication methods and monitor banking alerts closely. With threats like Albiriox growing, staying cautious is the best defence.
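The two permissions the advice above singles out, Accessibility and "Install unknown apps", can be audited on a device the defender controls. The following is an added example, not code from the article or from any research cited in it: it parses the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and the output of `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES`, flagging any package outside an owner-maintained allowlist. The allowlist, package names and command outputs below are constructed, and the exact appops line format is assumed.

```python
"""Audit Accessibility and install-unknown-apps grants on an Android device.

Added defender-side example (not from the article). Inputs are the raw
strings produced by two adb commands; the sample values are constructed.
"""
from typing import Dict, List, Set

# Constructed allowlist: packages the device owner expects to hold the
# Accessibility permission (for example a screen reader). Adjust per device.
TRUSTED_ACCESSIBILITY_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(raw: str) -> List[str]:
    """Split the `enabled_accessibility_services` value into components.

    The setting is a colon-separated list of `package/ServiceClass`
    entries; when nothing is enabled `settings get` prints 'null' or ''.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [component for component in raw.split(":") if component]


def flag_untrusted_services(
    raw: str, trusted: Set[str] = TRUSTED_ACCESSIBILITY_PACKAGES
) -> List[str]:
    """Return enabled accessibility components whose package is not trusted."""
    flagged = []
    for component in parse_enabled_services(raw):
        package = component.split("/", 1)[0]
        if package not in trusted:
            flagged.append(component)
    return flagged


def audit_install_unknown_apps(appops_output: Dict[str, str]) -> List[str]:
    """Map {package: output of `appops get <pkg> REQUEST_INSTALL_PACKAGES`}
    to the packages currently allowed to install unknown apps.

    Assumed format: a granted op prints 'REQUEST_INSTALL_PACKAGES: allow ...';
    anything else ('No operations.', 'deny', 'default') is treated as not granted.
    """
    return [
        package
        for package, output in appops_output.items()
        if "REQUEST_INSTALL_PACKAGES: allow" in output
    ]
```

A package appearing in both lists is the combination the advice warns about: it can drive the screen and can side-load further code, which is exactly what a dropper needs.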

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news