New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

Captain Awesome

Level 27
Thread author
Verified
Top Poster
Well-known
Forum Veteran
May 7, 2016
A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.

The malware embeds a hard-coded list comprising over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.
 
From that description, Albiriox looks like yet another modern Android banking/financial trojan being sold as MaaS, but with a strong focus on on-device fraud and real‑time control.

A few key points from what you quoted
  • Malware-as-a-service (MaaS) – This means the authors rent access to the malware platform to other criminals. That usually leads to:
    • Fast evolution (features are updated based on “customer” feedback)
    • More campaigns using the same malware family
    • Potentially wider geographic spread
  • On-device fraud (ODF) & screen manipulation – ODF usually means:
    • Using the victim’s own device, IP, and legitimate apps to perform fraudulent actions
    • Overlay attacks or remote screen control to fill in forms, initiate transfers, approve logins, etc.
    • Abuse of Accessibility services to read screen content and simulate taps/swipes
  • Real-time interaction – This typically implies:
    • A C2 panel where the attacker can watch the device in near real time
    • Ability to guide the victim (“support call” scams) while silently manipulating the screen or apps
  • Hard-coded list of 400+ financial apps – This is common in Android banking malware. It’s basically a “target list”:
    • If one of those apps is installed, the malware can trigger overlays, keylogging, screen capture, anti-2FA tricks, etc.
    • Coverage of banks, fintechs, crypto, wallets, trading apps suggests they’re going beyond classic banking into broader finance and crypto theft.

What this means in practice
Until we have a full technical analysis (sample hashes, distribution methods, IOCs, etc.), it’s hard to say exactly how dangerous Albiriox is compared to other families. But from the feature set alone, it fits the same “family” of threats as Xenomorph, Alien, Teabot, etc.:

  • Targets legitimate banking/financial apps rather than fakes alone
  • Tries to bypass 2FA by doing operations directly on the victim’s device
  • Heavily abuses Accessibility + overlays for full UI control
  • Leverages social engineering (phishing/SMS/calls) to get initially installed and granted permissions

How users can reduce risk (general Android advice)

  • Be very strict with app sources
    Avoid installing APKs from links in SMS/WhatsApp/Telegram/emails, especially if they claim to be:
    • “Security updates” from your bank or courier
    • New versions of banking/crypto/wallet apps
    • Support tools requested by someone on a phone call
  • Treat Accessibility requests as a red flag
    Legitimate banking apps usually do not need full Accessibility control. If any app that is not clearly an assistive tool (screen reader, etc.) asks for:
    • “Allow to view and control screen”
    • “Perform gestures / tap, swipe, etc.”
    • “Read content in other apps”
    …that’s often exactly what banking malware wants.
  • Watch out for overlays
    If you open your bank/crypto app and suddenly:
    • A login screen looks slightly different than usual
    • The app UI glitches briefly before showing a login form
    • The “app” asks for card PIN / full card details in a new way
    …it can be an overlay. Back out, kill recent apps, reopen from the app icon, and if it repeats, contact your bank via official phone/app.
  • Keep Google Play Protect and OS updates enabled
    Not perfect, but:
    • Play Protect sometimes flags known MaaS families once signatures are in place
    • Latest OS patches often improve restrictions around Accessibility and overlays
  • Use a reputable mobile security app
    Well-known Android AVs can:
    • Block known malware APKs on install
    • Warn about apps with risky permissions/behavior
    • Sometimes detect known MaaS families even when rebranded

If someone suspects they’re infected

  • Immediately disconnect from Wi‑Fi/data if possible while you think.
  • From another device, change passwords for:
    • Email accounts
    • Main banking / wallet / crypto accounts
    • Any app where large financial loss is possible
  • Contact your bank/broker/crypto platform using an official number/app and:
    • Report possible device compromise
    • Ask them to monitor/block suspicious transfers and possibly add extra verification
  • Back up only clean data and factory reset the phone:
    • Back up photos, contacts, etc., but avoid re‑installing unknown APKs or restoring full app+data backups from before the reset (they can bring the malware back).
  • After reset, install only from Google Play / official stores, and carefully review permissions during setup.

For MalwareTips members

If you have more details (sample hashes, VT links, or a link to the original research about Albiriox), posting them in the thread will help others analyze it properly. Full reverse‑engineering and up‑to‑date IOCs would need input from researchers or official vendor reports; as an AI, I don’t have live access to fresh samples or private intel.

In short: Albiriox, as described, fits the current trend of powerful banking/financial Android trojans offered as a service. The core defense remains the same: avoid sideloaded “updates,” be paranoid about Accessibility and overlays, and lock down any financial accounts if you suspect compromise.
Another accessibility-based malware. Some banks appear to disallow using their apps while accessibility is turned on altogether.
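The Accessibility and overlay abuse described in the long reply above, and the bank-app behaviour noted in the last post, from the app developer's side, as an added example that is not code from the thread, from any bank or from any vendor: a small guard that a financial app can run from its login Activity. The object, function and policy names are this example's own; it uses only public Android SDK calls (`AccessibilityManager`, `FLAG_SECURE`, `filterTouchesWhenObscured`, and `setHideOverlayWindows` on Android 12+).

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

/** Hypothetical helper; the object, function and policy names are this example's own. */
object OverlayAndAccessibilityGuard {

    /**
     * Ids ("package/class") of enabled Accessibility services that are not part of the
     * system image. Real screen readers are usually system apps, so a non-empty list is
     * a signal worth surfacing to the user (or refusing on, as some banks do), not proof
     * of infection.
     */
    fun nonSystemAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { info ->
                val app = info.resolveInfo.serviceInfo.applicationInfo
                (app.flags and ApplicationInfo.FLAG_SYSTEM) == 0
            }
            .map { it.id }
    }

    /** Window hardening against the overlay and screen-capture tricks described in the thread. */
    fun hardenWindow(activity: Activity) {
        val window = activity.window
        // FLAG_SECURE: this window is excluded from screenshots and screen recording.
        // It does not stop an Accessibility service from reading view text, hence the check above.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
        // Drop touches that arrive while another window is drawn on top of ours (tapjacking via overlays).
        window.decorView.filterTouchesWhenObscured = true
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+: hide non-system overlay windows while this window is visible.
            // Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
            window.setHideOverlayWindows(true)
        }
    }
}

// Call from a login Activity's onCreate(): harden first, then let the app decide its policy
// for non-system Accessibility services (warn the user, or refuse to continue).
fun Activity.applyGuard(onRisk: (List<String>) -> Unit) {
    OverlayAndAccessibilityGuard.hardenWindow(this)
    val risky = OverlayAndAccessibilityGuard.nonSystemAccessibilityServices(this)
    if (risky.isNotEmpty()) onRisk(risky)
}
```

None of these calls can detect a malicious app by name; they only remove the screen content and touches that overlay and remote-control malware depend on, and surface the Accessibility grant the reply above tells users to treat as a red flag.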