Albiriox: New Android MaaS Uses VNC for Covert Remote Bank Fraud
Against the backdrop of a surge in schemes involving the remote manipulation of infected devices, a new tool for attacking Android has emerged on the cybercrime market. Threat-analysis firms report the appearance of several Malware-as-a-Service (MaaS) offerings that allow attackers to covertly control smartphones, execute operations within banking applications, and circumvent security mechanisms with alarming ease.
Albiriox has become one of the most prominent newcomers. Its developers offer a comprehensive suite of features for covert screen control, automated interaction, and data interception. Embedded within the malware is an extensive catalog of hundreds of financial applications it can target.
Its distribution relies on chains of fake webpages and installer applications. These programs impersonate legitimate services, use packing tricks to evade static analysis, and rely on social-engineering lures to get victims to install them. According to researchers at Cleafy, the first advertisements for the tool appeared in the autumn, and available indicators suggest that its creators originate from Eastern Europe.
Buyers receive a generator for assembling customized builds, along with support for a third-party encryption service called Golden Crypt, used to bypass security solutions. One documented campaign targeted Austria, where victims were lured to counterfeit Google Play pages distributing a fake app titled PENNY Angebote & Coupons. Upon launch, the app prompted users to authorize the installation of additional “updates,” which then delivered the primary payload.
Albiriox communicates over unencrypted TCP connections and enables remote device interaction via VNC, data extraction, blank-screen overlays, and volume manipulation to mask ongoing malicious activity. An additional VNC-based remote-access module is installed, which exploits Android accessibility services to bypass the FLAG_SECURE restriction and obtain full visibility into interfaces—even within apps that normally block screen recording.
The malware can also spoof the interfaces of well-known services or display counterfeit system dialogs, hiding its background operations. The distribution scheme involving the fake PENNY page includes the collection of Austrian phone numbers and their transmission to a Telegram bot.
Alongside these discoveries, another piece of malware—RadzaRat—has surfaced. Disguised as a legitimate file manager, it gains access to the file system after installation, exfiltrates data, captures keystrokes through accessibility services, and is controlled via Telegram. To maintain persistence, it leverages auto-start permissions, reboot-survival mechanisms, and battery-optimization bypasses. According to Certo’s Sofia Taylor, the tool is designed for users with no technical expertise, making it particularly appealing to criminal groups.
Meanwhile, researchers at D3Lab identified fraudulent Google Play pages for an app called GPT Trade, which distributed BTMOB-family malware and the UASecurity Miner module. BTMOB—first documented earlier this year—abuses accessibility services to unlock devices, intercept user input, and perform actions on the victim’s behalf.
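All three families described above (Albiriox, RadzaRat and BTMOB) depend on the victim granting an accessibility service, which is what lets them read and drive the UI even where FLAG_SECURE blocks screen recording. As an added example, not code from the Cleafy, Certo or D3Lab reports, the Kotlin below shows the check a banking app could run before a sensitive screen: it lists enabled accessibility services that can read window content and are not part of the system image; the function names and the allow-list parameter are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Defender-side check for a banking or payment app: return the package names of
// enabled accessibility services that (a) are permitted to read window content
// and (b) are not preinstalled system components. Such a service can observe
// and operate the UI regardless of FLAG_SECURE, which only blocks screenshots
// and screen recording. A non-empty result is a risk signal, not proof of
// compromise: legitimate third-party screen readers also match.
fun nonSystemContentReadingA11yServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .filter { info ->
            (info.capabilities and
                AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0
        }
        .mapNotNull { info -> info.resolveInfo?.serviceInfo?.packageName }
        .distinct()
        .filter { pkg ->
            val appInfo = runCatching { pm.getApplicationInfo(pkg, 0) }.getOrNull()
            // A package we cannot resolve is treated as non-system rather than skipped.
            appInfo == null || (appInfo.flags and ApplicationInfo.FLAG_SYSTEM) == 0
        }
}

// Hypothetical policy hook: warn (or step up authentication) before a transaction
// screen when any content-reading non-system service is active and not vetted.
fun shouldWarnBeforeTransaction(
    context: Context,
    vettedPackages: Set<String> = emptySet()   // e.g. an accessibility tool the bank has reviewed
): Boolean = nonSystemContentReadingA11yServices(context).any { it !in vettedPackages }

// FLAG_SECURE still belongs on sensitive activities: it stops screenshots and
// MediaProjection-based recording. It does not stop an accessibility service from
// reading the view tree, which is why the check above is needed as well.
fun Activity.blockScreenCapture() {
    window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
}
```

The list should be logged to the app's fraud-monitoring backend rather than acted on blindly, since blocking every third-party accessibility service locks out users who rely on assistive tools.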
Other observed campaigns involve distributing infected APK files masquerading as adult content. These operations employ multilayered infrastructures, obfuscation techniques, and dynamic checks to evade analysis, as reported by Unit 42 specialists.