Albiriox

Albiriox is an Android banking trojan and remote-access malware family sold as a malware-as-a-service (MaaS) offering on Russian-speaking cybercrime forums. Reporting indicates it entered a private beta in September 2025 and became publicly offered in October 2025, with evidence suggesting Russian-speaking operators. It is designed for on-device fraud (ODF), giving attackers real-time control of infected Android devices so fraudulent actions can be performed directly inside victims’ legitimate banking, fintech, payment, trading, wallet, and cryptocurrency applications.

Observed capabilities include VNC-based remote control, including an Accessibility-based mode referred to as AcVNC/AC VNC, screen streaming, UI automation, screen manipulation, and overlay attacks for credential theft. The Accessibility-based remote-control mode is described as bypassing Android FLAG_SECURE protections used by many banking and crypto apps to block screen capture. Reported command functionality includes click/swipe/text input, app launch and uninstall, black-screen or blank-screen concealment, live keylogging-related controls, and device-control actions. Albiriox communicates with command-and-control infrastructure over unencrypted TCP sockets using structured JSON messages, including an initial handshake with device identifiers such as HWID, model, and Android version, plus ping/pong heartbeats.

The malware has a hardcoded target list of more than 400 applications worldwide, including banks, fintech services, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms. Multiple reports state early campaigns targeted Austrian users using German-language lures. A documented infection chain used fake Penny Market-themed apps and fake Google Play-style pages, with delivery via SMS/smishing, WhatsApp-based lure flows, and sideloaded fake applications. The dropper used social engineering such as a bogus System Update screen to obtain the Install Unknown Apps permission and then install the final payload. Researchers also reported use of JSONPacker obfuscation and a custom builder integrated with the Golden Crypt/Golden Encryption crypting service to improve stealth and evade static detection.

High-confidence infrastructure and operational details directly tied to Albiriox in the provided content include the domain com-selfhelp[.]page and primary server 45.154.98[.]13, which hosted a Flask-based operator panel on port 8443 and a Go-based implant listener on port 443. Exposed panel assets indicated capabilities including hidden VNC, keylogging, credential theft, clipboard monitoring, CAPTCHA harvesting, cloud-storage exfiltration, remote shell access, and payload building. Additional referenced observables include subdomains such as c2.com-selfhelp[.]page, admin.com-selfhelp[.]page, ftp.com-selfhelp[.]page, and staging.com-selfhelp[.]page, the secondary IP 172.86.111[.]19, and a linked sample SHA256 3975fce3783a3b8a4780d70e7d8d9588825cf92cba92128a16f86bec50890b99. Overall, the provided reporting consistently characterizes Albiriox as a rapidly evolving Android ODF threat focused on financial and cryptocurrency fraud through full device takeover, remote interaction, and credential theft.