Android malware Albiriox abuses 400+ financial apps in on-device fraud and screen manipulation attacks

News
By published

A new MaaS is circulating around the dark web

Man looking at smartphone
Behöver du en VPN till din Android? (Image credit: Shutterstock)
  • New Android MaaS “Albiriox” targets Austrian users’ banking and crypto apps
  • Malware uses fake apps, dropper APKs, and 400+ overlays to steal sensitive data
  • Researchers link campaign to Russian actors; stolen info exfiltrated via Telegram

Android users are being targeted by a new, sophisticated malware-as-a-service (MaaS), aimed at gaining access to their banking and crypto apps and, ultimately, stealing their money and other valuables.

Recently, cybersecurity researchers Cleafy said they saw Android malware named Albiriox being advertised on the dark web.

The tool is apparently offering a “full spectrum” of features, including complete remote control of the target device, and more than 400 hardcoded overlays for different banking, fintech, crypto, and payment apps.

Fake software updates

The malware is spoofing all kinds of businesses, including PENNY. The attackers would create a fake landing page and Google Play Store app listings pages, and would ask the victims to share their phone numbers. Those that do would get the download link for an .APK file in an SMS or WhatsApp message.

For now, Cleafy says, the scam works only on Austrian phone numbers, but hints that the attack can easily spread to other parts of the world.

The APK is not the malware itself, but rather a dropper.

"The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload," Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.

When installed, the dropper prompts for permissions and asks for a “software update” which is nothing more than the download of the actual payload.

Through Albiriox, the attackers can take over the mobile devices entirely, or they can use the malware as an infostealer, exfiltrating phone numbers, passwords, and other sensitive information. All data is being pulled to a Telegram channel, it was said.

Although attribution is difficult, this seems to be the work of a Russian threat actor. Cleafy says the attackers’ activity on cybercrime forums, the way they speak, and the infrastructure they use, all suggests their Russian origins.

Via The Hacker News

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.