Overview
- Cleafy documented the Albiriox malware, and reports published on December 4–5 detailed its capabilities and Malware‑as‑a‑Service availability.
- The trojan streams a victim’s screen and executes taps, swipes, and typing through an Accessibility-based RAT marketed as AcVNC or hVNC.
- Black‑screen masking and credential‑stealing overlays let operators work inside banking apps and circumvent OTP‑based authentication.
- Initial distribution used fake Google Play listings, SMS lures, and WhatsApp or Telegram links that deliver APK droppers with a fake update interface.
- Code analysis shows more than 400 targeted banking and crypto apps worldwide. Early campaigns focused on Austria, and listings advertised access at about $650 per month. Defenders urge users to avoid sideloading and enable Play Protect.
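
Because the remote-control capability described above depends on an Accessibility service and the droppers arrive as sideloaded APKs, one defensive check is to list apps that combine both traits. The following is an added example, not code from Cleafy or the reports: it parses output captured from `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`. The sample data, package names and the assumption that Google Play is the only trusted installer are constructed for illustration.

```python
# Added example (not from the Cleafy report): audit captured adb output for
# sideloaded apps that hold an enabled Accessibility service.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_enabled_services(raw):
    """`settings get secure enabled_accessibility_services` -> {package: [service]}."""
    services = {}
    for component in raw.strip().split(":"):
        package, sep, cls = component.strip().partition("/")
        if sep and package:  # skips the empty value and the literal "null"
            services.setdefault(package, []).append(cls)
    return services

def parse_packages(raw):
    """`pm list packages -i` or `-s` lines -> {package: installer or None}."""
    result = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                source = field.split("=", 1)[1]
        result[fields[0][len("package:"):]] = source
    return result

def flag_sideloaded_accessibility(services_raw, installers_raw, system_raw):
    """Return sorted (package, installer, services) for non-system apps whose
    installer is not trusted but which have an Accessibility service enabled."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))  # preinstalled apps report no installer
    findings = []
    for package, classes in parse_enabled_services(services_raw).items():
        source = installers.get(package)
        if package not in system and source not in TRUSTED_INSTALLERS:
            findings.append((package, source or "unknown", sorted(classes)))
    return sorted(findings)

# Constructed sample data; package names are hypothetical.
SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
            "com.example.updater/.SyncService:com.example.reader/.ReadAloud")
INSTALLERS = """package:com.google.android.marvin.talkback  installer=null
package:com.example.updater  installer=com.google.android.packageinstaller
package:com.example.reader  installer=com.android.vending
"""
SYSTEM = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    for finding in flag_sideloaded_accessibility(SERVICES, INSTALLERS, SYSTEM):
        print(finding)
```

A flagged entry is a prompt for review, not a verdict: legitimate apps from other stores or enterprise deployment will also appear unless their installers are added to `TRUSTED_INSTALLERS`.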