Overview
- A Cleafy analysis details Albiriox as a subscription malware‑as‑a‑service that targets more than 400 banking, fintech, payment, wallet, and trading apps worldwide.
- Researchers observed dual VNC modes, including an accessibility‑driven stream that bypasses FLAG_SECURE protections, plus overlays and black‑screen masking to hide attacker activity.
- Early campaigns used German‑language SMS lures against Austrian users with fake Google Play pages for a Penny Market app, later shifting to WhatsApp delivery links that only accepted Austrian phone numbers and exfiltrated data to a Telegram bot.
- The malware communicates over unencrypted TCP using JSON messages, sends device identifiers during a startup handshake, and supports extensive commands for UI automation, app management, and stealth controls.
- First seen in a closed beta in September before a public launch in October, Albiriox is sold with a custom builder advertised to work with Golden Crypt, while parallel offerings like RadzaRat and BTMOB signal broader commoditization of mobile remote‑control fraud tools.