Particle.news

Researchers Warn of 'Albiriox,' Modular Android Banking RAT Found in More Than 400 Fake Apps

The tool enables real-time, remote transactions by abusing Android Accessibility on victims’ devices.

Overview

  • Cleafy researchers detailed the Albiriox malware family, first seen in September 2025, with findings widely reported on December 4–5.
  • The malware spreads through fake or infected APKs pushed via WhatsApp and Telegram and through spoofed Play Store pages; the install requires the user to allow installation from unknown sources, and the Accessibility abuse described below additionally requires the user to enable the app as an accessibility service in Settings.
  • Albiriox can replace legitimate financial apps, provide VNC-style remote control, display credential-stealing overlays, and mask activity with a black screen. Because the fraudulent transaction is driven from the victim's own already-authenticated device and session, codes and approvals delivered to that device do not stop it, which is how the live fraud can evade MFA and biometrics.
  • The operation is offered as Malware-as-a-Service on underground markets, with tech reporting attributing much of the activity to Russian-linked actors, though attribution remains limited.
  • Targets span banking, fintech, payment, and crypto services beyond an initial campaign in Austria, and experts urge using official app stores and Play Protect, keeping software updated, favoring app or hardware MFA, and running reputable mobile anti-malware.
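The two preconditions above (a sideloaded APK that then holds Accessibility access) are the first thing to check on a device suspected of carrying this kind of malware. The script below is an added triage example, not code from Cleafy or from the article; it pairs the output of two standard `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags every enabled accessibility service whose host package was not installed by the Play Store. The package names in the sample data are constructed for the example and are not Albiriox indicators.

```shell
#!/bin/sh
# Added triage helper (not from the article or Cleafy's report): list enabled
# Android accessibility services whose host package was not installed by the
# Play Store (com.android.vending). A sideloaded app holding Accessibility is
# the pairing to review first on a device suspected of an Albiriox-style infection.

# Arguments are the raw outputs of two adb commands:
#   $1: adb shell settings get secure enabled_accessibility_services
#       -> "pkg/service:pkg2/service2" (colon-separated), or "null"/empty
#   $2: adb shell pm list packages -i
#       -> lines like "package:com.foo installer=com.android.vending"
# Prints one line per flagged service: "<package> <service> installer=<installer>"
flag_sideloaded_a11y() {
    a11y="$1"
    pkgs="$2"
    if [ -z "$a11y" ] || [ "$a11y" = "null" ]; then
        return 0    # no accessibility service enabled at all
    fi
    printf '%s\n' "$a11y" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"          # component name: package/service
        svc="${entry#*/}"
        esc=$(printf '%s' "$pkg" | sed 's/\./\\./g')   # literal dots in the regex
        installer=$(printf '%s\n' "$pkgs" \
            | sed -n "s/^package:${esc} installer=//p" | head -n 1)
        [ -z "$installer" ] && installer="unknown"     # package not listed at all
        case "$installer" in
            com.android.vending) ;;   # Play Store install: not flagged here
            *) printf '%s %s installer=%s\n' "$pkg" "$svc" "$installer" ;;
        esac
    done
}

# Pull both values from a connected device (strips the \r that adb adds).
live_check() {
    flag_sideloaded_a11y \
        "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
        "$(adb shell pm list packages -i | tr -d '\r')"
}

# Constructed sample data (not from a real device): one legitimate Play-installed
# screen reader and one sideloaded app (installer=null is what pm prints for
# adb/unknown-source installs) that has been granted Accessibility.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.viewer/.AccessService'
SAMPLE_PKGS='package:com.google.android.marvin.talkback installer=com.android.vending
package:com.example.viewer installer=null
package:com.example.bank installer=com.android.vending'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    flag_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
fi
```

Run it with `--live` against a device in USB-debugging mode to see real output; without arguments it runs on the constructed sample and prints only the sideloaded entry. A Play Store installer is a weak signal, not a clean bill of health, so treat the output as a shortlist for manual review (uninstall from Safe Mode if the app blocks removal, then rotate banking credentials) rather than as a verdict.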