New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control


These articles are AI-generated summaries. Please check the original sources for full details.

A new Android malware named Albiriox has been advertised as a malware-as-a-service (MaaS) platform, targeting over 400 financial applications to enable on-device fraud (ODF), screen manipulation, and remote device control. Researchers identified the threat through its use of social-engineered droppers and evasion techniques to bypass detection.

Why This Matters

Modern Android apps rely on protections such as the FLAG_SECURE window flag, which blocks screenshots and screen recording, but Albiriox sidesteps them by leveraging accessibility services to read and stream UI elements in real time rather than capturing pixels. This allows attackers to conduct fraud inside legitimate, already-authenticated user sessions without triggering alarms. With 400+ financial apps at risk, the potential for credential theft and data exfiltration scales to millions of users, costing organizations millions in fraud losses annually.
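The paragraph above names the gap: FLAG_SECURE protects the pixels, not the view hierarchy that accessibility services read. The following Android Activity is an added defensive example written for this page; it is not code from the article, from Cleafy, or from the malware, and the package name, layout, view id and log tag are hypothetical. It sets FLAG_SECURE, marks the credential field as accessibility-data-sensitive on Android 14+ (so only services that declare themselves as accessibility tools may read it), and enumerates enabled accessibility services that do not declare themselves as tools so the app can feed that into its own risk decision.

```java
// Added defensive example, not from the article or from Cleafy.
// Package, layout, view id and log tag are hypothetical.
package com.example.hardening;

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;

import java.util.ArrayList;
import java.util.List;

public class SecureLoginActivity extends Activity {

    private static final String TAG = "LoginHardening"; // hypothetical log tag

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Block screenshots, screen recording and mirroring to non-secure displays.
        //    This is the protection the article describes; it does not stop a service
        //    that reads the view hierarchy through the accessibility APIs.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_login);          // hypothetical layout
        EditText password = findViewById(R.id.password);  // hypothetical view id

        // 2. Android 14+ (API 34): restrict this view's accessibility data to services
        //    that declare isAccessibilityTool. A generic "helper" service sees nothing.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            password.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }

        // 3. Surface enabled services that do not identify as accessibility tools.
        //    What to do with the signal (step-up auth, block the transfer, report it
        //    server-side) is the app's risk decision; here it is only logged.
        List<String> nonTool = nonToolAccessibilityServices(this);
        if (!nonTool.isEmpty()) {
            Log.w(TAG, "Enabled accessibility services not declared as tools: " + nonTool);
        }
    }

    /**
     * Returns the component ids of enabled accessibility services that do not
     * declare themselves as accessibility tools. isAccessibilityTool() exists from
     * API 33; on older releases the flag cannot be checked, so every enabled
     * service is returned and the caller must treat the list as lower-confidence.
     */
    static List<String> nonToolAccessibilityServices(Context ctx) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            if (!declaredTool) {
                result.add(info.getId());
            }
        }
        return result;
    }
}
```

The same restriction can be applied declaratively with `android:accessibilityDataSensitive="true"` on the view in layout XML. Two caveats a practitioner should keep in mind: `isAccessibilityTool` is a self-declared manifest attribute, so a malicious service can set it and the enumeration in step 3 is a heuristic signal rather than a guarantee; and on devices below Android 14 the sensitive-data restriction is unavailable, which is exactly the population where accessibility-based scraping of FLAG_SECURE screens remains effective.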

Key Insights

  • “400+ financial apps targeted, 2025”: Cleafy researchers identified a hard-coded list of apps spanning banking, crypto, and payment platforms.
  • “Accessibility services bypass FLAG_SECURE, 2025”: Albiriox uses Android’s accessibility APIs to bypass screen-capture protections, enabling remote VNC-based control.
  • “RadzaRat used by Heron44, 2025”: A related MaaS tool impersonates a file manager to deliver surveillance and remote access capabilities.

Practical Applications

  • Use Case: Droppers delivered through fake Google Play listings posing as “PENNY Angebote & Coupons”, leading to the compromise of financial apps on the device.
  • Pitfall: Overlay attacks using FLAG_SECURE bypasses lead to undetected credential theft and session hijacking.
