Albiriox¶
Albiriox is an Android banking trojan sold as Malware-as-a-Service (MaaS), first observed in the wild in September 2025 and publicly analyzed by Cleafy in December 2025. Offered openly since October 2025 at $650-720 per month, Albiriox targets over 400 applications spanning banking, cryptocurrency, fintech, wallet, trading, payments, investment, and gaming categories. The malware provides On-Device Fraud (ODF) capability through VNC remote control and uses a loader/dropper architecture with bundled obfuscation and crypting services. Notably, its C2 channel is plain, unencrypted TCP, a simplistic choice relative to the sophistication of its other capabilities.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | September 2025 |
| Status | Active, public MaaS offering since October 2025 |
| Type | Banking trojan, MaaS, RAT |
| Attribution | Unknown |
| Pricing | $650-720/month |
| Target Apps | 400+ (banking, crypto, fintech, wallet, trading, payments, investment, gaming) |
Origin and Lineage¶
Cleafy's analysis identifies Albiriox as a new entrant in the Android MaaS ecosystem. First observed in the wild in September 2025, it was publicly advertised as a MaaS offering from October 2025 onward. No direct code lineage to existing banking trojan families has been established.
Albiriox enters a crowded MaaS market alongside established players like Octo, Hook, and Medusa. Its pricing at $650-720/month positions it as a budget-friendly alternative compared to Hook's former $7,000/month rental price, making it accessible to lower-tier threat actors. The wide target list of 400+ applications and the inclusion of obfuscation/crypting services suggest the operators are aiming for broad market appeal rather than specialization.
Distribution¶
| Vector | Details |
|---|---|
| Loader/dropper | Multi-stage architecture separating delivery from payload |
| Obfuscation services | Crypting services offered alongside the MaaS subscription |
Cleafy documented that Albiriox uses a loader/dropper architecture: a benign-looking dropper handles initial installation and evasion, and a loader stage then downloads and installs the actual banking trojan payload. The MaaS operation also includes obfuscation and crypting services, meaning the operators supply affiliates with detection-evasion tooling rather than leaving this to the buyer.
This bundled approach lowers the technical barrier for affiliates: subscribers receive not just the malware but the infrastructure and tooling needed to deploy it effectively.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| VNC remote control | On-Device Fraud through real-time remote access |
| Black/blank screen | Hides remote operations from the victim |
| Volume control | Mutes device audio during fraud to prevent alerting the victim |
| Overlay injection | Phishing overlays targeting 400+ applications |
| Loader/dropper | Multi-stage deployment with obfuscation |
| Crypting services | Detection evasion tooling provided to affiliates |
On-Device Fraud (ODF)¶
Albiriox provides ODF capability through VNC-based remote control, allowing operators to:
- View the device screen in real-time via VNC
- Navigate banking and financial apps as the legitimate user
- Initiate and approve transactions from the compromised device
- Display a black or blank screen to hide the remote session from the victim
- Control device volume to suppress notification sounds during fraud
The black screen and volume control are specifically designed for fraud concealment. When an operator takes control, the victim sees a blank screen and hears nothing, making the device appear powered off or idle. This technique is shared with other ODF-capable families like Octo and Hook.
Target Application Coverage¶
With over 400 targeted applications, Albiriox covers a broad range of financial services:
| Category | Examples |
|---|---|
| Banking | Traditional banking apps across multiple regions |
| Cryptocurrency | Crypto exchange and wallet apps |
| Fintech | Digital banking and neobank apps |
| Wallet | Payment wallet applications |
| Trading | Stock and forex trading platforms |
| Payments | Payment processing apps |
| Investment | Investment and portfolio management apps |
| Gaming | Gaming platforms with financial components |
The inclusion of gaming alongside traditional financial targets reflects a growing trend in mobile malware targeting any application that stores monetary value or payment methods.
Technical Details¶
C2 Communication¶
| Component | Details |
|---|---|
| Protocol | TCP (unencrypted) |
| Encryption | None |
| Transport | Raw TCP connections to C2 server |
Cleafy's analysis revealed that Albiriox communicates with its C2 infrastructure over unencrypted TCP. This is a notable weakness:
- Network-level monitoring can intercept and read all C2 traffic in plaintext
- Security researchers can analyze command-and-control protocols through simple packet capture
- Enterprise network detection tools can identify and block the traffic with simple content signatures, since nothing obscures the commands on the wire
- Contrast this with families like Octo2, which uses per-request dynamic AES encryption, or FluBot, which moved its C2 traffic to DNS tunneling carried over DNS-over-HTTPS (DoH)
The lack of encryption may reflect rapid development prioritizing feature completeness over operational security, or an intentional choice to minimize complexity in the early stages of the MaaS operation.
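The practical consequence of a plaintext C2 channel is that an analyst or a network sensor can tell readable command traffic from an encrypted stream with a few bytes of statistics, before knowing anything about the protocol. The following Python is an added example written for this page, not code from Cleafy's report or from the malware: it scores reassembled TCP payloads by Shannon entropy and printable-byte ratio, and runs the heuristic over two constructed samples. The sample status lines are an invented placeholder and do not reflect Albiriox's actual message format; the "encrypted" variant is the same bytes XORed with a SHA-256-derived keystream, standing in for the AES-style encryption the page attributes to Octo2. The thresholds are practical defaults chosen for the example, not values from the report.

```python
"""
Entropy / printable-ratio triage of TCP payloads: why plaintext C2 is easy to spot.

Added example for this page, not code from Cleafy or from the malware. The
status lines below are a made-up placeholder, NOT Albiriox's real protocol; the
"encrypted" variant is the same bytes XORed with a SHA-256 keystream, standing
in for AES-style encryption of the kind the page attributes to Octo2.
"""
import hashlib
import math
import string
from typing import Dict, List, Tuple

PRINTABLE = frozenset(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0), plug-in estimator over byte frequencies."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; text-like payloads score near 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_payload(data: bytes) -> str:
    """
    Heuristic verdict on a reassembled TCP payload:
      'plaintext'     - readable; an analyst or IDS can see the commands directly
      'high_entropy'  - looks encrypted or compressed; needs decryption to inspect
      'indeterminate' - too short, or mixed (binary framing with text fields, etc.)
    Thresholds are practical defaults chosen for this example, not from the report.
    """
    if len(data) < 64:
        return "indeterminate"  # entropy over a few bytes is not meaningful
    h = shannon_entropy(data)
    p = printable_ratio(data)
    if p >= 0.9 and h < 6.0:
        return "plaintext"
    if p < 0.5 and h >= 7.0:
        return "high_entropy"
    return "indeterminate"


def triage_flows(flows: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Classify each (flow_id, payload) pair; flow_id is any label the caller chooses."""
    return {flow_id: classify_payload(payload) for flow_id, payload in flows}


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a cipher: XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed sample: generic line-oriented status messages, ~1 KB so the entropy
# estimate is meaningful. Field names are placeholders, not Albiriox's protocol.
SAMPLE_PLAINTEXT = b"".join(
    f"status|device=sample-{i:03d}|screen=on|apps=42|vnc=idle\n".encode()
    for i in range(20)
)
SAMPLE_ENCRYPTED = xor_keystream(SAMPLE_PLAINTEXT, b"example-key")  # hypothetical key


def demo() -> Dict[str, str]:
    """Run the triage over the two constructed payloads."""
    return triage_flows([
        ("plaintext_c2", SAMPLE_PLAINTEXT),
        ("encrypted_c2", SAMPLE_ENCRYPTED),
    ])


if __name__ == "__main__":
    for flow_id, verdict in demo().items():
        print(f"{flow_id}: {verdict}")
```

The plaintext sample scores well under 6 bits per byte with every byte printable, so it is flagged as readable; the XORed copy of the same bytes lands near 8 bits per byte with roughly 40% printable bytes and is flagged as high entropy. In a real deployment the payload would come from a pcap or a Zeek/Suricata file extraction rather than a literal, and a "plaintext" verdict on a non-HTTP, non-TLS port is exactly the cue to pull the stream and read the commands directly, which is the weakness the section describes.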
Loader/Dropper Architecture¶
Albiriox uses a multi-stage deployment model:
- Dropper: The initial application installed on the device, appearing benign to evade detection
- Loader: Downloads and installs the actual malicious payload after the dropper establishes persistence
- Payload: The full banking trojan with VNC, overlay injection, and fraud capabilities
The MaaS operation provides obfuscation and crypting services that process the dropper before distribution, rewriting its code and packaging so that existing static antivirus signatures no longer match. This service model means affiliates do not need their own crypting infrastructure.
MaaS Infrastructure¶
As a full MaaS operation, Albiriox provides subscribers with:
- Builder: Generates customized APKs with affiliate-specific C2 configuration
- Panel: Web interface for managing bots, monitoring infected devices, and executing fraud
- VNC client: Real-time device access for on-device fraud
- Crypting/obfuscation: Detection evasion services bundled with the subscription
- Target list: Pre-built overlay kits covering 400+ applications
Target Regions¶
Albiriox is sold globally through its MaaS model, and its 400+ target list spans banking, crypto, fintech, and wallet applications across multiple countries. The geographic focus of any given campaign therefore depends on the individual affiliate and the applications it chooses to target; Cleafy's report documents the global scope of the target list rather than a single regional focus.
Notable Campaigns¶
September 2025: First Albiriox samples observed in the wild, marking the beginning of active development and testing.
October 2025: Albiriox is publicly offered as a MaaS product at $650-720/month, entering the competitive Android banking trojan market.
December 2025: Cleafy publishes its analysis of Albiriox, documenting its VNC-based ODF capability, 400+ target applications, unencrypted TCP C2 communication, and loader/dropper architecture with bundled crypting services.
Related Families¶
Albiriox competes directly with established MaaS operations in the Android banking trojan space. Octo offers MediaProjection-based screen streaming with DGA C2 resolution. Hook provides VNC and ATS capabilities, though its source code leak in 2023 fragmented the ecosystem. Medusa combines keylogging with screen streaming across multiple affiliate groups.
Albiriox's $650-720/month pricing significantly undercuts the historical prices of these established families (Hook at $7,000/month pre-leak, Octo at premium MaaS pricing). This aggressive pricing strategy, combined with the broad 400+ app target list and bundled crypting services, positions Albiriox as an accessible entry point for lower-budget threat actors seeking ODF capability.
The use of unencrypted TCP for C2 communication places Albiriox at the lower end of technical sophistication for C2 protocols compared to its competitors. Whether this represents a temporary shortcut during early development or a persistent architectural decision will become clear as the family matures.