Security researchers reported the emergence of a new Android remote access trojan called Albiriox that is being offered under a malware‑as‑a‑service model and advertised to provide a “full spectrum” of features for on‑device fraud, screen manipulation and real‑time interaction with infected phones.
The malware contains a hard‑coded list of more than 400 target applications spanning banks, payments, cryptocurrency exchanges, digital wallets and trading platforms, and is distributed via social‑engineering droppers that use packing techniques to evade static detection, the researchers said. The authors initially ran a limited recruitment phase in late September 2025 before shifting to a commercial MaaS offering, and there is at least some evidence pointing to Russian‑language operators based on forum activity, linguistic patterns and infrastructure.
In one observed campaign aimed at Austrian victims, attackers used German‑language lures and SMS messages with shortened links that led to fake Google Play Store app pages for lookalike apps such as PENNY Angebote & Coupons. Users who clicked install were delivered a dropper APK that prompts for permissions framed as a software update, which then deploys the main malware.
Albiriox uses an unencrypted TCP socket for command‑and‑control and installs a VNC‑based remote access module to allow operators to interact with compromised devices, steal data, serve blank or black screens and manipulate audio levels to aid stealth. The malware abuses Android accessibility services to capture interface elements and bypass protections such as FLAG_SECURE, supports overlay attacks against targeted apps and seeks permissions and components such as RECEIVE_BOOT_COMPLETED, RECEIVE_LOCKED_BOOT_COMPLETED and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to achieve persistence.
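As an added defender-side example (not code from the researchers or the report), the helper below triages a decoded AndroidManifest.xml for the combination the report describes: the persistence permissions named above, an accessibility service binding, and the SYSTEM_ALERT_WINDOW permission that overlay attacks require. The sample manifest and the package name are constructed; a real APK's manifest must first be decoded (for example with apktool).

```python
# Added example, not from the report: flag the capability profile the
# report attributes to Albiriox. Any single marker is common in benign
# apps; the combination is what makes an APK worth a closer look.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Persistence names quoted in the report, matched as name suffixes.
PERSISTENCE_MARKERS = (
    "RECEIVE_BOOT_COMPLETED",
    "RECEIVE_LOCKED_BOOT_COMPLETED",
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
)
# Standard Android permissions for overlays and accessibility binding.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess_manifest(manifest_xml: str) -> dict:
    """Return the capability markers found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name", "")
                for el in root.iter("uses-permission")}
    persistence = sorted(p for p in declared
                         if p.endswith(PERSISTENCE_MARKERS))
    accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        for svc in root.iter("service"))
    overlay = OVERLAY_PERMISSION in declared
    return {
        "persistence": persistence,
        "accessibility_service": accessibility,
        "overlay": overlay,
        # Persistence + accessibility + overlay is the reported profile.
        "matches_reported_profile": bool(persistence) and accessibility and overlay,
    }


# Constructed sample manifest for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```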
Separately, a new Android RAT named RadzaRat has been observed posing as a legitimate file manager and offering remote file system access and surveillance capabilities; Certo researcher Sophia Taylor said the tool requires little technical skill to deploy. RadzaRat abuses accessibility services to log keystrokes, enables remote browsing and downloading of device files and uses Telegram for command‑and‑control, the researcher added.
The Albiriox disclosure coincides with other malicious Android campaigns that have used fake app landing pages to distribute malware such as BTMOB and persistence modules; fake “GPT Trade” pages have distributed BTMOB and related components, and researchers from Palo Alto Networks Unit 42 said operators are using multi‑stage, obfuscated lure sites and social engineering, including adult‑content lures, to deliver heavily obfuscated APKs.