- New Android MaaS “Albiriox” Targets Austrian Users’ Banking and Crypto Apps
- Malware uses fake apps, dropper APKs, and 400+ overlays to steal sensitive data
- Investigators link campaign to Russian actors; stolen information exfiltrated via Telegram.
Android users are being attacked by a sophisticated new Malware-as-a-Service (MaaS) offering, which aims to gain access to their banking and crypto apps and ultimately steal their money and other valuables.
Cybersecurity researchers at Cleafy recently said they saw Android malware called Albiriox advertised on the dark web.
The tool apparently offers a “full spectrum” of features, including full remote control of the target device and over 400 overlays coded for different banking, fintech, crypto and payment applications.
Fake software updates
The malware spoofs all kinds of companies, including PENNY. The attackers create a fake landing page and a fake Google Play Store app listing page, and ask victims to share their phone numbers. Those who do so receive a download link for an .APK file in an SMS or WhatsApp message.
For now, Cleafy says, the scam only works with Austrian phone numbers, but it hints that the attack could easily spread to other parts of the world.
The APK is not the malware itself, but rather a dropper.
“The malware takes advantage of dropper applications distributed through social engineering honeypots, combined with bundling techniques, to evade static detection and deliver its payload,” said Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti and Simone Mattia.
When installed, the dropper requests permissions and then prompts the user for a “software update”, which is nothing more than downloading the actual payload.
Through Albiriox, attackers can take over mobile devices entirely or use the malware as an information stealer, extracting phone numbers, passwords and other sensitive information. All stolen data is reportedly transferred to a Telegram channel.
Although attribution is difficult, this appears to be the work of a Russian threat actor: Cleafy says the attackers’ activity on cybercrime forums, the way they speak and the infrastructure they use all point to Russian origins.
Via Hacker News