- New Android MaaS “Albiriox” targets Austrian users’ banking and crypto apps
- Malware uses fake apps, dropper APKs, and 400+ overlays to steal sensitive data
- Researchers link the campaign to Russian actors; stolen information exfiltrated via Telegram
Android users are being targeted by a sophisticated new malware-as-a-service (MaaS), aiming to access their banking and crypto apps and ultimately steal their money and other valuables.
Recently, cybersecurity researchers at Cleafy said they saw Android malware named Albiriox being advertised on the dark web.
The tool apparently offers a “full spectrum” of features, including full remote control of the target device and over 400 hard-coded overlays for different banking, fintech, crypto, and payment applications.
Fake software updates
The malware spoofs all sorts of businesses, including PENNY. The attackers create a fake landing page and a fake Google Play Store listing, and ask victims to share their phone numbers. Those who do receive a download link for an APK file by SMS or WhatsApp.
For now, Cleafy says, the scam only accepts Austrian phone numbers, but the researchers suggest it could easily spread to other parts of the world.
The APK is not the malware itself, but rather a dropper.
“The malware exploits dropper applications distributed via social engineering lures, combined with compression techniques, to evade static detection and deliver its payload,” said Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti and Simone Mattia.
Once installed, the dropper asks for permissions and then prompts for a “software update”, which is nothing more than a download of the actual payload.
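A first triage step for a suspected dropper is to look at the APK as what it is, a ZIP archive, and ask whether its data directories carry code or packed blobs that a second stage could unpack. The script below is an added example, not Cleafy's tooling and not a signature for Albiriox: it walks the archive, identifies entries under assets/ and res/raw/ by magic bytes rather than by file extension (so a nested DEX renamed to .png is still caught), and flags high-entropy blobs that look encrypted or compressed. The magic list, the 7.5 bits/byte entropy threshold and the in-memory sample APK are all assumptions constructed for the example; a legitimate app can trip these heuristics, so treat a hit as a reason to look closer, not as a verdict.

```python
"""Static triage of an Android APK for dropper indicators.

Added example (not Cleafy's tooling, not an Albiriox signature): walks the
APK as a ZIP archive and flags entries that carry a nested executable
payload or an encrypted / packed blob, the kind of content a dropper
unpacks after its fake "software update" prompt. Heuristic only.
"""
import io
import math
import zipfile

# Magic bytes of formats a dropper may smuggle inside data directories.
# (Assumed list for the example; extend as needed.)
MAGIC = {
    b"PK\x03\x04": "zip/apk/jar",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
    b"\x1f\x8b": "gzip",
}

# Directories where data is expected but executable code is not.
PAYLOAD_DIRS = ("assets/", "res/raw/")
# Assumed cut-off, in bits per byte, for "looks encrypted or compressed".
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def identify(data: bytes):
    """Return the payload type by magic bytes, ignoring the file extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_apk(apk_bytes: bytes) -> list:
    """Return (entry_name, reason) findings for dropper-style content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(PAYLOAD_DIRS):
                continue
            data = zf.read(info.filename)
            kind = identify(data)
            if kind is not None:
                findings.append((info.filename, f"nested {kind} payload"))
            elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings.append((info.filename, "high-entropy blob (encrypted/packed?)"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-like ZIP with a nested DEX and a packed blob."""
    dex_stub = b"dex\n035\x00" + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", dex_stub)  # the "real" second-stage payload
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_stub)  # code in its legitimate location
        z.writestr("assets/config.json", b'{"update_url": "https://example.invalid/upd"}')
        z.writestr("assets/update.png", inner.getvalue())  # nested APK disguised as an image
        z.writestr("assets/stage2.bin", bytes(range(256)) * 16)  # uniform bytes: entropy 8.0
    return outer.getvalue()


if __name__ == "__main__":
    for name, reason in triage_apk(build_sample_apk()):
        print(f"{name}: {reason}")
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK on disk. Checking magic bytes rather than extensions matters because the extension is under the attacker's control, while a ZIP local file header or a DEX header has to be intact for the dropper's own loader to use it.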
Using Albiriox, attackers can take over mobile devices entirely or use the malware as an information stealer, exfiltrating phone numbers, passwords and other sensitive information. All stolen data is sent to a Telegram channel, according to Cleafy.
Although attribution is difficult, this appears to be the work of a Russian threat actor. Cleafy says the attackers’ activity on cybercrime forums, the way they speak and the infrastructure they use all suggest their Russian origins.
Via Hacker news