- New Android MaaS “Albiriox” targets Austrian users’ banking and crypto apps
- Malware uses fake apps, dropper APKs, and 400+ overlays to steal sensitive data
- Researchers link campaign to Russian actors; stolen info exfiltrated via Telegram
Android users are being targeted by a new, sophisticated malware-as-a-service (MaaS), aimed at gaining access to their banking and crypto apps and, ultimately, stealing their money and other valuables.
Recently, cybersecurity researchers Cleafy said they saw Android malware named Albiriox being advertised on the dark web.
The tool is apparently offering a “full spectrum” of features, including complete remote control of the target device, and more than 400 hardcoded overlays for different banking, fintech, crypto, and payment apps.
Fake software updates
The malware is spoofing all kinds of businesses, including PENNY. The attackers would create a fake landing page and Google Play Store app listings pages, and would ask the victims to share their phone numbers. Those that do would get the download link for an .APK file in an SMS or WhatsApp message.
For now, Cleafy says, the scam works only on Austrian phone numbers, but hints that the attack can easily spread to other parts of the world.
The APK is not the malware itself, but rather a dropper.
"The malware leverages dropper applications distributed through social engineering lures, combined with packing techniques, to evade static detection and deliver its payload," Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti, and Simone Mattia said.
When installed, the dropper prompts for permissions and asks for a “software update” which is nothing more than the download of the actual payload.
Through Albiriox, the attackers can take over the mobile devices entirely, or they can use the malware as an infostealer, exfiltrating phone numbers, passwords, and other sensitive information. All data is being pulled to a Telegram channel, it was said.
Although attribution is difficult, this seems to be the work of a Russian threat actor. Cleafy says the attackers’ activity on cybercrime forums, the way they speak, and the infrastructure they use, all suggests their Russian origins.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
