TL;DR
- Researchers have identified a new banking malware that replaces your actual banking app with a malicious one.
- It primarily spreads through APKs distributed via unmoderated channels such as messaging platforms.
- Once installed, the malware enables hackers to remotely control your device and hide their activities behind fake blank or update screens.
Just last week, we learned about a banking malware that exploits accessibility settings on Android to steal your bank credentials in the background. Now, we’re looking at another malware that not only enables remote attacks on Android devices but is distributed freely among hackers as part of a subscription service.
Researchers at Cleafy, an online fraud prevention firm, have discovered (via MalwareBytes) a new Android trojanware dubbed “Albiriox.” Just like Sturnus, which we learned about last week, Albiriox is distributed through infected or dummy APKs by luring potential targets into believing they are downloading the real apps. One way hackers achieve that is by creating fake replicas of Google Play Store listings, so users believe they are downloading apps from a trusted source when they are not. Hackers also lure targets by posting fake promotions and offers, collecting contact details, and then delivering malicious APKs through messaging apps such as WhatsApp and Telegram.
Fake Play Store listing.
As per the research firm, the technique is primarily deployed by threat actors based in Russia and neighboring regions. It has recently gained steam after being distributed as a Malware-as-a-Service (MaaS) on underground and dark web forums.
The APK files distributed by hackers serve one primary purpose: getting users to enable the “Install unknown apps” permission on Android. Once that is granted, the dropper app installs the actual destructive app, which carries Albiriox as its main payload.
More than 400 fake apps targeting users across categories such as banking, fintech, digital payments, and cryptocurrency have already been intercepted by Cleafy. These tailored versions of apps allow hackers to perform transactions from users’ accounts directly instead of just stealing their login credentials.
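The sideloading chain described above leaves a trace a defender can check: Android records which installer placed each package. The following script is an added example, not code from the article or from Cleafy. It parses the output of `adb shell pm list packages -i -3` (a constructed sample is embedded, so it runs offline), flags third-party packages not installed by Google Play, and separately flags sideloaded packages whose name extends a Play-installed one, the pattern a fake “update” sitting beside a real banking app would produce. The package names and the lookalike heuristic are assumptions for illustration.

```python
import re
from typing import NamedTuple

# Google Play's own package name; anything else is treated as a sideload source.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.bank.update  installer=null
package:com.example.promo  installer=com.google.android.packageinstaller
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


class PackageRecord(NamedTuple):
    package: str
    installer: str  # "null" when Android recorded no installer at all


def parse_pm_list(output: str) -> list[PackageRecord]:
    """Parse `pm list packages -i` lines; lines that do not match are skipped."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(PackageRecord(m.group("pkg"), m.group("inst")))
    return records


def find_sideloaded(records, trusted=TRUSTED_INSTALLERS) -> list[PackageRecord]:
    """Packages whose installer is not a trusted store: manual APK installs, installer=null."""
    return [r for r in records if r.installer not in trusted]


def find_lookalikes(records, trusted=TRUSTED_INSTALLERS) -> dict:
    """Map each sideloaded package to the store-installed package whose name it extends,
    e.g. a dropper named com.example.bank.update next to a legitimate com.example.bank."""
    store_names = [r.package for r in records if r.installer in trusted]
    hits = {}
    for r in find_sideloaded(records, trusted):
        for name in store_names:
            if r.package.startswith(name + "."):
                hits[r.package] = name
    return hits


if __name__ == "__main__":
    recs = parse_pm_list(SAMPLE_PM_OUTPUT)
    for r in find_sideloaded(recs):
        print(f"SIDELOADED {r.package} (installer={r.installer})")
    for bad, good in find_lookalikes(recs).items():
        print(f"LOOKALIKE  {bad} mimics {good}")
```

On a real device, pipe the command output into `parse_pm_list` instead of the sample; a sideloaded package is a lead to investigate, not proof of infection.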
Using Albiriox, hackers can control victims’ devices remotely over VNC. They can then perform taps, swipes, text entry, and even button presses, all while concealing the activity behind dummy blank screens or fake system update overlays.
Since the malware operates stealthily, be mindful of any unusual apps installed on your phone, especially ones that appear related to banking or financial services. Only download apps from the Google Play Store, and make sure Play Protect is enabled and up to date on your phone.
