- New Android MaaS “Albiriox” Targets Austrian Users’ Banking and Crypto Apps
- Malware uses fake apps, dropper APKs and 400+ overlays to steal sensitive data
- Researchers link campaign to Russian actors; stolen information exfiltrated via Telegram
Android users are being targeted by a new, sophisticated malware-as-a-service (MaaS) offering that aims to gain access to their banking and crypto apps and ultimately steal their money and other valuables.
Recently, cybersecurity researchers at Cleafy said they saw Android malware named Albiriox being advertised on the dark web.
The tool apparently offers a “full spectrum” of features, including complete remote control of the target device and more than 400 hard-coded overlays for various banking, fintech, crypto and payment apps.
Fake software updates
The malware spoofs all kinds of companies, including PENNY. The attackers create a fake landing page and fake Google Play Store listing pages that ask victims to share their phone numbers. Those who do receive a download link for an .APK file in an SMS or WhatsApp message.
For now, Cleafy says, the scam only works on Austrian phone numbers, but suggests the attack could easily spread to other parts of the world.
The APK is not the malware itself, but rather a dropper.
“The malware exploits dropper applications distributed through social engineering decoys, combined with packaging techniques, to avoid static detection and deliver its payload,” said Cleafy researchers Federico Valentini, Alessandro Strino, Gianluca Scotti and Simone Mattia.
Once installed, the dropper requests permissions and then prompts the user to install a “software update”, which is nothing more than the download of the actual payload.
Through Albiriox, the attackers can take over the mobile device completely, or they can use the malware as an infostealer, exfiltrating phone numbers, passwords and other sensitive information. Cleafy says all stolen data is pulled into a Telegram channel.
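As an added illustration (not code from Cleafy or TechRadar, and not tied to any real indicator from the report), the script below runs simple triage rules over constructed, placeholder mobile egress log lines for the two network stages the article describes: a fake “software update” fetching a second-stage APK from a host that is not an app store, and stolen data leaving the device through the Telegram Bot API. The log format, device IDs, hostnames, the bot token and the trusted-host allowlist are all assumptions made for the example.

```python
"""Triage of constructed egress logs for dropper and Telegram-exfil traffic.

Assumed log format (one request per line, whitespace separated):
    <timestamp> <device-id> <method> <host> <path> <content-type>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines; hostnames, devices and the bot token are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:01 dev-01 GET play.googleapis.com /download/app.apk application/vnd.android.package-archive
2024-05-01T10:00:05 dev-01 GET update-cdn.example.net /update/app-update.apk application/vnd.android.package-archive
2024-05-01T10:00:09 dev-01 POST api.telegram.org /bot123456:AAExampleTokenValue/sendMessage application/json
2024-05-01T10:00:12 dev-02 POST api.telegram.org /bot123456:AAExampleTokenValue/sendDocument multipart/form-data
2024-05-01T10:00:20 dev-02 GET www.example.com /index.html text/html
2024-05-01T10:00:25 dev-03 GET cdn.example.org /files/release.APK application/octet-stream
"""

APK_MIME = "application/vnd.android.package-archive"
# Assumed allowlist: hosts from which APK downloads are expected on a managed fleet.
TRUSTED_APK_HOSTS = {"play.googleapis.com", "android.clients.google.com"}
# Telegram Bot API paths look like /bot<bot-id>:<token>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Finding:
    timestamp: str
    device: str
    rule: str
    host: str
    detail: str
    bot_id: Optional[str] = None


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, device, method, host, path, ctype = m.groups()
    return {"ts": ts, "device": device, "method": method,
            "host": host.lower(), "path": path, "ctype": ctype.lower()}


def redact_token(token: str) -> str:
    """Keep a short prefix so analysts can correlate without logging the secret."""
    return token[:3] + "..." if len(token) > 3 else "..."


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, path = rec["host"], rec["path"]
        # Rule 1: an APK fetched from outside the allowlist is a sideload candidate,
        # the shape of the dropper's "software update" stage. Match on MIME type or
        # file extension, since a server may mislabel the content type.
        is_apk = rec["ctype"] == APK_MIME or path.lower().endswith(".apk")
        if is_apk and host not in TRUSTED_APK_HOSTS:
            findings.append(Finding(rec["ts"], rec["device"], "sideloaded_apk", host, path))
        # Rule 2: Bot API calls from a handset; bots, not the Telegram client,
        # use this endpoint, so it is a strong exfiltration signal on most fleets.
        if host == "api.telegram.org":
            m = TELEGRAM_BOT_RE.match(path)
            if m:
                bot_id, token, api_method = m.groups()
                findings.append(Finding(rec["ts"], rec["device"], "telegram_bot_api", host,
                                        f"bot {bot_id} {api_method} token={redact_token(token)}",
                                        bot_id=bot_id))
    return findings


def devices_per_bot(findings: List[Finding]) -> Dict[str, int]:
    """Count distinct devices per bot ID; one bot fed by many devices is a campaign pivot."""
    seen: Dict[str, set] = {}
    for f in findings:
        if f.bot_id is not None:
            seen.setdefault(f.bot_id, set()).add(f.device)
    return {bot: len(devs) for bot, devs in seen.items()}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.device} {f.rule:16} {f.host} {f.detail}")
    print("devices per bot:", devices_per_bot(results))
```

The Telegram rule deliberately keys on the Bot API path rather than the host alone, because the bot ID in the path is the operator-controlled handle: seeing the same ID across several devices, as `devices_per_bot` reports, is what turns isolated alerts into evidence of one campaign.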
Although attribution is difficult, it appears to be the work of a Russian threat actor. Cleafy says the attackers’ activity on cybercrime forums, the way they speak and the infrastructure they use all point to their Russian origins.
Via Hacker News