Albiriox and RadzaRat Terrorize Mobile Users

Cybersecurity experts are sounding the alarm over two sophisticated new strains of Android mobile malware, Albiriox and RadzaRat, both offered under a Malware-as-a-Service (MaaS) business model. These tools dramatically lower the bar for criminals, giving them full remote control and data theft capabilities to execute on-device fraud (ODF) against millions of unsuspecting mobile users.

Albiriox: The Banking Trojan That Sees Everything

Albiriox is a highly potent new banking trojan that has been built to offer a “complete package” of features for cybercriminals looking to commit fraud and manipulate infected devices in real-time.

This malware comes pre-loaded with a hidden hit list of over 400 financial applications. This list spans nearly every major sector, including traditional banks, crypto exchanges, digital wallets, payment services, and trading platforms.

The Attack Chain: Deception and Evasion

According to researchers at Cleafy, the threat actors use social engineering to trick victims into installing “dropper” applications. These droppers are heavily packed and disguised, allowing them to slip past common antivirus checks before they deploy the main malware payload.

Albiriox was first promoted in a private recruitment phase in late September 2025 before being fully launched as a MaaS product a month later. Evidence suggests the masterminds behind it are Russian-speaking, given their presence and language use on various underground cybercrime forums.

To attract customers, the malware’s developers provide access to a dedicated tool that integrates with a service called Golden Crypt, which allegedly helps the final malware package bypass most mobile security and antivirus defenses.

The ultimate goal is straightforward: seize complete control of the mobile device to execute fraudulent transactions and theft in a way that avoids detection. One initial campaign specifically targeted users in Austria, using German-language texts and social media posts. These messages contained shortened links that led victims to fake versions of the Google Play Store, mimicking popular apps like “PENNY Angebote & Coupons.”

If an unsuspecting user attempts to “install” the app from the fake page, a malicious installer package (APK) is downloaded. Once launched, the app immediately asks the user to grant it permission to install other apps, claiming it’s a necessary “software update.” This grants the final permission needed to install the core Albiriox malware.

Remote Control and Anti-Detection Tactics

Albiriox establishes an unencrypted connection to its Command-and-Control (C2) server, allowing the criminals to issue a wide range of commands. They can remotely control the device using Virtual Network Computing (VNC), steal sensitive data, show a black or blank screen for stealth, and even adjust the device volume to keep their activities secret.

Crucially, it installs a VNC-based remote access module that allows the attackers to interact with the phone as if it were in their hands. To get around modern banking security measures—like the FLAG_SECURE protection that prevents screen recording or screenshots—Albiriox uses Android’s accessibility services. This allows the malware to stream a complete, detailed view of the device interface without triggering any screen-capture defenses, giving the criminals a crystal-clear view of the victim’s every action.

Like other notorious banking malware, Albiriox uses overlay attacks—serving fake login screens over legitimate apps—to steal credentials. It can also display full-screen overlays mimicking a system update or a simple black screen, providing the attackers time to operate in the background without the victim noticing.

Cleafy also documented a slightly altered lure where victims were redirected to a fake website that pretended to be a specific retailer. On this site, users were asked to enter their Austrian phone numbers to receive a download link via WhatsApp. The entered numbers were immediately sent to a private Telegram bot, showing a clear data harvesting component.

RadzaRat: The New Face of Remote Spying

The emergence of Albiriox coincides with another dangerous MaaS tool called RadzaRat. This new Remote Access Trojan (RAT) disguises itself as a legitimate file management application.

First advertised in November 2025 by a developer known as “Heron44,” RadzaRat is marketed as an easy-to-use remote access solution that requires minimal technical skill to deploy. According to Certo researcher Sophia Taylor, this tool represents a concerning trend: the “democratization of cybercrime tools,” making powerful attacks accessible to anyone.

RadzaRat’s core functionality is remote control over the device’s file system. This allows criminals to search directories, browse files, and download any data they want from the compromised phone. Like Albiriox, it abuses accessibility services to log all user keystrokes and uses Telegram for its C2 communications.

RadzaRat also achieves persistence so that it is not easily removed. It uses specific permissions to relaunch automatically every time the device restarts, and it requests an exemption from Android’s battery optimization features so that its spying and C2 activity can run uninterrupted in the background.
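The dropper, accessibility, overlay and persistence behaviours described above all leave traces in an app’s manifest. The following triage script is an added example written for this article, not code from Cleafy, Certo or the malware authors; both manifests are constructed for the example, and the review threshold of three behaviours is an assumption.

```python
# Added example, not code from the article or the researchers it cites:
# triage an Android manifest for the permission clusters the article describes.
# Both manifests below are constructed for this example, not real samples.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Behaviour from the article -> manifest declarations that enable it.
BEHAVIOURS = {
    "dropper can install a second payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "accessibility abuse (screen streaming, keylogging)": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "relaunch on reboot": {"android.permission.RECEIVE_BOOT_COMPLETED", "android.intent.action.BOOT_COMPLETED"},
    "battery optimization exemption": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

def manifest_signals(manifest_xml: str) -> set[str]:
    """Collect uses-permission names, service-level permissions (an accessibility
    service must be guarded by BIND_ACCESSIBILITY_SERVICE) and intent-filter actions."""
    root = ET.fromstring(manifest_xml)
    found = {el.get(ANDROID + "name", "") for el in root.iter("uses-permission")}
    found |= {el.get(ANDROID + "permission") for el in root.iter("service") if el.get(ANDROID + "permission")}
    found |= {el.get(ANDROID + "name", "") for el in root.iter("action")}
    return found

def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Map each behaviour from the article to the declarations that back it."""
    signals = manifest_signals(manifest_xml)
    return {b: sorted(signals & decl) for b, decl in BEHAVIOURS.items() if signals & decl}

def verdict(manifest_xml: str, threshold: int = 3) -> str:
    """Three or more of these behaviours in one app is a review trigger (assumed threshold)."""
    return "review" if len(triage(manifest_xml)) >= threshold else "ok"

SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.files">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
```

Legitimate launchers, automation and accessibility tools declare some of these permissions too, so the script ranks an app for review rather than blocking it.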

A Broader Landscape of Mobile Threats

These new threats are part of a wider, growing landscape of Android malware. Experts have also noted attacks distributing the BTMOB malware, which abuses accessibility services to unlock devices, log keystrokes, automate credential theft, and enable remote control. These campaigns often use fake Google Play Store pages for apps like “GPT Trade.”

Other sophisticated networks are using adult content as lures to distribute heavily obfuscated malicious APK files that request permissions for phishing, screen capture, and file system manipulation.

These groups rely on a multi-stage architecture: heavily obfuscated front-end lure sites that dynamically connect to a hidden backend. The front-end sites use timing checks and complex code to evade security analysis, a level of sophistication now common in mobile malware.

These findings highlight that mobile device security is critical, and users must be extremely cautious about the apps they install and the permissions they grant.