Hackers are now targeting more than 400 financial apps around the world, deploying a new strain of Android malware in a bid to empty accounts.
The malware, called Albiriox, is a highly sophisticated remote access Trojan (RAT) designed to take full control of an infected device, allowing attackers to directly access and manipulate a user’s legitimate banking or crypto sessions, according to a new analysis from cybersecurity firm Cleafy.
Cleafy says Albiriox’s targets span a broad spectrum of financial platforms, including traditional banks, fintech applications, payment processors, crypto exchanges, mobile wallets, and trading platforms. That reach indicates a deliberate effort to hit both mainstream banking customers and digital asset holders.
The malware spreads through fake apps that impersonate legitimate ones, such as a counterfeit “Penny Market” app hosted on look-alike Google Play pages. Victims reach those pages through SMS links and must manually grant the permissions needed to install the app, since it never passes through the real Play Store.
What makes Albiriox particularly dangerous is that it is built for on-device fraud (ODF), a rapidly growing fraud model in which the attacker operates from inside the victim’s own authenticated session rather than stealing credentials for use elsewhere. Cleafy reports that the Trojan combines VNC-based remote control, abuse of Android accessibility services, targeted screen overlays, and dynamic credential harvesting.
Together, these capabilities let attackers sidestep biometric checks, two-factor authentication, and other fraud controls: the victim has already unlocked the app, so every action the attacker takes arrives from a device and session the bank has already trusted.
Once the malware is granted accessibility permissions, attackers can operate the device in real time, initiate transfers, empty crypto wallets, or approve high-risk transactions without triggering the usual security alerts. Because the activity originates on the victim’s own device, banks and exchanges may not detect the fraud until after the funds are gone.
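The practical consequence of the paragraphs above is that credential and biometric checks are the wrong place to look for this fraud, since they have already passed by the time the attacker acts. The example below is added here and is not Cleafy’s code or anything from the Albiriox analysis; it sketches how a bank’s backend could score an authenticated session on device posture and in-session behaviour instead. The telemetry field names, the accessibility-service allowlist, the point values and both sample sessions are constructed assumptions for illustration.

```python
"""Session-risk scoring for on-device fraud (ODF) signals.

Added example, not from the Albiriox report. It assumes a banking app sends
the backend a device-posture snapshot plus a stream of in-session actions.
All field names, weights and the sample telemetry are constructed.
"""
from datetime import datetime

# Accessibility services the bank is willing to accept (assumed allowlist).
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/.TalkBackService",
}


def _ts(s):
    # Accept RFC 3339 "Z" suffix on older Python versions too.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def score_session(telemetry):
    """Return (score, reasons) for one already-authenticated session.

    Credentials and biometrics have already passed, so this deliberately
    ignores them and looks only at device posture and what the session does.
    """
    posture = telemetry["device"]
    actions = telemetry["actions"]
    score, reasons = 0, []

    # 1. Unknown accessibility service: the hook a RAT uses to read and drive the UI.
    for svc in posture.get("enabled_accessibility_services", []):
        if svc not in KNOWN_ACCESSIBILITY:
            score += 40
            reasons.append(f"unknown accessibility service: {svc}")

    # 2. Overlay permission held by a package that is neither system nor our own app.
    for pkg in posture.get("overlay_permission_packages", []):
        if not pkg.startswith("com.android.") and pkg != posture.get("self_package"):
            score += 20
            reasons.append(f"overlay permission held by: {pkg}")

    # 3. Behaviour: payee created this session, then paid within two minutes of login,
    #    and/or a transfer that drains most of the available balance.
    login = next((a for a in actions if a["type"] == "login"), None)
    new_payees = {a["payee"] for a in actions if a["type"] == "add_payee"}
    balance = posture.get("available_balance", float("inf"))
    for a in actions:
        if a["type"] != "transfer":
            continue
        secs = (_ts(a["ts"]) - _ts(login["ts"])).total_seconds() if login else None
        if a["payee"] in new_payees and secs is not None and secs < 120:
            score += 25
            reasons.append(f"transfer to payee added this session, {int(secs)}s after login")
        if a["amount"] >= 0.9 * balance:
            score += 15
            reasons.append("transfer drains >=90% of available balance")
    return min(score, 100), reasons


def decide(telemetry, step_up_at=40, block_at=70):
    """Map a score to an action. Step-up must be out of band: a push prompt or
    SMS code lands on the same compromised device and the RAT can approve it."""
    score, reasons = score_session(telemetry)
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step_up_out_of_band", score, reasons
    return "allow", score, reasons


# Constructed telemetry (not real data): a session that looks like ODF.
SAMPLE_SUSPECT = {
    "device": {
        "self_package": "com.examplebank.app",
        "available_balance": 5000.0,
        "enabled_accessibility_services": ["com.pennymarket.fake/.SvcAccess"],
        "overlay_permission_packages": ["com.pennymarket.fake"],
    },
    "actions": [
        {"type": "login", "ts": "2024-01-01T10:00:00Z"},
        {"type": "add_payee", "ts": "2024-01-01T10:00:40Z", "payee": "MULE-1"},
        {"type": "transfer", "ts": "2024-01-01T10:01:10Z", "payee": "MULE-1", "amount": 4950.0},
    ],
}

# Constructed telemetry: an ordinary session that should pass.
SAMPLE_BENIGN = {
    "device": {
        "self_package": "com.examplebank.app",
        "available_balance": 5000.0,
        "enabled_accessibility_services": ["com.google.android.marvin.talkback/.TalkBackService"],
        "overlay_permission_packages": [],
    },
    "actions": [
        {"type": "login", "ts": "2024-01-01T10:00:00Z"},
        {"type": "transfer", "ts": "2024-01-01T10:05:00Z", "payee": "LANDLORD", "amount": 100.0},
    ],
}

if __name__ == "__main__":
    for name, t in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, decide(t))
```

The point of the design is in `decide`: when the session itself is hostile, confirming the transfer on the same handset proves nothing, so the only meaningful step-up is a channel the phone cannot answer for the victim, such as a callback to a number on file or a web-banking approval from another device.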
Cleafy concludes that Albiriox represents a significant shift in mobile cybercrime, with threat actors increasingly prioritizing ODF-focused malware capable of persistently compromising the entire device.
The researchers warn that the financial sector, and cryptocurrency users in particular, should expect more attacks built on real-time session hijacking rather than on traditional phishing or credential theft.