Hackers are now targeting more than 400 financial applications worldwide, deploying a new strain of Android malware in a push to drain accounts.
The malware, named Albiriox, is a highly sophisticated remote-access trojan (RAT) designed to take full control of an infected device, enabling attackers to directly access and manipulate a user’s legitimate banking or crypto sessions, according to a new analysis from cybersecurity firm Cleafy.
Cleafy says Albiriox’s targets span a broad spectrum of financial platforms, including traditional banks, fintech apps, payment processors, crypto exchanges, mobile wallets, and trading platforms. Its wide reach signals a deliberate effort to compromise both mainstream financial users and those holding digital assets.
The malware spreads through fake apps that impersonate real ones, such as a phony “Penny Market” app served from fake Google Play pages. Victims reach these pages via SMS links and must grant install permissions before the app drops the malware.
What makes Albiriox particularly dangerous is its alignment with On-Device Fraud (ODF), a rapidly expanding class of mobile malware that operates inside the victim’s authenticated session. Cleafy reports that the trojan uses a combination of VNC-based remote control, accessibility service abuse, targeted screen overlays, and dynamic credential harvesting.
Together, these capabilities allow attackers to bypass biometric checks, two-factor authentication, and other fraud-detection safeguards by behaving like the legitimate user.

Once the malware gains accessibility permissions, attackers can navigate the device in real time, initiate transfers, empty crypto wallets, or approve high-risk transactions without triggering typical security alerts. Because the activity originates from the victim’s own device, banks and exchanges may have difficulty detecting the fraud until after funds are stolen.
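A defensive check tied to the two conditions described above (a sideloaded app that then holds accessibility access), written as an added example and not taken from Cleafy's analysis. The package names and command outputs are constructed samples, and treating Google Play as the only trusted installer is an assumption.

```python
import re

# Constructed sample outputs (not from a real device), assumed to come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i   (installer recorded per package)
#   adb shell pm list packages -s   (preinstalled system packages)
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.dropper/com.example.dropper.core.A11ySvc"
)
INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.bank  installer=com.android.vending
"""
SYSTEM = "package:com.android.settings\n"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only


def parse_a11y(setting):
    """Return the packages that own an enabled accessibility service."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return sorted({c.split("/", 1)[0] for c in setting.split(":") if c})


def parse_installers(listing):
    """Map package -> installer package (None when no installer is recorded)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)\s*$", listing, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out


def risky_a11y_packages(a11y, installers, system_listing):
    """Flag non-system accessibility holders not installed by a trusted store."""
    inst = parse_installers(installers)
    system = {l.split(":", 1)[1].strip() for l in system_listing.splitlines() if ":" in l}
    return [p for p in parse_a11y(a11y)
            if p not in system and inst.get(p) not in TRUSTED_INSTALLERS]


if __name__ == "__main__":
    for pkg in risky_a11y_packages(ENABLED_A11Y, INSTALLERS, SYSTEM):
        print("review accessibility grant:", pkg)
```

A flagged package is a prompt for manual review, not proof of infection; legitimately sideloaded accessibility tools will also appear.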
Cleafy concludes that Albiriox represents a significant shift in mobile cybercrime, with threat actors increasingly prioritizing ODF-focused malware capable of persistent, full-device compromise.
Moving forward, researchers warn that the financial sector and especially crypto users should expect more attacks that rely on real-time session hijacking rather than traditional phishing or credential theft.


