Concise Cyber


New Albiriox Android Malware from Russian Developers Targets Banking Apps

Researchers at cybersecurity firm NSYS Group have identified a new remote access trojan (RAT) for Android named Albiriox. The malware is attributed to Russian-speaking cybercriminals and is designed to steal sensitive information from infected devices. The primary targets of this malware campaign appear to be Russian users of popular banking applications.

The developer, known by the alias ‘Albiriox’, has been active since at least 2018 and is also credited with creating a Windows-based RAT. Evidence linking the malware to Russian origins includes the use of the Russian language in the command-and-control (C&C) panel and on the developer’s Telegram account.

Distribution and Infection Method

The Albiriox malware is primarily distributed through fake websites that impersonate the official download pages of popular applications. These counterfeit sites have been observed mimicking VPN services and Russian banking applications, including Sberbank and Tinkoff. Users are tricked into downloading and installing a malicious APK file from these pages. Once installed, the malware requests extensive permissions, in particular access to Android’s accessibility services, which lets it perform actions on the user’s behalf.

Malware Capabilities and Data Exfiltration

Albiriox possesses a wide range of data-stealing functions. Its confirmed capabilities include keylogging to capture all typed information, screen recording, and the theft of two-factor authentication (2FA) codes directly from authenticator applications. The RAT can also intercept SMS messages, access contact lists, steal files from the device’s storage, and bypass screen lock protections like fingerprints and PINs. All stolen information is exfiltrated to a C&C server operated by the attackers.

Source: https://www.securityweek.com/new-albiriox-android-malware-developed-by-russian-cybercriminals/