Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud
Summary
A new Android malware named Albiriox, operating under a malware-as-a-service (MaaS) model, targets over 400 applications for on-device fraud (ODF), screen manipulation, and real-time device interaction. The malware uses dropper applications distributed through social engineering lures and packing techniques to evade detection. It leverages a custom builder and a third-party crypting service to bypass antivirus and mobile security solutions. The primary goal is to seize control of mobile devices and conduct fraudulent actions while remaining undetected. The malware has been advertised on cybercrime forums, with evidence suggesting Russian-speaking threat actors. Initial campaigns have targeted Austrian victims using German-language lures and fake Google Play Store app listings. The malware's subscription access launched at $650 per month before rising to $720 after October 21.
Timeline
- 01.12.2025 10:45 (2 articles): Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud
  Sources:
- New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
- New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
Information Snippets
- Albiriox embeds a hard-coded list of over 400 applications spanning banking, financial technology, payment processors, cryptocurrency exchanges, digital wallets, and trading platforms.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The malware uses dropper applications distributed through social engineering lures and packing techniques to evade static detection and deliver its payload.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- Albiriox was first advertised in late September 2025 and shifted to a MaaS offering in October 2025.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The malware leverages a custom builder that integrates with a third-party crypting service known as Golden Crypt to bypass antivirus and mobile security solutions.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- Albiriox uses an unencrypted TCP socket connection for command-and-control (C2), allowing remote control of the device using Virtual Network Computing (VNC).
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The malware installs a VNC-based remote access module to allow threat actors to remotely interact with compromised phones.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- Albiriox supports overlay attacks against a hard-coded list of target applications for credential theft, and can also display overlays that mimic a system update or a black screen.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- Initial campaigns targeted Austrian victims using German-language lures and fake Google Play Store app listings for apps like PENNY Angebote & Coupons.
  First reported: 01.12.2025 10:45 (2 sources, 2 articles). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The malware exfiltrates entered phone numbers to a Telegram bot.
  First reported: 01.12.2025 10:45 (1 source, 1 article). Sources:
  - New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control — thehackernews.com — 01.12.2025 10:45
- Albiriox's subscription access launched at $650 per month before rising to $720 after October 21.
  First reported: 01.12.2025 18:30 (1 source, 1 article). Sources:
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The dropper used JSONPacker to obfuscate the underlying code.
  First reported: 01.12.2025 18:30 (1 source, 1 article). Sources:
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
- The malware connects to its command server over an unencrypted TCP channel and registers the device using hardware and OS identifiers.
  First reported: 01.12.2025 18:30 (1 source, 1 article). Sources:
  - New Android Albiriox Malware Gains Traction in Dark Web Markets — www.infosecurity-magazine.com — 01.12.2025 18:30
Similar Happenings
Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials
Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.
NFC Relay Malware Surge Targeting European Payment Cards
A surge of NFC relay malware targeting payment cards has been observed in Eastern Europe. Over 760 malicious Android apps have been identified, exploiting Host Card Emulation (HCE) to steal contactless credit card data. The malware captures EMV fields, manipulates APDU commands, and enables unauthorized payments. The malware has evolved into multiple variants, including data harvesters, relay toolkits, and ghost-tap payments. It has spread across Poland, the Czech Republic, Russia, and Slovakia. The apps impersonate Google Pay and various financial institutions, with over 70 command-and-control servers and Telegram bots facilitating the attacks.
ClayRat Spyware Campaign Targets Android Users in Russia
A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.
Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries
The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials. A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings. A separate but related development involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries. Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool, and AI-driven automation that allows operators to build phishing pages with a single click. Both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.
GPUGate Malware Campaign Targets IT Firms in Western Europe
A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake Homebrew, LogMeIn, and TradingView platforms. These platforms impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware and Odyssey. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.