New Android MaaS Threats: Albiriox, RadzaRat, and BTMOB

December 1, 2025 Faeem BLOGS 0

The mobile threat landscape is rapidly evolving with malware-as-a-service (MaaS) offerings that democratize access to advanced fraud and surveillance tools.

Albiriox

  • Model: Malware-as-a-service, advertised since late Sept 2025.
  • Targets: Hard-coded list of 400+ apps (banking, fintech, crypto, wallets, trading).
  • Distribution:
    • Fake Google Play pages (e.g., PENNY Angebote & Coupons).
    • SMS lures with shortened links.
    • Dropper APKs disguised as updates.
  • Capabilities:
    • On-device fraud (ODF): operates inside legitimate user sessions.
    • VNC-based remote control: unencrypted TCP socket for C2.
    • Accessibility abuse: bypasses Android’s FLAG_SECURE to capture protected banking/crypto screens.
    • Overlay attacks: mimics system updates or black screens to steal credentials unnoticed.
    • Exfiltration: phone numbers harvested via fake PENNY site → sent to Telegram bot.
  • Regional focus: Initial campaigns aimed at Austria with German-language lures.
  • Developer ecosystem: integrates with Golden Crypt service to evade AV/mobile security.

RadzaRat

  • Disguise: Legitimate-looking file manager utility.
  • Developer alias: Heron44.
  • Capabilities:
    • Remote file system browsing, search, and download.
    • Accessibility abuse for keystroke logging.
    • Telegram-based C2.
    • Persistence via RECEIVE_BOOT_COMPLETED, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
  • Threat: Accessible to low-skilled actors, lowering barrier to entry for surveillance and fraud.

BTMOB + UASecurity Miner

  • Distribution: Fake Google Play landing pages (e.g., “GPT Trade”).
  • Capabilities:
    • Accessibility abuse to unlock devices.
    • Keystroke logging.
    • Credential theft via injections.
    • Remote control.
  • Persistence: UASecurity Miner module ensures long-term presence.
  • Lures: Adult-content themed sites with multi-stage obfuscation and dynamic backend connections.

Risks

  • Financial fraud: Direct manipulation of banking/crypto apps.
  • Credential theft: Overlay attacks and accessibility-driven harvesting.
  • Surveillance: Full device control, keystroke logging, file exfiltration.
  • Persistence: Boot receivers and battery optimization bypass keep malware active.
  • Democratization of cybercrime: MaaS lowers technical barriers, enabling more actors to launch sophisticated attacks.

Defensive Measures

  • For individuals:
    • Avoid installing apps outside Google Play.
    • Verify app publishers and permissions requested.
    • Enable Play Protect and keep OS updated.
    • Be wary of SMS links and fake update prompts.
    • Use MFA and passkeys for banking/crypto apps.
  • For organizations:
    • Monitor for accessibility abuse and overlay activity.
    • Detect unencrypted TCP socket traffic to suspicious C2 endpoints.
    • Block known Telegram bot infrastructure used for exfiltration.
    • Educate users about fake app stores and SMS lures.
    • Enforce mobile device management (MDM) policies to restrict sideloading.

Takeaway

Albiriox, RadzaRat, and BTMOB exemplify the next generation of Android MaaS malware: modular, persistent, and designed to bypass fraud detection by operating inside legitimate sessions. The combination of accessibility abuse, overlays, and VNC remote control makes them especially dangerous for financial and enterprise environments.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.