Cybersecurity researchers at security firm Cleafy have issued a warning regarding a high risk malware campaign aimed at Android users via WhatsApp messages that could jeopardize users' cryptocurrency wallets and bank information. The researchers tracked the threat as Albiriox, a new emerging Android malware family being marketed as malware-as-a-service (MaaS) on underground cybercrime forums.
Modus operandi
The malware propagate through WhatsApp messages which include links to malicious websites that impersonate Google Play Store pages. Currently, they are impersonating a popular discount retail app, but this could quickly change both in terms of campaigns and targets. Rather than having the app delivered directly, victims are persuaded to submit their phone number, on the premise that an installation link will be sent to them on WhatsApp.
After users tap on and download the trojanised app, Albiriox is able to take full control of the compromised device. The malware overlays attacks on more than 400 cryptocurrency wallet and banking apps — displaying fake login screens on top of the legitimate apps to capture credentials as users input them.
Albiriox is an advanced, rapidly evolving malware. The malware also features Vnc-based remote access, which gives the attackers the ability to directly control the infected machines. Initially, campaigns were targeted at Austrian citizens with German-language messages, but is now broadening its reach.
The malware is obfuscated with JSONPacker and also it tricks users into allowing the "Install Unknown Apps" permission. When it is running, it contacts its command servers through unencrypted TCP and stays on the bot forever, maintaining active control through a regular series of ping-pong heartbeat messages.
Mitigation tips
Security experts emphasize that users should never agree to install apps through phone number submission on websites. Any WhatsApp messages requesting app installations should be immediately deleted without clicking links. This distribution method represents exactly why Google is strengthening measures against sideloading, requiring app developers to register and verify their identities.
Cleafy highlights that Albiriox demonstrates the ongoing evolution and increasing sophistication of mobile banking threats. However, users can protect themselves effectively by following several key practices: only install apps from the official Google Play Store, ensure Play Protect is activated, and remain skeptical of any unsolicited installation requests received through messaging apps.
The campaign highlights broader security concerns affecting WhatsApp and similar platforms, particularly as attackers combine social engineering with technical malware capabilities to compromise both devices and accounts.