216.73.216.86

Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign

· Published 10/07/2026 00:16

Export JSON

Essential information

Published
10/07/2026 00:16
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
accessibility abuse albiriox android banking trojan brand impersonation italy overlay attacks sms interception telegram delivery
Related entities
9 indicators, 2 observables, 3 techniques (mitre), 1 malware

Description

A malicious campaign was detected impersonating an Italian banking brand through a fraudulent domain offering fake financial rewards for installing a mobile application. Users are redirected to a Telegram bot that distributes a malicious APK outside official app stores. The APK functions as a dropper containing an embedded second-stage payload identified as , an banking Remote Access Trojan. This payload exploits Accessibility services, implements , intercepts SMS messages, captures credentials, and enables remote device control through a custom TCP-based command-and-control protocol. The infrastructure uses domain impersonation and social engineering with financial incentives to distribute the malware. Communication occurs via raw TCP sockets to endpoints on ports 5555 and 5552, with JSON messages framed using big-endian length prefixes. Attribution to is supported by protocol similarities, behavioral patterns, and comparison with known samples.

External references