Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign
Essential information
- Published
- 10/07/2026 00:16
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- accessibility abuse albiriox android banking trojan brand impersonation italy overlay attacks sms interception telegram delivery
- Related entities
- 9 indicators, 2 observables, 3 techniques (mitre), 1 malware
Description
A malicious campaign was detected impersonating an Italian banking brand through a fraudulent domain offering fake financial rewards for installing a mobile application. Users are redirected to a Telegram bot that distributes a malicious Android APK outside official app stores. The APK functions as a dropper containing an embedded second-stage payload identified as Albiriox, an Android banking Remote Access Trojan. This payload exploits Accessibility services, implements overlay attacks, intercepts SMS messages, captures credentials, and enables remote device control through a custom TCP-based command-and-control protocol. The infrastructure uses domain impersonation and social engineering with financial incentives to distribute the malware. Communication occurs via raw TCP sockets to endpoints on ports 5555 and 5552, with JSON messages framed using big-endian length prefixes. Attribution to Albiriox is supported by protocol similarities, behavioral patterns, and comparison with known Albiriox samples.