{
  "name": "Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign",
  "slug": "fake-banking-rewards-telegram-delivery-and-albiriox-anatomy-of-an-android-malware-campaign",
  "description": "A malicious campaign was detected impersonating an Italian banking brand through a fraudulent domain offering fake financial rewards for installing a mobile application. Users are redirected to a Telegram bot that distributes a malicious Android APK outside official app stores. The APK functions as a dropper containing an embedded second-stage payload identified as Albiriox, an Android banking Remote Access Trojan. This payload exploits Accessibility services, implements overlay attacks, intercepts SMS messages, captures credentials, and enables remote device control through a custom TCP-based command-and-control protocol. The infrastructure uses domain impersonation and social engineering with financial incentives to distribute the malware. Communication occurs via raw TCP sockets to endpoints on ports 5555 and 5552, with JSON messages framed using big-endian length prefixes. Attribution to Albiriox is supported by protocol similarities, behavioral patterns, and comparison with known Albiriox samples.",
  "published": "2026-07-09T22:16:05.656000+00:00",
  "created_at": "2026-07-10T07:36:42.382000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-10T07:36:42.382000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "accessibility abuse",
    "albiriox",
    "android",
    "banking trojan",
    "brand impersonation",
    "italy",
    "overlay attacks",
    "sms interception",
    "telegram delivery"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "e24ba6fa-cca6-4540-afc0-d86649098116",
        "name": "fb43c4191c40f159167a98a4ac20bf23ae66a8ec27a919f703e953933e22a266"
      },
      {
        "id": "1f47894f-dfb5-45f2-805b-9d0a2f2c4798",
        "name": "146c62f408b6d7db4c832a6b5f7bdacb1cff2c69121b9b2f7e80646c37910abd"
      },
      {
        "id": "b93667be-a944-4ce1-968f-64e50fc4253f",
        "name": "http://unicredit-tme.shop/"
      },
      {
        "id": "c42014ca-fc51-4316-8206-a4b2734eb1ff",
        "name": "1e99972b1d84b131eb55a6b49f64871c5c0c6a1bb2a099a84313001b69dc53e8"
      },
      {
        "id": "954c7910-942a-4791-a4d5-c8e82aaeb903",
        "name": "unicredit-tme.shop"
      },
      {
        "id": "c657f7e7-f538-43d4-9d84-4cde8b94ce1f",
        "name": "4b9a95ebf5e471d11443fa2f19b75595fc1fcf6be234024cc1d4a2255068c19b"
      },
      {
        "id": "34535b0a-b935-4eba-8608-dde8069be4a7",
        "name": "206fdbe992b44ebd6720c49c79a5da3bdcb48d0d799a0ff3458323caac3cc490"
      },
      {
        "id": "7930aa40-b7bd-4012-ad08-a4c4fbbd809b",
        "name": "efc81267da3ad48cc779e9aed8f9232504ed7c85abf3958a87ba2ae68056ae23"
      },
      {
        "id": "b0de4fa0-cb12-47b5-a0ef-a71d23f162e8",
        "name": "e0fc365c042e708c8d04b5431238958586194cc4a8cbe069411a26dcfcc4e9b6"
      }
    ],
    "attack_patterns": [
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      }
    ],
    "malware": [
      {
        "id": "dfe61280-fe3f-4d1e-9f7a-12701615baa7",
        "name": "Albiriox",
        "slug": "albiriox"
      }
    ],
    "observables": [
      {
        "id": "25d07ccc-f71e-4fab-a2fc-08063e2d1d5b",
        "name": "unicredit-tme.shop"
      },
      {
        "id": "e049fb33-c842-42b9-8d7c-d3a67fbbfe67",
        "name": "http://unicredit-tme.shop/"
      }
    ]
  },
  "external_refs": [
    {
      "id": "f20be6dc-8c7e-45e0-b45e-afdbc44385b4",
      "standard_id": "external-reference--8c0848c1-66b1-5743-b0ac-9ebb0bdde3eb",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.d3lab.net/fake-banking-rewards-telegram-delivery-and-albiriox-anatomy-of-an-android-malware-campaign/",
      "hash": null,
      "external_id": null,
      "created": "2026-07-10T07:36:42.329Z",
      "modified": "2026-07-10T07:36:42.329Z",
      "createdById": null
    },
    {
      "id": "7246adeb-44f3-41ff-86c1-0b813ff1b38c",
      "standard_id": "external-reference--be2c6df7-d627-5a52-abd9-f108ac6a7773",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a501da5e79e415cb0ec861e",
      "hash": null,
      "external_id": "6a501da5e79e415cb0ec861e",
      "created": "2026-07-10T07:36:42.302Z",
      "modified": "2026-07-10T07:36:42.302Z",
      "createdById": null
    }
  ]
}