New Android Malware ‘Albiriox’ Can Hijack Banking Apps Without OTP: What Users Must Know

A new Android malware named Albiriox can quietly infiltrate banking apps, approve transactions without OTPs, and spread through fake apps.
A new and deeply worrying Android malware has been uncovered, and cybersecurity researchers warn it is capable of accessing banking apps and authorising transactions—without needing user credentials or OTP verification. The threat, known as Albiriox, has been quietly circulating through fake applications and cloned Play Store pages, according to a recent discovery by fraud-prevention firm Cleafy.
Cleafy’s researchers identified Albiriox after spotting suspicious patterns similar to previous Android banking trojans. Attackers are disguising malicious APK files as legitimate app installers and distributing them through fake websites, WhatsApp and Telegram messages, and misleading promotional links. These files often promise exclusive offers or special app versions, luring users into manually installing them.
What makes Albiriox especially dangerous is the way it behaves after infecting a device. Users are first prompted to enable the “install unknown apps” permission. Once granted, the seemingly harmless installer quietly deploys the actual trojan in the background. Unlike many earlier malware strains, Albiriox doesn’t attempt to steal passwords. Instead, it directly interacts with banking, digital payment, fintech, and cryptocurrency apps installed on the phone.
Android Authority reports that researchers have already flagged more than 400 fake apps linked to this operation, many of them targeting people seeking financial or banking services. After activation, the malware abuses Android’s accessibility services to execute transactions from within a user’s banking app—making it appear as though the real user is performing the action. This process allows the trojan to bypass login steps and even OTP requirements, with most victims unaware anything is wrong until funds have already been transferred.
Adding to the concern, investigators have revealed that Albiriox is being distributed through a Malware-as-a-Service (MaaS) model. This subscription-based system lets cybercriminals purchase, download, and deploy the trojan with minimal technical expertise. The model has gained momentum across Russia and neighbouring regions, where malicious APKs are aggressively pushed through messaging channels and underground forums.
With such threats becoming increasingly sophisticated and harder to detect, experts emphasise that users need to be extremely cautious about what they download onto their smartphones. Even a single fake banking app or discount-themed APK can open the door to a remote intrusion.
How to Stay Safe
Android users can significantly reduce their risk of infection by following these essential steps:
- Install apps only from the official Google Play Store and avoid downloading APKs sent through links, forwarded messages, or unknown websites.
- Keep “install unknown apps” disabled unless you’re completely certain about the source.
- Regularly scan your phone for unfamiliar or suspicious apps, especially any related to finance or banking.
- Ensure Google Play Protect is enabled and updated.
- Keep your device updated with the latest Android security patches, as monthly updates often fix vulnerabilities targeted by malware like Albiriox.
Staying alert and practising safe installation habits remain the strongest defence against evolving mobile threats.
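The advice above to look for unfamiliar apps can be checked from a workstation with `adb`. The script below is an added example, not code from Cleafy or the original article: it lists apps that were installed from outside Google Play and also have an accessibility service enabled, the combination the article describes. The sample package names are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```shell
#!/bin/sh
# Added example: flag side-loaded apps that hold an enabled accessibility service.
# Assumption: only Google Play counts as a trusted installer; extend as needed.
TRUSTED_INSTALLERS="com.android.vending"

# stdin: output of `pm list packages -i -3`; prints packages with an untrusted installer.
sideloaded_packages() {
    while read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        pkg=${line#package:}; pkg=${pkg%% *}
        installer=${line##*installer=}
        case " $TRUSTED_INSTALLERS " in
            *" $installer "*) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# $1: value of the secure setting enabled_accessibility_services
# (colon-separated package/class components); prints the owning packages.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r comp; do
        [ -n "$comp" ] && [ "$comp" != "null" ] || continue
        printf '%s\n' "${comp%%/*}"
    done | sort -u
}

# $1: pm output, $2: accessibility setting; prints packages matching both conditions.
risky_packages() {
    side=$(printf '%s\n' "$1" | sideloaded_packages)
    a11y_packages "$2" | while read -r pkg; do
        if printf '%s\n' "$side" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample data (not from a real device).
SAMPLE_PM='package:com.example.bank  installer=com.android.vending
package:com.example.offers.bonus  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller'
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.offers.bonus/.HelperService'

if [ "${1:-}" = "--live" ]; then   # query a connected device over adb
    risky_packages "$(adb shell pm list packages -i -3 | tr -d '\r')" \
        "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
else
    risky_packages "$SAMPLE_PM" "$SAMPLE_A11Y"
fi
```

Run with `--live` and USB debugging enabled to audit a connected device; without arguments it runs on the constructed sample. A listed package is a candidate for review, not proof of infection.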

