Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign

0
Medium
Published: 07/09/2026 (07/09/2026, 22:16:05 UTC)
Source: AlienVault OTX General

Description

This threat involves a malicious campaign impersonating an Italian banking brand to lure users with fake financial rewards. Victims are redirected to a Telegram bot that distributes a malicious Android APK outside official app stores. The APK acts as a dropper for a second-stage payload known as Albiriox, an Android banking Remote Access Trojan. Albiriox abuses Accessibility services, performs overlay attacks, intercepts SMS messages, captures credentials, and enables remote control via a custom TCP command-and-control protocol. The campaign uses domain impersonation and social engineering with financial incentives to spread the malware. Communication occurs over raw TCP sockets on ports 5555 and 5552 using JSON messages with big-endian length prefixes. The campaign targets users in Italy.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 08:02:32 UTC

Technical Analysis

A malicious campaign impersonates an Italian banking brand through a fraudulent domain offering fake financial rewards to entice users to install a malicious Android application distributed via a Telegram bot outside official app stores. The initial APK functions as a dropper that installs a second-stage payload identified as Albiriox, an Android banking Remote Access Trojan. Albiriox exploits Android Accessibility services to perform overlay attacks, intercept SMS messages, steal credentials, and enable remote device control through a custom TCP-based command-and-control protocol using JSON messages framed with big-endian length prefixes on ports 5555 and 5552. Attribution to Albiriox is based on protocol similarities, behavioral patterns, and comparison with known samples. The campaign infrastructure relies on domain impersonation and social engineering with financial incentives to distribute the malware, primarily targeting users in Italy.

Potential Impact

The malware enables attackers to intercept SMS messages, capture user credentials, perform overlay attacks to deceive users, and remotely control infected Android devices. This can lead to unauthorized access to banking accounts and financial theft. The use of Accessibility services abuse increases the stealth and control capabilities of the malware on compromised devices.

Mitigation Recommendations

No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Users should avoid installing applications from unofficial sources, especially those distributed via social engineering or fraudulent domains. Organizations should educate users about phishing and brand impersonation tactics. Monitoring and blocking the identified malicious domains and hashes can help reduce exposure. Since the malware is distributed outside official app stores, restricting installation of apps from unknown sources on Android devices is recommended.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.d3lab.net/fake-banking-rewards-telegram-delivery-and-albiriox-anatomy-of-an-android-malware-campaign/"]
Adversary
null
Pulse Id
6a501da5e79e415cb0ec861e
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash6aa665d2f33f03a549c14edec772cf2c
hash146c62f408b6d7db4c832a6b5f7bdacb1cff2c69121b9b2f7e80646c37910abd
hash1e99972b1d84b131eb55a6b49f64871c5c0c6a1bb2a099a84313001b69dc53e8
hash206fdbe992b44ebd6720c49c79a5da3bdcb48d0d799a0ff3458323caac3cc490
hash4b9a95ebf5e471d11443fa2f19b75595fc1fcf6be234024cc1d4a2255068c19b
hashe0fc365c042e708c8d04b5431238958586194cc4a8cbe069411a26dcfcc4e9b6
hashefc81267da3ad48cc779e9aed8f9232504ed7c85abf3958a87ba2ae68056ae23
hashfb43c4191c40f159167a98a4ac20bf23ae66a8ec27a919f703e953933e22a266

Url

ValueDescriptionCopy
urlhttp://unicredit-tme.shop/

Domain

ValueDescriptionCopy
domainunicredit-tme.shop

Threat ID: 6a50a39468715ace433baa91

Added to database: 07/10/2026, 07:47:32 UTC

Last enriched: 07/10/2026, 08:02:32 UTC

Last updated: 07/10/2026, 08:02:32 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses