Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign
This threat involves a malicious campaign impersonating an Italian banking brand to lure users with fake financial rewards. Victims are redirected to a Telegram bot that distributes a malicious Android APK outside official app stores. The APK acts as a dropper for a second-stage payload known as Albiriox, an Android banking Remote Access Trojan. Albiriox abuses Accessibility services, performs overlay attacks, intercepts SMS messages, captures credentials, and enables remote control via a custom TCP command-and-control protocol. The campaign uses domain impersonation and social engineering with financial incentives to spread the malware. Communication occurs over raw TCP sockets on ports 5555 and 5552 using JSON messages with big-endian length prefixes. The campaign targets users in Italy.
AI Analysis
Technical Summary
A malicious campaign impersonates an Italian banking brand through a fraudulent domain offering fake financial rewards to entice users to install a malicious Android application distributed via a Telegram bot outside official app stores. The initial APK functions as a dropper that installs a second-stage payload identified as Albiriox, an Android banking Remote Access Trojan. Albiriox exploits Android Accessibility services to perform overlay attacks, intercept SMS messages, steal credentials, and enable remote device control through a custom TCP-based command-and-control protocol using JSON messages framed with big-endian length prefixes on ports 5555 and 5552. Attribution to Albiriox is based on protocol similarities, behavioral patterns, and comparison with known samples. The campaign infrastructure relies on domain impersonation and social engineering with financial incentives to distribute the malware, primarily targeting users in Italy.
Potential Impact
The malware enables attackers to intercept SMS messages, capture user credentials, perform overlay attacks to deceive users, and remotely control infected Android devices. This can lead to unauthorized access to banking accounts and financial theft. The use of Accessibility services abuse increases the stealth and control capabilities of the malware on compromised devices.
Mitigation Recommendations
No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Users should avoid installing applications from unofficial sources, especially those distributed via social engineering or fraudulent domains. Organizations should educate users about phishing and brand impersonation tactics. Monitoring and blocking the identified malicious domains and hashes can help reduce exposure. Since the malware is distributed outside official app stores, restricting installation of apps from unknown sources on Android devices is recommended.
Affected Countries
Italy
Indicators of Compromise
- hash: 6aa665d2f33f03a549c14edec772cf2c
- hash: 146c62f408b6d7db4c832a6b5f7bdacb1cff2c69121b9b2f7e80646c37910abd
- hash: 1e99972b1d84b131eb55a6b49f64871c5c0c6a1bb2a099a84313001b69dc53e8
- hash: 206fdbe992b44ebd6720c49c79a5da3bdcb48d0d799a0ff3458323caac3cc490
- hash: 4b9a95ebf5e471d11443fa2f19b75595fc1fcf6be234024cc1d4a2255068c19b
- hash: e0fc365c042e708c8d04b5431238958586194cc4a8cbe069411a26dcfcc4e9b6
- hash: efc81267da3ad48cc779e9aed8f9232504ed7c85abf3958a87ba2ae68056ae23
- hash: fb43c4191c40f159167a98a4ac20bf23ae66a8ec27a919f703e953933e22a266
- url: http://unicredit-tme.shop/
- domain: unicredit-tme.shop
Fake Banking Rewards, Telegram Delivery and Albiriox: Anatomy of an Android Malware Campaign
Description
This threat involves a malicious campaign impersonating an Italian banking brand to lure users with fake financial rewards. Victims are redirected to a Telegram bot that distributes a malicious Android APK outside official app stores. The APK acts as a dropper for a second-stage payload known as Albiriox, an Android banking Remote Access Trojan. Albiriox abuses Accessibility services, performs overlay attacks, intercepts SMS messages, captures credentials, and enables remote control via a custom TCP command-and-control protocol. The campaign uses domain impersonation and social engineering with financial incentives to spread the malware. Communication occurs over raw TCP sockets on ports 5555 and 5552 using JSON messages with big-endian length prefixes. The campaign targets users in Italy.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A malicious campaign impersonates an Italian banking brand through a fraudulent domain offering fake financial rewards to entice users to install a malicious Android application distributed via a Telegram bot outside official app stores. The initial APK functions as a dropper that installs a second-stage payload identified as Albiriox, an Android banking Remote Access Trojan. Albiriox exploits Android Accessibility services to perform overlay attacks, intercept SMS messages, steal credentials, and enable remote device control through a custom TCP-based command-and-control protocol using JSON messages framed with big-endian length prefixes on ports 5555 and 5552. Attribution to Albiriox is based on protocol similarities, behavioral patterns, and comparison with known samples. The campaign infrastructure relies on domain impersonation and social engineering with financial incentives to distribute the malware, primarily targeting users in Italy.
Potential Impact
The malware enables attackers to intercept SMS messages, capture user credentials, perform overlay attacks to deceive users, and remotely control infected Android devices. This can lead to unauthorized access to banking accounts and financial theft. The use of Accessibility services abuse increases the stealth and control capabilities of the malware on compromised devices.
Mitigation Recommendations
No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Users should avoid installing applications from unofficial sources, especially those distributed via social engineering or fraudulent domains. Organizations should educate users about phishing and brand impersonation tactics. Monitoring and blocking the identified malicious domains and hashes can help reduce exposure. Since the malware is distributed outside official app stores, restricting installation of apps from unknown sources on Android devices is recommended.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.d3lab.net/fake-banking-rewards-telegram-delivery-and-albiriox-anatomy-of-an-android-malware-campaign/"]
- Adversary
- null
- Pulse Id
- 6a501da5e79e415cb0ec861e
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash6aa665d2f33f03a549c14edec772cf2c | — | |
hash146c62f408b6d7db4c832a6b5f7bdacb1cff2c69121b9b2f7e80646c37910abd | — | |
hash1e99972b1d84b131eb55a6b49f64871c5c0c6a1bb2a099a84313001b69dc53e8 | — | |
hash206fdbe992b44ebd6720c49c79a5da3bdcb48d0d799a0ff3458323caac3cc490 | — | |
hash4b9a95ebf5e471d11443fa2f19b75595fc1fcf6be234024cc1d4a2255068c19b | — | |
hashe0fc365c042e708c8d04b5431238958586194cc4a8cbe069411a26dcfcc4e9b6 | — | |
hashefc81267da3ad48cc779e9aed8f9232504ed7c85abf3958a87ba2ae68056ae23 | — | |
hashfb43c4191c40f159167a98a4ac20bf23ae66a8ec27a919f703e953933e22a266 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://unicredit-tme.shop/ | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainunicredit-tme.shop | — |
Threat ID: 6a50a39468715ace433baa91
Added to database: 07/10/2026, 07:47:32 UTC
Last enriched: 07/10/2026, 08:02:32 UTC
Last updated: 07/10/2026, 08:02:32 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.