
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Albiriox & RadzaRat: The New Android MaaS Threats Supercharging On-Device Fraud

A wave of new Android malware-as-a-service (MaaS) platforms is reshaping mobile cybercrime. Two tools — Albiriox and RadzaRat — are now being sold to low-skill attackers, offering full remote control, real-time fraud capabilities, and automated credential theft. These tools bypass many mobile security controls by abusing Android accessibility features, overlay attacks, and social engineering distribution methods.
Context
Android remains the primary target for mobile fraud operations due to its open app ecosystem and global device reach. Financial institutions have increased app-level protections (e.g., FLAG_SECURE), pushing threat actors toward on-device fraud (ODF) toolkits that operate inside legitimate user sessions. Albiriox and RadzaRat represent the latest evolution of that trend.
What Happened
Security researchers identified Albiriox, an ODF-focused malware advertised under a MaaS model since late 2025. It targets over 400 financial, crypto, and payment apps. Meanwhile, a second MaaS tool, RadzaRat, surfaced in criminal forums, impersonating a file manager while enabling full surveillance and remote access. Both campaigns use fake Google Play pages, SMS phishing, and social engineering to deliver dropper APKs.
Technical Breakdown
Distribution:
Social engineering lures, SMS links, fake Google Play pages, and download prompts disguised as routine app updates.
Initial Access:
Dropper apps request permission to install additional software, leading to deployment of the main malware.
Remote Access:
• VNC-based remote control
• Accessibility service abuse for node-level interface capture
• Unencrypted TCP C2 connections
• Real-time device manipulation (screens, audio, overlays)
Fraud Capabilities:
• Credential theft via overlays
• Stealth screens (black, blank, fake updates)
• Automated session hijacking
• Dynamic information harvesting (wallets, banking apps, crypto accounts)
Persistence:
• Boot receiver components
• Battery optimization bypass
• Background process hardening
Additional Threats:
The ecosystem also includes BTMOB, GPT Trade lures, and adult-content fake sites delivering heavily obfuscated multi-stage malware.
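For defenders triaging sideloaded apps, the traits listed in this breakdown (install-other-apps permission, accessibility service, overlays, boot receiver, battery optimization exemption) can be checked in an app's manifest. The following is an added example, not code from the article or from the researchers it cites; it assumes the manifest has already been decoded to text XML (for instance with apktool), and the package name, trait labels, and review threshold are constructed for illustration. Each trait also appears in legitimate apps, so the result is a review flag, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: decoded manifest of a hypothetical "file manager" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def odf_indicators(manifest_xml):
    """Return the sorted list of ODF-related traits found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = set()
    if P + "REQUEST_INSTALL_PACKAGES" in perms:
        found.add("installs-other-apps")          # dropper behaviour
    if P + "SYSTEM_ALERT_WINDOW" in perms:
        found.add("draws-overlays")               # overlay credential theft
    if P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in perms:
        found.add("battery-optimization-exempt")  # persistence
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility-service")    # screen capture and automation
    for action in root.findall(".//receiver/intent-filter/action"):
        if action.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED":
            found.add("boot-receiver")            # restart after reboot
    return sorted(found)

def needs_review(manifest_xml, threshold=3):
    """Flag apps pairing an accessibility service with other traits (threshold is an assumption)."""
    traits = odf_indicators(manifest_xml)
    return "accessibility-service" in traits and len(traits) >= threshold

if __name__ == "__main__":
    print(odf_indicators(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```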
Impact Analysis
These platforms give even low-skill attackers the ability to:
• Take complete control of a victim’s device
• Bypass app-level anti-fraud controls
• Steal credentials, initiate transactions, and manipulate screens undetected
• Conduct scalable fraud campaigns with minimal operational complexity
The inclusion of over 400 hard-coded financial targets signals clear intent: large-scale fraud and direct monetary theft.
Why It Matters
On-device fraud is now the dominant threat to mobile banking and crypto customers. Traditional fraud systems — which look for suspicious login locations, IP anomalies, or credential misuse — fail when the attacker is operating from inside the legitimate session.
MaaS offerings like these lower the barrier to entry and accelerate attacker adoption.
Expert Commentary
Security researchers warn that the democratization of Android ODF toolkits represents a major shift.
“These toolkits allow attackers to bypass authentication by operating directly within the victim’s session,” Cleafy noted.
“Accessibility-based automation and VNC control make traditional fraud detection almost irrelevant.”
Key Takeaways
• Two new Android MaaS tools — Albiriox and RadzaRat — deliver full on-device fraud capabilities.
• Attackers abuse accessibility services to capture screens and automate interaction.
• Social engineering distribution remains the primary infection vector.
• Over 400 financial and crypto apps are explicitly targeted.
• These platforms enable large-scale fraud with minimal attacker skill.
• Organizations must treat mobile devices as part of the critical attack surface and deploy behavioral fraud detection.

