Cleafy LABS

123 posts

@cleafylabs

Threat intelligence analyses and breaking news straight from Cleafy Labs

Joined April 2021
0 Following, 399 Followers
Cleafy LABS@cleafylabs·
(7/7) IOCs: 🔹 Dropper MD5: 612e1e4cef13c5c1f5f155d5b1a73016 🔹 Payload MD5 (TeaBot): 574742ad9a1eb519fce8b7c2b8795677 🔹 Play Store: hxxps://play.google[.]com/store/apps/details?id=com.backforge.olimpic.axiomdrivecenter
Cleafy LABS@cleafylabs·
(6/7) Following our analysis, the Cleafy Labs team responsibly disclosed all findings to Google. The application was removed from the Play Store on February 19, 2026. We thank Google for the prompt action taken following our report.
Cleafy LABS@cleafylabs·
🚨 (1/7) Guess who's back? We identified a new dropper associated with the TeaBot banking trojan within the Google Play Store, with over 100K downloads. The malicious app masquerades as a PDF reader/file manager and has been active from 12th to 19th February 2026.
Cleafy LABS@cleafylabs·
[3/4] Albiriox exhibits the core features of modern Android Banking Trojans, enabling TAs to perform On-Device Fraud (ODF) through remote control, screen manipulation, and real-time interaction with the infected device.
Cleafy LABS@cleafylabs·
[1/4] 🚨 We tracked Albiriox, a newly identified Android malware family offered as a Malware-as-a-Service (MaaS). Hardcoded targets indicate a broad target spectrum, encompassing major banking and cryptocurrency applications worldwide.
Cleafy LABS@cleafylabs·
(5/6) Active Campaigns in Europe: At the time of analysis, two main botnets were identified, actively compromising over 3,000 devices, with campaigns heavily focused on financial targets in Spain and Italy.
Cleafy LABS@cleafylabs·
(1/6) 🚨 In our latest investigation, we discovered and analyzed Klopatra, a new Android Remote Access Trojan (RAT) that was previously unknown and had no apparent connections to known malware families.
Cleafy LABS@cleafylabs·
(6/6) IOCs: 1b022ac761a077f0116bb427b6cf8315a86aa654ae0cd55a6616647bbeb769c4 d392372928571662e4e59b0e3ff52a0e39a8f062633a4f5bdafc681bcdcdcf22
Cleafy LABS@cleafylabs·
(5/6) A TLP:AMBER version is available for relevant financial CERTs, banking institutions, and trusted researchers and analysts within the community. Contact us at labs@cleafy[.]com to request access.
Cleafy LABS@cleafylabs·
(1/6) 🚨 Our team tracked a large-scale MaaS operation that deployed PlayPraetor to infect over 11,000 Android devices globally. PlayPraetor is an Android RAT that facilitates On-Device Fraud (ODF) by giving operators complete real-time control over compromised devices.