When Phones and Home Routers Become Silent Weapons: A Growing Cyber Threat You Shouldn’t Ignore

In December, security researchers noticed something worrying that affects everyday people, not just big companies. Android phones and home internet routers are being targeted more than ever before. According to recent threat findings, Android malware activity jumped sharply in 2025, and at the same time, thousands of home routers were quietly pulled into large cyberattack networks.

Two threats explain this trend clearly. One is Albiriox, an Android malware that turns phones into tools for banking fraud. The other is ShadowV2, a botnet that hijacks home and office routers and uses them to launch massive internet attacks. While they attack different devices, they work in very similar ways: trick the user, stay hidden, and abuse trust.


How Albiriox Turns an Android Phone Against Its Owner

Albiriox doesn’t break into phones using technical hacks. Instead, it relies on something much easier: convincing people to install it themselves.

It usually starts with a text message. The message contains a shortened link and claims to come from a trusted brand or service. In one major campaign, attackers pretended to be the Penny Market retail chain and focused on users in Austria. The link takes the victim to a page that looks like Google Play, but it’s fake.

When the user taps “Install,” a dangerous app is downloaded directly from the attacker’s server, not from Google Play. Some versions of the scam ask the user to enter their phone number and claim the app link will be sent through WhatsApp. Behind the scenes, the website checks if the number is Austrian and sends that information straight to the attacker through a Telegram bot.

Once the app is installed, it shows a fake “System Update” message and pressures the user to allow extra permissions. This is the most important step for the attackers. When the user agrees, the malware gains powerful control over the phone.

From that point on, Albiriox can:

  • See what’s on the screen
  • Record what the user types
  • Control the phone remotely
  • Bypass protections used by banking apps

The malware secretly connects to its control server using an unencrypted internet connection and sends details like the phone model and software version. It then stays connected using constant “heartbeat” messages so attackers always know the phone is online.

Albiriox is especially dangerous because it targets over 400 financial apps, including banks, payment apps, crypto wallets, and trading platforms. When the user opens one of these apps, the malware places a fake login screen on top of it and steals usernames and passwords. In some cases, it turns the screen black so the victim thinks the phone is idle while money is being moved in the background.

This malware is sold to criminals as a service, much like a subscription. It is promoted through underground forums and Telegram channels, and one name often linked to its development is Heron44. Signs of Albiriox infection include apps installed from outside Google Play, requests for accessibility permissions without a clear reason, fake system update screens, and suspicious connections to services like api[.]telegram[.]org.


How ShadowV2 Quietly Takes Over Home Routers

While phone malware grabs attention, router attacks often go unnoticed. ShadowV2 is based on Mirai, a well-known malware family that targets routers and smart devices instead of computers.

ShadowV2 works by scanning the internet for routers that still use default passwords or old software. Many home routers are never updated after installation, which makes them easy targets.

Once ShadowV2 finds a vulnerable router, it tries common usernames and passwords like “admin” or “root.” If it gets in, it downloads a small script called binary[.]sh from attacker servers such as 81[.]88[.]18[.]108. After that, the router is infected.

The router often keeps working normally, which is why people don’t notice. But in the background, it becomes part of a massive network of hijacked devices. ShadowV2 uses these routers to scan for more victims and to launch large-scale distributed denial-of-service (DDoS) attacks that flood a target with traffic until it goes offline.

An infected router may:

  • Send huge amounts of traffic without the owner knowing
  • Take part in attacks that knock websites offline
  • Block the owner from accessing the router’s settings

Some signs of infection include slow internet even when no one is using it, routers that feel unusually hot, random reboots, or router settings pages that stop responding. ShadowV2 traffic often uses ports like 23, 2323, 22, 6667, and 1080, and it frequently contacts public DNS servers such as 8[.]8[.]8[.]8.
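As an added example that is not part of the original post, the script below takes the indicators listed for both threats (the Telegram API host for Albiriox, and the download server, ports and outbound scanning behaviour for ShadowV2) and runs them over a constructed connection log to report per-device hits; the log format, the private addresses and the five-target scanning threshold are assumptions made for the example.

```python
import re
from collections import Counter
# Indicators taken from the write-up above (defanging removed so they match)
SHADOWV2_HOSTS = {"81.88.18.108"}             # server that hosts binary.sh
SHADOWV2_PORTS = {23, 2323, 22, 6667, 1080}   # ports the botnet scans and talks on
ALBIRIOX_HOSTS = {"api.telegram.org"}          # Telegram bot used to exfiltrate data
# Constructed log format (an assumption, not any vendor's): "<ts> <src> -> <dst> :<dport>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) :(?P<dport>\d+)$")
# Constructed sample: 192.168.1.1 is the home router, 192.168.1.23 an Android phone
SAMPLE_LOG = """\
2025-12-01T08:00:01 192.168.1.1 -> 81.88.18.108 :80
2025-12-01T08:00:05 192.168.1.1 -> 203.0.113.10 :23
2025-12-01T08:00:05 192.168.1.1 -> 203.0.113.11 :23
2025-12-01T08:00:06 192.168.1.1 -> 203.0.113.12 :2323
2025-12-01T08:00:06 192.168.1.1 -> 203.0.113.13 :22
2025-12-01T08:00:07 192.168.1.1 -> 203.0.113.14 :6667
2025-12-01T08:01:00 192.168.1.23 -> api.telegram.org :443
"""

def parse(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def classify(rec):
    """Names of the indicators one connection record matches (may be empty)."""
    return [name for cond, name in (
        (rec["dst"] in SHADOWV2_HOSTS, "shadowv2-download-server"),
        (rec["dport"] in SHADOWV2_PORTS, "shadowv2-port"),
        (rec["dst"] in ALBIRIOX_HOSTS, "albiriox-telegram"),
    ) if cond]

def scan_log(text, scan_threshold=5):
    """Per-source indicator counts. One source reaching many distinct hosts on
    ShadowV2 ports is the infected router hunting for victims: reported separately."""
    report, scan_targets = {}, {}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for hit in classify(rec):
            report.setdefault(rec["src"], Counter())[hit] += 1
        if rec["dport"] in SHADOWV2_PORTS:
            scan_targets.setdefault(rec["src"], set()).add(rec["dst"])
    for src, dsts in scan_targets.items():
        if len(dsts) >= scan_threshold:
            report[src]["shadowv2-outbound-scanning"] = len(dsts)
    return report
```

A single hit on api.telegram.org from a phone that legitimately uses Telegram is expected traffic, so treat that indicator as supporting evidence next to the other signs listed above rather than as proof on its own. The scanning indicator is the stronger signal for a router, since a healthy home router has no reason to open connections to many outside hosts on those ports.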

ShadowV2 has been linked to known security flaws in routers from vendors like D-Link and TP-Link, including vulnerabilities such as CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375, among others.


Why These Two Threats Are a Bigger Problem Than They Seem

Albiriox and ShadowV2 show a clear shift in how cybercrime works today. Instead of attacking well-protected computers and servers, attackers are going after phones and routers—devices people trust and rarely monitor.

Phones hold banking access, personal data, and authentication apps. Routers quietly control everything that enters and leaves a home network. Once compromised, both can be abused for long periods without detection.

Common warning signs across both threats include:

  • Being asked to install apps from unknown sources
  • Apps demanding powerful permissions without good reasons
  • Unusual internet slowdowns or traffic spikes
  • Devices behaving normally on the surface but acting strangely underneath

What Actually Helps Protect Against These Attacks

The good news is that basic habits still make a huge difference.

For phones:

  • Only install apps from official stores
  • Be cautious with links sent by text message
  • Avoid granting accessibility permissions unless absolutely necessary

For routers:

  • Change default usernames and passwords immediately
  • Keep firmware updated
  • Disable remote access features you don’t use
  • Reboot and factory reset if something feels off

These threats are growing fast, but they still depend heavily on user trust and neglected devices. Paying attention to small warning signs can prevent phones and home networks from quietly becoming tools in someone else’s attack.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.