
The operation threatens the security of Iran’s banking and crypto sectors, exposing millions of users to credential theft and device lockouts, and signals a new hybrid model of mobile banking malware combined with ransomware.
Android‑based financial malware has accelerated in complexity, and the recent emergence of deVixor illustrates that trend. First observed in October 2025, the trojan is delivered through counterfeit automotive‑sale websites that promise deep discounts on vehicles. When users click the malicious APK, the app installs silently and registers with a Telegram‑controlled command server. The campaign is heavily focused on Iran, as evidenced by Persian‑language phishing overlays and the targeting of 26 local banks and several cryptocurrency exchanges. By leveraging familiar e‑commerce themes, the attackers increase download rates and bypass casual user scrutiny.
Beyond simple credential theft, deVixor integrates surveillance and extortion tools that rival RATs. It scans up to 5,000 SMS messages to extract OTPs, balances, and card numbers, then injects malicious JavaScript into WebView login pages to capture credentials. A remote “RANSOMWARE” command can lock the device and demand 50 TRX to a Tron wallet, persisting through reboots via a locked JSON file. Command and control are split between Firebase for instructions and a separate server for data exfiltration, each implant identified by a unique Bot ID managed through a Telegram bot.
Security teams and mobile users must treat deVixor as a multi‑vector threat that blends banking trojan, RAT, and ransomware functionalities. Its focus on Iranian financial institutions threatens both traditional banks and emerging crypto platforms, potentially disrupting payment flows and eroding consumer confidence. Defenders should prioritize hardening app distribution channels, enforcing strict Play Store verification, and monitoring anomalous Firebase traffic or Telegram bot activity. Endpoint protection on Android devices needs to detect abnormal permission requests, WebView injections, and mass‑SMS harvesting behaviors. As attackers continue to monetize mobile access, the deVixor campaign underscores the urgency of coordinated industry response and user education.
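The detection priorities above (abnormal permission sets, SMS harvesting, overlay-capable apps, device-admin lockers) can be partially triaged before install by inspecting an APK's manifest. The following is an added example, not code from the article or from any vendor; the capability-to-permission mapping and the two sample manifests are constructed for illustration and are not a published deVixor signature. It flags the combination of SMS access, overlay permission and network access that a banking trojan needs, and separately notes a device-admin receiver of the kind a lock-screen locker registers.

```python
"""Triage AndroidManifest.xml permission sets for banking-trojan-style risk.

Added defensive example; not part of the original article or any vendor tool.
The permission combinations below are an assumed heuristic, not a published
deVixor indicator; the sample manifests are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Android attributes (android:name, android:permission) live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours the article attributes to deVixor, mapped to the standard Android
# permissions an app would need to implement them (assumed mapping).
CAPABILITIES = {
    "sms_harvesting": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "network_c2": {"android.permission.INTERNET"},
}

# The trojan pattern is the combination, not any single permission.
TROJAN_CORE = {"sms_harvesting", "overlay_phishing", "network_c2"}


def parse_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def uses_device_admin(manifest_xml: str) -> bool:
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app
    registers a device-admin component (what screen lockers typically use)."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for el in root.iter("receiver"))


def triage(manifest_xml: str) -> dict:
    """Score a manifest: 'high' when the full trojan core is present,
    'medium' for two or more risky capabilities, otherwise 'low'."""
    perms = parse_permissions(manifest_xml)
    hits = {cap for cap, needed in CAPABILITIES.items() if needed <= perms}
    if uses_device_admin(manifest_xml):
        hits.add("device_admin_lock")
    if TROJAN_CORE <= hits:
        verdict = "high"
    elif len(hits) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "capabilities": sorted(hits), "verdict": verdict}


# Constructed sample: an ordinary storefront app that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carstore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Car Store"/>
</manifest>"""

# Constructed sample: the permission profile a banking trojan with a locker
# module would need (hypothetical, modelled on the behaviours described above).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Car Deals">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage(manifest))
```

The manifest can be pulled from an APK with any unpacker that decodes the binary XML (for example apktool); the heuristic is deliberately coarse and is meant as a first-pass filter that routes apps with the full trojan profile to dynamic analysis, where SMS harvesting and WebView injection can be observed directly.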