Prompting to grant permissions | Image: CRIL
A sophisticated new threat has emerged in the mobile banking landscape, combining the stealth of a spy with the brutality of ransomware. Cyble Research and Intelligence Lab (CRIL) has released an analysis of deVixor, an actively developed Android banking malware campaign that has been aggressively targeting Iranian users since October 2025.
What started as a simple SMS harvester has mutated into a “fully featured Remote Access Trojan (RAT)” capable of taking total control over infected devices.
The campaign relies on a web of deceit to entrap victims. Threat actors are distributing the malware through “phishing websites that masquerade as legitimate automotive businesses,” tricking users into downloading malicious APK files under the guise of useful apps.
Once installed, deVixor requests a battery of intrusive permissions, allowing it to harvest “SMS-based financial information, including OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges”.
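The permission profile described above is something an analyst can check statically before a sample ever runs. The following is an added example, not code from CRIL's report: it parses a decoded AndroidManifest.xml and flags the SMS-harvester pattern (SMS permissions plus a receiver for incoming SMS) alongside the overlay and network permissions a RAT needs. The permission and action names are the standard Android ones and are an assumption on my part, since the page does not list them; the sample manifest is constructed, not taken from the real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups that together match the behaviour the report describes:
# SMS interception (OTPs, bank messages) plus overlay/network for the RAT side.
# These are standard Android names, assumed here; the article does not list them.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
RAT_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.INTERNET"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A receiver registered for SMS_RECEIVED sees every incoming SMS,
    # which is how OTPs and bank notifications get harvested.
    sms_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == SMS_ACTION for a in r.iter("action"))
    ]
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "rat_permissions": sorted(perms & RAT_PERMS),
        "sms_receivers": sms_receivers,
    }
    findings["sms_harvester_pattern"] = bool(findings["sms_permissions"]) and bool(sms_receivers)
    return findings


# Constructed sample manifest (not the real sample) exhibiting the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit on the harvester pattern is a triage signal to prioritise a sample for dynamic analysis, not proof of malice on its own, since legitimate SMS apps request the same permissions.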
The CRIL report highlights that deVixor is not just a static tool but a modular platform designed for varied criminal objectives.
- Banking Fraud: It uses “WebView-based JavaScript injection to capture banking credentials” by loading legitimate bank login pages inside a window the malware controls, effectively interposing the attacker in the middle of the user’s session.
- Surveillance: The malware includes a “KEYLOGGER” capability to record user inputs and commands like “GET_SCREENSHOTS” and “GET_GALLERY” to steal personal media.
- Ransomware: Perhaps most alarmingly, the malware features a “remotely triggered ransomware module,” allowing attackers to lock users out of their own devices if stealing their data isn’t profitable enough.
The analysis indicates a “deliberate victim profiling and regional specialization,” with a specific focus on “Iranian banks, payment services, and cryptocurrency platforms”.
By leveraging Telegram for its command-and-control (C2) infrastructure, the attackers ensure rapid updates and resilience. “The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service”.
deVixor represents a significant evolution in Android malware. As CRIL puts it, “deVixor is a feature-rich Android banking Trojan that reflects the latest evolution of Android malware,” combining fraud, espionage, and extortion into a single, dangerous package. Users in the region are advised to strictly avoid downloading apps from third-party websites, especially those promising automotive services.