New Android Banking Malware "deVixor" Combines Ransomware with Credential Theft
Cyble researchers have uncovered deVixor, a sophisticated Android remote access trojan (RAT) targeting Iranian banking users with a blend of credential theft, surveillance, and ransomware capabilities. First detected in October 2023, the malware spreads via phishing websites impersonating automotive businesses, luring victims into downloading malicious APK files.
Originally focused on SMS harvesting, deVixor has rapidly evolved into a full-featured criminal platform. It now supports nearly 50 commands, including banking fraud, keylogging, ransomware deployment, and device surveillance. The malware leverages Firebase for command delivery and a Telegram-based bot infrastructure for scalable control, allowing attackers to evade detection while managing infections at scale.
Key features include:
- Credential theft: Harvests OTPs, banking credentials (via WebView-based JavaScript injection), and cryptocurrency exchange data.
- Surveillance: Captures keystrokes, screenshots, contacts, and device notifications while blocking uninstallation.
- Ransomware: Locks devices and demands TRON cryptocurrency payments, storing attack parameters in LockTouch.json to persist across reboots.
Cyble’s analysis of over 700 samples confirms deVixor is an actively maintained criminal service, with its Telegram channel suggesting broader future targeting. The malware’s modular design and persistent updates highlight the growing sophistication of Android banking threats, blending traditional fraud with disruptive ransomware tactics.
Source: https://thecyberexpress.com/android-banking-malware-devixor-ransomware/
Cyble cybersecurity rating report: https://www.rankiteo.com/company/cyble-global
{
  "id": "CYB1768350463",
  "linkid": "cyble-global",
  "type": "Ransomware",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Banking, Cryptocurrency',
                        'location': 'Iran (potential expansion)',
                        'type': 'Individual users'}],
 'attack_vector': 'Phishing (malicious APK files via fake automotive discount websites)',
 'data_breach': {'data_encryption': 'Yes (ransomware module encrypts device data)',
                 'data_exfiltration': 'Yes (sent to C&C server)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Banking credentials',
                                              'OTPs',
                                              'Account balances',
                                              'Card numbers',
                                              'Messages from banks/cryptocurrency exchanges',
                                              'Contacts',
                                              'Keystrokes',
                                              'Screenshots',
                                              'Device notifications',
                                              'Personally Identifiable Information (PII)']},
 'date_detected': 'October 2023',
 'description': 'A new Android banking malware named deVixor can launch ransomware attacks in addition to credential theft and user surveillance. The malware targets Iranian banking users but may expand due to its active Telegram-based distribution and maintenance as a criminal service.',
 'impact': {'data_compromised': 'Banking credentials, OTPs, account balances, card numbers, messages from banks/cryptocurrency exchanges, contacts, keystrokes, screenshots, device notifications, personally identifiable information (PII)',
            'identity_theft_risk': 'High',
            'operational_impact': 'Device locking via ransomware, unauthorized surveillance, credential theft',
            'payment_information_risk': 'High',
            'systems_affected': 'Android devices'},
 'initial_access_broker': {'backdoors_established': 'Firebase for command delivery, Telegram bot for administration',
                           'entry_point': 'Phishing websites (fake automotive discount offers)',
                           'high_value_targets': 'Iranian banking users (potential expansion)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Modern Android banking malware has evolved into scalable, service-driven criminal platforms with modular capabilities, persistent configurations, and active development cycles. Traditional detection mechanisms may be evaded due to Telegram-based C&C infrastructure.',
 'motivation': 'Financial abuse, credential theft, ransomware, device surveillance',
 'post_incident_analysis': {'corrective_actions': ['Improve detection of Accessibility Service abuse',
                                                   'Enhance phishing awareness for Android users',
                                                   'Monitor Telegram channels for threat intelligence',
                                                   'Implement stricter APK installation policies'],
                            'root_causes': ['Exploitation of Android’s Accessibility Service',
                                            'Google Play Protect bypass techniques',
                                            'Phishing via malicious APK files',
                                            'Use of Telegram-based C&C for evasion']},
 'ransomware': {'data_encryption': 'Yes (device locking)',
                'data_exfiltration': 'Yes (ransom-related details sent to C&C)',
                'ransom_demanded': 'Cryptocurrency (TRON)',
                'ransomware_strain': 'deVixor ransomware module'},
 'recommendations': ['Avoid downloading APK files from untrusted sources',
                     'Monitor for phishing campaigns targeting Android users',
                     'Enhance detection for Accessibility Service abuse',
                     'Implement multi-factor authentication (MFA) for banking apps',
                     'Educate users on recognizing phishing attempts',
                     'Monitor Telegram channels for emerging threats'],
 'references': [{'source': 'Cyble Research'}],
 'threat_actor': 'Unknown (operating via Telegram-based infrastructure)',
 'title': 'deVixor Android Banking Malware Campaign',
 'type': 'Malware (Remote Access Trojan - RAT)',
 'vulnerability_exploited': 'Exploitation of Android’s Accessibility Service, Google Play Protect bypass techniques'}