deVixor
deVixor is an actively developed Android banking remote access trojan (RAT) with ransomware capabilities, reported by Cyble Research and Intelligence Lab (CRIL) as targeting Iranian users since at least October 2025. It evolved from an early SMS-harvesting malware into a full-featured platform for bank fraud, credential theft, device surveillance, and extortion. CRIL analyzed more than 700 samples and assessed with high confidence that it is part of a mass infection campaign operating at scale.
The malware is distributed as malicious APK files via phishing websites masquerading as legitimate automotive businesses and luring victims with heavily discounted vehicle offers. Reported distribution URLs include hxxp://asankhodroo[.]shop, hxxp://www[.]asan-khodro.store, hxxp://www[.]naftyar.info/naftman.apk, hxxp://abfayar[.]info/abfa.apk, hxxps://blupod[.]site/blupod.apk, hxxps://naftman[.]oghabvip.ir/naftman.apk, hxxp://vamino[.]online.infochatgpt.com/vamino.apk, and hxxps://lllgx[.]site/mm/V6.apk.
deVixor uses Telegram-based infrastructure for administration and rapid updates, including a Telegram bot-based admin panel and a Telegram channel used to publish version updates, promote capabilities, and share operational screenshots. Each deployed APK is assigned a unique Bot ID stored locally in port.json. Operationally, it uses Firebase for command delivery and a separate decrypted C2 URL/server for data exfiltration.
Its capabilities include harvesting SMS-based financial data such as OTPs, account balances, card numbers, and messages from Iranian banks and cryptocurrency exchanges; scanning up to 5,000 SMS messages; keylogging; notification theft; screenshot capture; contact theft; gallery/media theft; device surveillance; anti-uninstall and stealth features; Google Play Protect bypass techniques; and extensive abuse of Android Accessibility Service. It also performs credential theft through WebView-based JavaScript injection by loading legitimate banking pages and stealing usernames and passwords entered into login forms, and can generate fake bank notifications to drive victims into those flows.
The malware shows strong regional specialization against Iranian financial institutions, payment services, and cryptocurrency platforms. Reported targeted banks and services include Bank Melli Iran, Bank Mellat, Bank Tejarat, Bank Saderat Iran, Bank Sepah, Bank Maskan, Bank Keshavarzi, Bank Refah, Bank Pasargad, Bank Parsian, Bank Ayandeh, Bank Saman, Bank Sina, Bank Dey, Post Bank Iran, Middle East Bank, Iran Zamin Bank, Eghtesad Novin Bank, Karafarin Bank, Shahr Bank, Hekmat Iranian Bank, Industry & Mine Bank, Export Development Bank of Iran, Tavon Bank, BluBank, and Iran Kish. Reported targeted cryptocurrency exchanges include Binance, CoinEx, Ramzinex, Exir, Tabdeal, Bitbarg, TetherLand, AbanTether, OkExchange, ArzDigital, IranCryptoMarket, Cryptoland, Bitex, and Excoino.
deVixor also includes a remotely triggered ransomware module activated via a RANSOMWARE command. The module stores the ransom note, TRON wallet address, and demanded amount in LockTouch.json to persist across reboots. Reported ransom messaging includes "Your device is locked. Deposit to unlock," and Telegram-posted screenshots described a demand of 50 TRX. Overall, the reporting describes deVixor as a maintained, service-like criminal platform combining financial theft, persistent device control, and extortion in a single Android malware family.
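As an added triage helper (not code from the CRIL report or from this page), the block below refangs the distribution URLs listed above into hostnames and scans an APK for those hostnames and for the on-device artefact file names the report names (port.json, LockTouch.json). It assumes the artefacts may be packaged inside the APK; where they are written at runtime instead, the same name check applies to a file listing from the app's data directory. The sample APK is constructed in memory and is not a real sample.

```python
import io
import re
import zipfile

# Distribution URLs exactly as defanged on the page (hxxp / [.] notation).
DEFANGED_URLS = [
    "hxxp://asankhodroo[.]shop",
    "hxxp://www[.]asan-khodro.store",
    "hxxp://www[.]naftyar.info/naftman.apk",
    "hxxp://abfayar[.]info/abfa.apk",
    "hxxps://blupod[.]site/blupod.apk",
    "hxxps://naftman[.]oghabvip.ir/naftman.apk",
    "hxxp://vamino[.]online.infochatgpt.com/vamino.apk",
    "hxxps://lllgx[.]site/mm/V6.apk",
]
# Local artefact files named in the report (bot ID and ransomware state).
ARTEFACT_FILES = {"port.json", "LockTouch.json"}

def refang(url: str) -> str:
    """Turn hxxp://www[.]example[.]com into http://www.example.com."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")

def hostname(url: str) -> str:
    """Extract the lowercase host part of a refanged URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()

HOSTNAMES = {hostname(refang(u)) for u in DEFANGED_URLS}

def triage_apk(apk_bytes: bytes) -> dict:
    """Report artefact file names and known hostnames found in an APK (a zip)."""
    found_files, found_hosts = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in ARTEFACT_FILES:
                found_files.add(name)
            data = zf.read(name).lower()
            for host in HOSTNAMES:
                # Plain-string match only; encrypted or obfuscated strings are missed.
                if host.encode() in data:
                    found_hosts.add(host)
    return {"artefact_files": sorted(found_files), "hostnames": sorted(found_hosts)}

def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspect APK; values are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/port.json", '{"bot_id": "PLACEHOLDER-BOT-ID"}')
        zf.writestr("res/raw/config.txt", "update=https://blupod.site/blupod.apk")
    return buf.getvalue()
```

A hit on either list is a triage signal, not proof of infection; confirm with full static and dynamic analysis.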
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic: Initial Access (1 technique), Execution (1 technique), Credential Access (3 techniques), Collection (3 techniques), Command and Control (1 technique).
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family, plus other indicator types observed in public reporting. Full values are available in Mallory.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of 17 Android malware families detected in the wild over four months.
Android banking trojan targeting Iranian users via phishing sites since 2025-10; steals sensitive info and includes a remotely triggered ransomware-like module that locks devices and demands cryptocurrency; uses Firebase for commands and Telegram bots for administration.
Android-focused banking malware/RAT offered as a service-based criminal platform; distributed via phishing sites as malicious APKs and combines credential theft, device surveillance, and ransomware-like functionality. Uses Telegram and Firebase infrastructure for operations.
Android banking malware that evolved into a full-featured remote access trojan with credential theft (including JavaScript injection on banking pages), SMS/OTP harvesting, keylogging, notification theft, user surveillance, and anti-uninstall/stealth features; additionally includes a ransomware module that locks devices and demands cryptocurrency payment, persisting across reboots by storing infection details locally.