Mobile-Focused Threat Activity: Android Banking Trojan deVixor and QR-Code Phishing Growth
Reporting highlights an Android banking malware campaign dubbed deVixor that has been aggressively targeting Iranian users and has evolved from an SMS harvester into a modular RAT with banking fraud, surveillance, and a remotely triggered ransomware capability. Distribution is described as malicious APKs delivered via phishing sites masquerading as legitimate businesses; once installed, the malware requests extensive permissions to steal SMS/OTP data, card and account details, and content from banks and cryptocurrency services. The tooling reportedly supports WebView/JavaScript injection to capture credentials, keylogging and media theft (e.g., screenshot/gallery collection), and uses Telegram for command-and-control.
Separate reporting notes a surge in QR code phishing (“quishing”) against mobile users in 2025, where QR codes are used to redirect victims to credential-harvesting or otherwise malicious sites—reinforcing that mobile users are being targeted through multiple social-engineering delivery paths beyond traditional links. Two additional items reference a China-nexus actor (UAT-7290) targeting telecoms and Astaroth (“Boto Cor-de-Rosa”) banking malware pivoting to WhatsApp, but the provided excerpts contain insufficient detail to confirm they describe the same specific mobile-banking event as deVixor or the same QR-phishing reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CRIL publicly reports deVixor campaign details
On publication, Security Online summarized CRIL's findings on the deVixor Android malware campaign, including its focus on Iranian banking and cryptocurrency users and its expanded RAT and ransomware capabilities. This marked the public disclosure of the campaign's technical details and targeting patterns.
Report highlights surge in QR code phishing attacks targeting mobile users
A report cited by Zimperium said QR code-based phishing attacks surged during 2025, with campaigns redirecting mobile users to malicious websites designed to steal credentials and other sensitive data. The activity was presented as part of Zimperium's Mobile Threat Watch coverage and attributed to reporting from Cybersecurity Insiders.
deVixor evolves into a modular banking trojan and RAT
During the campaign, deVixor reportedly evolved from an SMS harvester into a more capable Android malware platform with banking fraud, surveillance, credential theft, keylogging, data exfiltration, and device-locking ransomware functions. The malware used WebView-based credential theft against banks and crypto services and relied on Telegram for command-and-control.
deVixor Android malware campaign begins targeting Iranian users
Cyble Research and Intelligence Lab reported that the deVixor Android banking malware campaign has aggressively targeted users in Iran since October 2025. The malware was distributed through phishing websites impersonating legitimate automotive businesses to trick victims into installing malicious APKs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mobile and RAT Malware Campaigns Targeting Asia and Banking Users
Reporting over the past week highlighted multiple active malware campaigns, including a **second-stage ValleyRAT payload (ValleyRAT_S2)** targeting organizations in **China, Hong Kong, Taiwan, and Southeast Asia**. The ValleyRAT_S2 stage was reported to spread via **counterfeit productivity apps, cracked software, Chinese-language utilities, and phishing attachments**, using **DLL side-loading** and library name mimicry to evade defenses. Post-install activity includes **system reconnaissance**, persistence via **Steam event–masquerading callbacks**, staging in `%TEMP%`, and capabilities such as **keystroke logging** and **local data exfiltration**. Separately, researchers described an evolving **Android banking/RAT threat dubbed deVixor**, with **700+ samples** observed since **October 2025**, distributed through **fraudulent websites impersonating automotive brands** to trick users into installing a malicious APK. The operation reportedly uses **Telegram-based infrastructure** for management and updates, with a dual-channel architecture where **Firebase** delivers attacker commands and a separate **C2** receives stolen data; SMS-based techniques are used to harvest banking-related information. A vendor report also warned that **GravityRAT** has reemerged as a **multi-platform RAT** (Windows/macOS/Android) with expanded mobile data theft and persistence capabilities, underscoring increased targeting of smartphones for sensitive file and backup exfiltration.
Mar 21, 2026
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Mar 24, 2026
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
Mar 21, 2026