Mobile-Focused Threat Activity: Android Banking Trojan deVixor and QR-Code Phishing Growth
Reporting highlights an Android banking malware campaign dubbed deVixor that has been aggressively targeting Iranian users and has evolved from an SMS harvester into a modular RAT with banking fraud, surveillance, and a remotely triggered ransomware capability. Distribution is described as malicious APKs delivered via phishing sites masquerading as legitimate businesses; once installed, the malware requests extensive permissions to steal SMS/OTP data, card and account details, and content from banks and cryptocurrency services. The tooling reportedly supports WebView/JavaScript injection to capture credentials, keylogging and media theft (e.g., screenshot/gallery collection), and uses Telegram for command-and-control.
Separate reporting notes a surge in QR code phishing (“quishing”) against mobile users in 2025, where QR codes are used to redirect victims to credential-harvesting or otherwise malicious sites—reinforcing that mobile users are being targeted through multiple social-engineering delivery paths beyond traditional links. Two additional items reference a China-nexus actor (UAT-7290) targeting telecoms and Astaroth (“Boto Cor-de-Rosa”) banking malware pivoting to WhatsApp, but the provided excerpts contain insufficient detail to confirm they describe the same specific mobile-banking event as deVixor or the same QR-phishing reporting.
Related Stories

Mobile and RAT Malware Campaigns Targeting Asia and Banking Users
Reporting over the past week highlighted multiple active malware campaigns, including a **second-stage ValleyRAT payload (ValleyRAT_S2)** targeting organizations in **China, Hong Kong, Taiwan, and Southeast Asia**. The ValleyRAT_S2 stage was reported to spread via **counterfeit productivity apps, cracked software, Chinese-language utilities, and phishing attachments**, using **DLL side-loading** and library name mimicry to evade defenses. Post-install activity includes **system reconnaissance**, persistence via **Steam event–masquerading callbacks**, staging in `%TEMP%`, and capabilities such as **keystroke logging** and **local data exfiltration**. Separately, researchers described an evolving **Android banking/RAT threat dubbed deVixor**, with **700+ samples** observed since **October 2025**, distributed through **fraudulent websites impersonating automotive brands** to trick users into installing a malicious APK. The operation reportedly uses **Telegram-based infrastructure** for management and updates, with a dual-channel architecture where **Firebase** delivers attacker commands and a separate **C2** receives stolen data; SMS-based techniques are used to harvest banking-related information. A vendor report also warned that **GravityRAT** has reemerged as a **multi-platform RAT** (Windows/macOS/Android) with expanded mobile data theft and persistence capabilities, underscoring increased targeting of smartphones for sensitive file and backup exfiltration.
2 months ago
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
1 week ago
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
1 week ago
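Both the RedAlert write-ups above point at the same triage signal: a consumer app that asks for SMS, contacts and precise location together. The script below is an added example, not code from CloudSEK, PolySwarm, Zimperium or any other source cited here. It parses a decoded AndroidManifest.xml (the sample manifests are constructed for the example; the permission strings are the real Android constants) and flags the permission profile the reporting describes. The function names and the risk grouping are this example's own choices.

```python
"""Static permission triage for a decoded AndroidManifest.xml.

Added example: collect every <uses-permission> an app requests and flag
the combination the reporting associates with trojanized "alert" apps
(SMS access + contacts + precise location). Both sample manifests below
are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Sensitive permission groups. The group names and grouping are this
# example's own choice; the permission strings are real Android constants.
RISK_GROUPS = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "contacts": {"android.permission.READ_CONTACTS"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# The combination flagged in the RedAlert analyses.
SURVEILLANCE_PROFILE = {"sms", "contacts", "precise_location"}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both tags declare permissions; uses-permission-sdk-23 is API-level gated.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Map requested permissions onto risk groups and flag the surveillance profile."""
    perms = requested_permissions(manifest_xml)
    hits = {
        group: sorted(perms & names)
        for group, names in RISK_GROUPS.items()
        if perms & names
    }
    return {
        "permissions": sorted(perms),
        "hits": hits,
        "surveillance_profile": SURVEILLANCE_PROFILE.issubset(hits),
    }


# Constructed manifest resembling a trojanized alert app: location is plausible
# for an alerting app, but SMS and contacts access alongside it is not.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alert">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Alert"/>
</manifest>
"""

# Constructed manifest for a benign alert app: location and network only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alert">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.POST_NOTIFICATIONS"/>
    <application android:label="Alert"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "surveillance_profile =", result["surveillance_profile"], result["hits"])
```

Run against a manifest decoded with any standard APK tool; a `surveillance_profile` of `True` is a triage flag to prioritise the sample for dynamic analysis, not a verdict on its own, since legitimate messaging or contact-management apps request some of the same groups.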