A sophisticated Android banking malware known as deVixor is actively targeting users with combined financial data theft and ransomware capabilities. Security researchers have identified over 700 samples of this evolving threat since October 2025, indicating a persistent and developing campaign. The malware leverages fraudulent websites mimicking legitimate automotive companies to lure victims into downloading malicious APK files, ultimately leading to compromised devices.
The deVixor campaign is managed through Telegram-based infrastructure, allowing threat actors to maintain centralized control and rapidly deploy updates. This operational structure enables them to manage hundreds of infected devices simultaneously, each tracked with a unique identifier for command delivery. The malware utilizes a dual-server system for communication: Firebase for receiving commands and a separate command-and-control server for exfiltrating stolen data, enhancing operational flexibility and security for the attackers.
Cyble analysts have observed continuous development of deVixor, with each new version introducing enhanced capabilities and more refined evasion techniques designed to bypass security measures. This evolution marks a significant advancement in Android-based threats, moving beyond simple data collection to more aggressive extortion tactics.
Banking Credential Harvesting Through SMS Interception
The primary objective of deVixor is to harvest banking credentials by meticulously analyzing SMS messages on infected devices. The malware scans for financial content, specifically looking for banking-related information and one-time passwords. It employs regular expressions to extract sensitive data from messages originating from Iranian banks and cryptocurrency exchanges.
The malware specifically targets over 20 major financial institutions, including prominent names like Bank Melli Iran and Bank Mellat, as well as numerous cryptocurrency platforms such as Binance and Ramzinex. This focused approach suggests a well-researched and targeted attack strategy aimed at maximizing financial gain.
Credential harvesting is facilitated through JavaScript injection within WebView components. When a user taps a fake bank notification, the malware opens a malicious webpage designed to look like a legitimate banking interface. The injected JavaScript then captures all user input, including login credentials and account details, and transmits it directly to the threat actors. This method exploits user trust in official-looking interfaces to trick victims into divulging sensitive information.
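The SMS-interception, WebView JavaScript-injection and Firebase command-channel behaviours described above rarely occur together in a benign app, so a defender triaging a decoded APK can score that combination. The following is an added example written for this page, not code from the article or from Cyble; it runs over a constructed AndroidManifest.xml and a constructed list of decompiled-code strings, and the specific permission names and API strings it looks for are standard Android identifiers chosen here as an assumed mapping to the behaviours, not indicators taken from the reported samples.

```python
"""Triage a decoded Android app for the behaviour combination attributed
to deVixor above: SMS reading, WebView JavaScript injection, Firebase
command reception and a screen-locking overlay.
Constructed example, not the article's or Cyble's code; the signal
mapping below is an assumption for illustration."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permissions mapped to the behaviour they enable.
PERMISSION_SIGNALS = {
    "android.permission.RECEIVE_SMS": "sms-interception",
    "android.permission.READ_SMS": "sms-interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen-lock-overlay",
}
# Strings expected in decompiled code for each behaviour.
CODE_SIGNALS = {
    "sms-interception": re.compile(r"android\.provider\.Telephony\.SMS_RECEIVED"),
    "webview-js-injection": re.compile(
        r'(addJavascriptInterface|evaluateJavascript|loadUrl\("javascript:)'),
    "firebase-commands": re.compile(r"com[./]google[./]firebase[./](messaging|database)"),
}

def triage(manifest_xml: str, code_strings: list) -> dict:
    """Return the behaviours found and whether the combination is suspicious."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_SIGNALS:
            found.add(PERMISSION_SIGNALS[name])
    for s in code_strings:
        for behaviour, pattern in CODE_SIGNALS.items():
            if pattern.search(s):
                found.add(behaviour)
    # Any single signal is common in legitimate apps; the full triad is not.
    triad = {"sms-interception", "webview-js-injection", "firebase-commands"}
    return {"behaviours": sorted(found), "suspicious": triad <= found}

# Constructed sample input standing in for apktool output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""
SAMPLE_STRINGS = ["android.provider.Telephony.SMS_RECEIVED",
                  "Lcom/google/firebase/messaging/FirebaseMessagingService;",
                  "addJavascriptInterface"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```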
A particularly alarming feature of deVixor is its integrated ransomware module. Upon receiving a specific command, the malware locks the device's display and demands a ransom payment of 50 TRON cryptocurrency. The ransom message displays the attacker's wallet address, and the device remains locked until the payment is received. Evidence from the threat actor's Telegram channel indicates that these device-locking and extortion tactics are actively being used against victims, demonstrating the malware's potential for widespread disruption and financial harm.
The technical sophistication of deVixor highlights the evolving nature of Android banking malware. These threats are no longer limited to basic credential stealing, but have transformed into comprehensive criminal platforms capable of supporting multiple attack vectors, persistent surveillance, and direct financial extortion. The continuous development and deployment of such advanced malware pose a significant and ongoing risk to mobile users globally, necessitating robust security practices and vigilant monitoring from cybersecurity professionals.