What happened
deVixor is Android banking malware with built-in ransomware capabilities, identified as a growing mobile threat that combines credential theft and extortion in one platform. Since October 2025, deVixor samples have been distributed through fraudulent websites mimicking legitimate automotive brands, tricking victims into installing a malicious APK. Once installed, the malware intercepts SMS messages to harvest banking credentials for over 20 major financial institutions (including Bank Melli Iran, Bank Mellat, Binance, and Ramzinex) and injects JavaScript into WebViews to capture user input. The operation uses centralized infrastructure on Telegram and a dual-server setup (Firebase for commands, a separate C2 server for stolen data). A built-in ransomware module also locks infected devices and demands payment in TRON cryptocurrency.
Who is affected
Mobile users targeted via deceptive sites face direct exposure to credential theft and device lockouts; banking customers of targeted financial institutions and cryptocurrency platforms are at risk of unauthorized access and financial loss due to stolen authentication data.
Why CISOs should care
This campaign illustrates the evolution of Android malware into multi-vector criminal tools, combining credential harvesting, SMS interception, and ransomware extortion with robust infrastructure control. The threat highlights risks to mobile banking security, user trust, and the broader digital financial ecosystem.
3 practical actions
- Harden mobile defenses: Ensure mobile threat detection solutions are deployed and updated to identify malicious APK behavior and SMS interception techniques.
- Educate end users: Inform users about the dangers of installing apps from outside trusted app stores and teach them how to recognize phishing sites.
- Monitor for credential compromise: Integrate banking credential monitoring and alerting to detect unusual access patterns linked to this threat.
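The first action above calls for identifying malicious APK behaviour such as SMS interception. As an added illustration (not code from the brief or from any vendor tool), the following triage routine inspects a decoded AndroidManifest.xml for the capability combination this campaign relies on: SMS permissions and a high-priority SMS_RECEIVED receiver, a device-admin component (used for screen locking), and overlay permission. The manifest, package name and component names are constructed for the example and are not deVixor indicators.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; element tags (uses-permission, receiver) do not.
A = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (not a real deVixor artifact) showing the combination
# of capabilities the brief describes: SMS interception plus a device-admin lock component.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicator categories a decoded AndroidManifest.xml exhibits and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = {}
    if perms & SMS_PERMS:
        findings["sms_permissions"] = sorted(perms & SMS_PERMS)
    for rcv in root.iter("receiver"):
        actions = {act.get(A + "name") for act in rcv.iter("action")}
        if SMS_ACTION in actions:
            # A high-priority SMS_RECEIVED receiver lets an app see OTP texts as they arrive
            flt = rcv.find("intent-filter")
            findings["sms_receiver"] = {"component": rcv.get(A + "name"),
                                        "priority": flt.get(A + "priority") if flt is not None else None}
        if rcv.get(A + "permission") == DEVICE_ADMIN:
            # Device-admin receivers can lock the screen and resist uninstall (lock/ransom behaviour)
            findings["device_admin"] = rcv.get(A + "name")
    if OVERLAY in perms:
        findings["overlay"] = OVERLAY
    # Two or more categories together warrant analyst review; one alone is common in benign apps
    verdict = "review" if len(findings) >= 2 else "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}
```

Manifests inside real APKs are stored in binary XML, so decode them first (for example with apktool or aapt) before passing the text to `triage_manifest`.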
