Android Users Targeted by deVixor Banking Malware with Ransomware Capabilities.

Iranian Android users face a coordinated cyberattack from deVixor. This sophisticated banking malware has matured into a full-featured remote access trojan combining financial theft, ransomware encryption, and persistent device surveillance within a single malicious platform.

Initial version announcement of deVixor RAT

The malware propagates through elaborate phishing websites that impersonate legitimate automotive businesses, enticing victims with heavily discounted vehicle offers.

These fraudulent sites distribute malicious APK files that, once installed, immediately request extensive permissions, including SMS access, contact lists, file system access, and Android's Accessibility Service capabilities.

grant permissions

The malware has been active since October 2025, and cybersecurity researchers have cataloged more than 700 samples that show rapid evolution from basic SMS harvesting to advanced banking fraud tooling.

The malware employs WebView-based JavaScript injection to intercept credentials when victims access legitimate banking interfaces, while simultaneously scanning up to 5,000 SMS messages to extract one-time passwords, account balances, and payment card numbers from Iranian financial institutions.

A remotely triggered ransomware module can lock compromised devices and demand cryptocurrency payments of 50 TRX.

The malware leverages Firebase for command delivery and Telegram-based bot infrastructure for administration, enabling attackers to orchestrate infections at scale while circumventing traditional detection mechanisms.

Telegram channels operated by the threat actor reveal hundreds of simultaneously compromised devices, each assigned unique Bot IDs for granular individual control.

The campaign exhibits deliberate regional specialization, exclusively targeting Iranian banks, including Bank Melli Iran, Bank Mellat, Bank Tejarat, and domestic cryptocurrency exchanges such as Ramzinex, Exir, and Tabdeal. Linguistic artifacts and Persian-language phishing overlays confirm the geographic focus.

cryptocurrency-related SMSs

Technical analysis demonstrates deVixor’s comprehensive surveillance capabilities: harvesting contact databases, capturing keystrokes, taking screenshots, sending SMS messages to premium numbers, preventing application uninstallation, masquerading as YouTube to conceal its presence, and disabling Google Play Protect.

The malware maintains persistence through BOOT_COMPLETED broadcast receivers and foreground services, as reported by Cyble.
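The permission set requested at install time and the persistence components described above are all visible in a sample's AndroidManifest.xml, which makes a manifest triage pass a cheap first filter for an analyst who receives one of these APKs. The script below is an added example, not Cyble's tooling or anything from the malware itself: it parses a decoded manifest and flags the capability combination this article describes (SMS, contacts, storage, an accessibility-bound service, a BOOT_COMPLETED receiver, foreground-service permission, and an app label impersonating YouTube). The two manifests embedded in it are constructed for illustration; the package names, component names and the score threshold are assumptions, not indicators taken from real samples.

```python
"""Static manifest triage for the capability set the deVixor write-up describes.

Added example, not Cyble's or the malware author's code. The manifests below are
constructed for illustration; for a real sample, decode AndroidManifest.xml first
(apktool or androguard) and pass the XML text to triage_manifest()."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Capabilities the article attributes to the malware, keyed to the permissions that
# implement them. Any one alone is common in legitimate apps; the combination is not.
CAPABILITY_PERMS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "foreground_service": {"android.permission.FOREGROUND_SERVICE"},
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
YOUTUBE_PKG = "com.google.android.youtube"  # the genuine package name


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, per-capability findings, a score and a coarse verdict."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}

    findings = {}
    for cap, perms in CAPABILITY_PERMS.items():
        hit = sorted(declared & perms)
        if hit:
            findings[cap] = hit

    # Accessibility abuse: a <service> bound with BIND_ACCESSIBILITY_SERVICE.
    acc = [s.get(A + "name") for s in root.iter("service")
           if s.get(A + "permission") == ACCESSIBILITY_PERM]
    if acc:
        findings["accessibility_service"] = acc

    # Boot persistence: a <receiver> whose intent-filter includes BOOT_COMPLETED.
    boot = [r.get(A + "name") for r in root.iter("receiver")
            if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))]
    if boot:
        findings["boot_receiver"] = boot

    # Masquerading: an app labelled "YouTube" that is not the real YouTube package.
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    if "youtube" in label and pkg != YOUTUBE_PKG:
        findings["brand_impersonation"] = [label]

    # Threshold of four distinct capabilities is an assumption for this example.
    score = len(findings)
    verdict = "suspicious" if score >= 4 else ("review" if score else "clean")
    return {"package": pkg, "score": score, "verdict": verdict, "findings": findings}


# Constructed manifest mimicking the capability set described in the article (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carsale">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="YouTube">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], sorted(r["findings"]))
```

Run it against the embedded manifests and the constructed lure package scores eight findings and is marked suspicious, while the benign one scores zero. The manifest is only a first filter: the WebView injection, SMS parsing and Firebase/Telegram traffic the article describes live in the dex code and network behaviour, so a manifest hit should route the sample to dynamic analysis rather than stand as a verdict on its own.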

Security professionals advise installing applications exclusively from official sources, meticulously verifying URLs before interaction, enabling multi-factor authentication for financial services, deploying reputable mobile security solutions, and maintaining updated Android operating systems.

Users suspecting compromise should immediately contact financial institutions, reset all credentials, and perform factory device resets to eradicate persistent malware components.


The post Android Users Targeted by deVixor Banking Malware with Ransomware Capabilities. appeared first on Cyber Security News.
