A new, feature-rich Android banking trojan named Devixor is actively targeting users in Iran through a large-scale phishing campaign. The malware, first observed in October 2025, has evolved from a simple SMS-harvesting tool into a full-fledged Remote Access Trojan (RAT).
It is distributed via malicious APK files downloaded from fake websites that pose as legitimate automotive companies. Researchers at Cyble have identified over 700 samples, suggesting a sustained and widespread infection effort.
According to the Cyble report, the Devixor Android malware employs several advanced techniques to compromise devices and exfiltrate data. Later variants introduced banking overlays, keylogging, ransomware, Google Play Protect bypass techniques, and extensive abuse of Android's Accessibility Service.
It uses WebView-based JavaScript injection to capture login credentials from legitimate banking sites and systematically harvests SMS messages containing OTPs, account balances, and card numbers from Iranian banks and cryptocurrency exchanges.
Its command-and-control (C2) infrastructure is managed through Firebase for command delivery and a Telegram-based bot for administration, allowing operators to manage infected devices at scale.
Among the banks and payment services targeted by Devixor are:
A notable feature of this banking RAT is its ransomware capability: operators can remotely trigger it to lock a device and demand payment. Devixor displays a ransom note demanding cryptocurrency, and the ransomware state persists across reboots.
Its modular architecture enables threat actors to rapidly update the malware with new capabilities. The combination of financial fraud, credential theft, and extortion makes this Iran-targeted malware a particularly dangerous threat.
Users are advised to only download applications from official sources and be cautious of any app requesting extensive permissions, especially for Accessibility services.
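As an added example (not code from the article or the Cyble report), the following Python triage script flags, in a decoded AndroidManifest.xml, the capability combination described above: SMS access, a declared Accessibility Service, overlay permission, and boot persistence. The manifest it runs on is constructed for illustration, and the indicator names and risk levels are this example's own conventions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability indicators matching the behaviours reported for Devixor:
# SMS harvesting, overlays, and persistence across reboots (used by the ransomware state).
INDICATORS = {
    "sms_harvesting": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
# An accessibility service is declared on a <service> element, not as a uses-permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability indicators and declared permissions of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {name for name, needed in INDICATORS.items() if perms & needed}
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            found.add("accessibility_service")
    return {"indicators": sorted(found), "permissions": sorted(p for p in perms if p)}


def risk_level(indicators) -> str:
    """Accessibility plus SMS access is the Devixor-style pairing; rate it high."""
    found = set(indicators)
    if {"accessibility_service", "sms_harvesting"} <= found:
        return "high"
    if len(found) >= 2:
        return "medium"
    return "low" if found else "none"


# Constructed sample manifest (hypothetical package name, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.autoapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["indicators"], risk_level(report["indicators"]))  # [...] high
```

The manifest must already be decoded to plain XML (for example with apktool); the script does not parse the binary manifest inside an APK.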
In December, another Android banking trojan, FrogBlight, targeted Turkish users via smishing and fake government court file portals.