Cyble Research and Intelligence Labs (CRIL) has discovered deVixor, an advanced Android banking trojan with ransomware capabilities, which targets Iranian users through an elaborate phishing campaign masquerading as legitimate automotive businesses.
The malware began as a basic SMS harvester but has since grown into a fully featured Remote Access Trojan (RAT), which represents a significant escalation in mobile banking threats.
In cybersecurity terms, a “trojan” is a kind of malware that misleads users by disguising itself as a normal program, while “ransomware” refers to software intended to extort money by encrypting or otherwise blocking access to applications or files on a computer system until a sum of money is paid.
According to Rupali Parate, senior research engineer at Cyble, the deVixor RAT prompts victims to grant multiple high-risk permissions, including access to contacts, SMS messages, media files, and the accessibility service, once installed on an Android device.
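As an added illustration of the permission profile Parate describes (this script is not from Cyble's report or from the malware itself), the following Python parses an AndroidManifest.xml and flags an APK that requests the same combination of contacts, SMS, media and accessibility-service access; the sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names grouped into the four categories the
# article lists: SMS, contacts, media files and the accessibility service.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "media",
    "android.permission.READ_MEDIA_IMAGES": "media",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
REQUIRED_FOR_PROFILE = {"sms", "contacts", "media", "accessibility"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk categories a manifest requests and whether the
    combination matches the deVixor-style profile (all four categories)."""
    root = ET.fromstring(manifest_xml)
    categories = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name in HIGH_RISK_PERMISSIONS:
            categories.add(HIGH_RISK_PERMISSIONS[name])
    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE, not as a <uses-permission> entry.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            categories.add("accessibility")
    return {
        "categories": sorted(categories),
        "matches_profile": REQUIRED_FOR_PROFILE.issubset(categories),
    }


# Constructed sample manifest (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a triage signal for closer inspection, not proof of malice, since legitimate apps can request any one of these categories.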
After activation, the malware automatically scans SMS messages on the infected device to extract banking-related information such as account balances, one-time passwords (OTPs), bank alerts, credit card details, and cryptocurrency transaction data.
In addition to SMS harvesting, deVixor uses a WebView-based JavaScript injection technique: it loads legitimate banking or financial websites inside a hidden WebView and injects malicious scripts to capture user credentials during login attempts.
Parate also noted that deVixor incorporates a ransomware module. In certain cases the threat actor activates an overlay ransom screen that locks the device and instructs the victim to transfer funds to a specified cryptocurrency wallet address in order to regain access.
CRIL identified deVixor while monitoring malicious and phishing websites distributing suspicious Android APK files. According to Parate, the targeting of Iranian users and institutions was explicit and deliberate. Analysis of the APK revealed a predefined list of targeted banking and financial applications, all of which belong to Iranian banks, payment services, and cryptocurrency platforms.
Additional evidence includes Persian-language artifacts and screenshots shared within the associated Telegram channels, all of which suggest that the threat actor is familiar with the Iranian financial landscape.
According to Cyble, over 700 samples of deVixor variants have been identified since October 2025. They were distributed through fraudulent websites posing as legitimate automotive companies, which lured in victims with heavily discounted vehicle offers, tricking them into downloading malicious APK files that install the banking trojan.
“deVixor demonstrates how Android banking malware has evolved into scalable, service-driven criminal platforms capable of long-term device compromise and multi-vector financial abuse,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. “The combination of banking fraud capabilities with ransomware functionality, all managed through Telegram infrastructure, makes this a particularly interesting and dangerous threat to mobile users in the region.”
In order to avoid being targeted by such malware, it has been recommended that people download applications only through trusted sources, and exercise caution with permissions and installs.
Watching out for phishing pages, enabling multi-factor authentication (MFA), reporting suspicious activity, using mobile security solutions, and keeping devices updated can all help ensure safety despite the growing presence of such fraudulent software.