At least one Iranian consumer
January 20, 2026
•[ Android banking trojan, Remote-access trojan (RAT), Ransomware ]
Cyble Research and Intelligence Labs (CRIL) reported discovering deVixor, an advanced Android banking trojan that has remote-access (RAT) capabilities and can also deploy a ransomware-style device lock screen. The campaign explicitly targets Iranian users, distributing malicious APKs via phishing websites posing as legitimate automotive businesses and luring victims with heavily discounted vehicle offers. Once installed, deVixor prompts victims to grant high-risk permissions (contacts, SMS, media files, accessibility service), then harvests SMS data to extract banking information such as account balances, OTPs, bank alerts, credit card details, and crypto transaction data. It also uses WebView-based JavaScript injection to load real banking sites inside a hidden WebView and steal login credentials during authentication. In some cases, operators activate a ransom overlay that locks the device and demands payment to a cryptocurrency wallet. Cyble said it identified 700+ deVixor samples since October 2025 and observed indicators (Persian artifacts, targeted-app lists, Telegram infrastructure) suggesting strong familiarity with Irans financial ecosystem.
