Android Heist: How deVixor Malware Is Shaking Down Iranian Smartphone Users
A new breed of Android malware is raiding Iranian bank accounts, hijacking devices, and holding victims for crypto ransom.
It starts with a deal too good to be true - a shiny new car at a fraction of the price, advertised by what looks like a trusted dealership. But for hundreds of Iranian Android users, one click is all it takes to plunge into a digital nightmare. Behind these tempting offers lurks deVixor: a rapidly evolving cyber weapon wielded by criminals to loot bank accounts, spy on every move, and lock up phones for ransom.
Fast Facts
- deVixor is a sophisticated Android malware targeting Iranian users since October 2025.
- Spreads through phishing sites disguised as auto dealerships, distributing malicious APKs.
- Combines banking credential theft, device surveillance, and ransomware in one package.
- Demands cryptocurrency ransom (50 TRX) to unlock infected devices.
- Uses Telegram bots and Firebase for command and control, traffic that blends in with legitimate app activity.
Inside the deVixor Campaign: Anatomy of a Mobile Crimewave
Cybersecurity experts have traced more than 700 distinct deVixor samples - evidence of relentless development. The infection vector is as cunning as it is simple: phishing websites, written in Persian and modeled on well-known automotive businesses, trick users into sideloading infected Android apps (APKs). On first launch the app asks for broad permissions - contacts, SMS, storage, and Android's powerful Accessibility Services - and it is the Accessibility Services grant that hands it real control: the ability to read whatever is on screen, inject taps on the user's behalf, and fend off attempts to remove it.
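The permission and component mix described above is something an analyst can check for before an APK ever runs. The script below is an added example written for this article, not deVixor code and not a vendor tool: it parses a decoded AndroidManifest.xml (assumed to have been pulled from the APK with a tool such as apktool) and flags the combination the campaign relies on: SMS and contacts access, reboot and foreground-service persistence, a declared Accessibility Service, and a brand label (YouTube) that does not match the package name. The manifest embedded in it is constructed for the demo; com.example.carsale is a fictional package.

```python
"""Triage a decoded AndroidManifest.xml for the permission and component
combination the article describes deVixor droppers requesting.

Added example for this article; not deVixor code and not a vendor tool.
Assumes the manifest was already extracted and decoded (e.g. with apktool).
The manifest below is constructed; com.example.carsale is fictional.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article reports deVixor asking for, plus the two that
# underpin its reboot and foreground-service persistence.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "reads stored SMS (OTPs, bank alerts)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.READ_CONTACTS": "harvests contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts after reboot",
    "android.permission.FOREGROUND_SERVICE": "keeps a foreground service alive",
}

# Brand names sideloaded malware borrows, mapped to the package a genuine
# build ships under. The article names only YouTube.
KNOWN_LABELS = {"youtube": "com.google.android.youtube"}


def _a(elem, attr):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    findings = []

    for perm, why in RISKY_PERMISSIONS.items():
        if perm in perms:
            findings.append(f"requests {perm.rsplit('.', 1)[-1]}: {why}")

    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE whose intent filter handles the
    # AccessibilityService action.
    a11y = any(
        _a(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        and "android.accessibilityservice.AccessibilityService"
        in {_a(a, "name") for a in s.iter("action")}
        for s in root.iter("service")
    )
    if a11y:
        findings.append("declares an Accessibility Service (screen reading, "
                        "input injection, resisting removal)")

    boot = any(_a(a, "name") == "android.intent.action.BOOT_COMPLETED"
               for r in root.iter("receiver") for a in r.iter("action"))
    if boot:
        findings.append("registers a BOOT_COMPLETED receiver (reboot persistence)")

    # A decoded manifest may carry "@string/app_name" here instead of text;
    # the brand check then simply does not fire.
    app = root.find("application")
    label = (_a(app, "label") or "") if app is not None else ""
    expected = KNOWN_LABELS.get(label.strip().lower())
    impersonation = expected is not None and package != expected
    if impersonation:
        findings.append(f"labelled '{label}' but package is {package}, "
                        f"not {expected}")

    # SMS access together with an accessibility service is the banker
    # signature; either alone is common in legitimate apps.
    sms = perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    verdict = "HIGH" if (sms and a11y) else ("MEDIUM" if findings else "LOW")
    return {
        "package": package,
        "label": label,
        "permissions": sorted(p for p in perms if p),
        "accessibility_service": a11y,
        "boot_receiver": boot,
        "impersonation": impersonation,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed manifest mirroring the behaviour the article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carsale">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="YouTube">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SUSPICIOUS_MANIFEST)
    print(f"{report['package']} -> {report['verdict']}")
    for f in report["findings"]:
        print("  -", f)
```

The verdict deliberately stays at MEDIUM unless SMS access and an Accessibility Service appear together: messaging apps legitimately read SMS and screen readers legitimately declare accessibility services, but a sideloaded "car dealer" app wanting both is the pattern this campaign shows.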
What makes deVixor especially dangerous is its multi-tool arsenal. Using JavaScript injected into WebView content, it captures credentials as victims log into their bank accounts, focusing on Iranian institutions such as Bank Melli Iran, Bank Mellat, and Bank Tejarat. It sifts through thousands of SMS messages, extracting one-time passwords (OTPs), account balances, and payment card numbers, and it also targets Iran's booming crypto exchanges, including Ramzinex and Exir.
But deVixor doesn’t stop at theft. With a single remote command, attackers can activate a ransomware module, locking the user out of their own device and demanding a 50 TRX (Tron cryptocurrency) payment for release. The malware’s infrastructure is equally sophisticated, relying on Firebase for covert command delivery and Telegram bots for large-scale management. Each infected device is assigned a unique Bot ID, allowing attackers granular control and real-time oversight.
To stay hidden, deVixor masquerades as legitimate apps such as YouTube, disables Google Play Protect, and blocks uninstallation attempts. It survives reboots and keeps itself running with foreground services, so removal is a technical challenge. Evidence from Telegram channels shows hundreds of compromised devices, with attackers boasting about their reach and profits.
Security professionals urge Android users to be vigilant: install apps only from official stores and never from an APK link in an advertisement, scrutinize website URLs, refuse Accessibility Services access to any app that has no clear reason to need it, enable multi-factor authentication (preferably an authenticator app or hardware key, since this malware reads SMS codes), and keep devices updated. If you suspect infection, act immediately: reset credentials from a clean device, alert your bank, and factory-reset the phone (boot into safe mode first if the malware blocks uninstallation) to reclaim your device and finances.
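For anyone with a USB cable and adb who suspects a phone is infected, the behaviours described above (a sideloaded app holding an enabled Accessibility Service, Play Protect switched off, uninstall blocked) can be checked from a laptop before resorting to a factory reset. The script below is an added example for this article, not a deVixor artefact or a vendor tool. It parses the text printed by real adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, `dumpsys package <pkg>` for its installerPackageName line, and `settings get global package_verifier_user_consent`); all of the output embedded here is constructed and com.example.carsale is fictional. Treating package_verifier_user_consent as a Play Protect indicator (-1 meaning the user declined it) is an assumption on my part: read it as a hint, not proof.

```python
"""Post-infection triage from adb output.

Added example for this article, not a deVixor artefact or a vendor tool.
It parses the text printed by these real commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
    adb shell dumpsys package <pkg>        (its installerPackageName= line)
    adb shell settings get global package_verifier_user_consent

and flags sideloaded third-party apps holding an enabled Accessibility
Service, the foothold the article describes. All outputs below are
constructed; com.example.carsale is fictional. Reading
package_verifier_user_consent as a Play Protect indicator (-1 = declined)
is an assumption: treat it as a hint, not proof.
"""
import re

PLAY_STORE_INSTALLER = "com.android.vending"
# Accessibility services from the platform or Google that are expected to
# be enabled; anything else gets examined. Extend for your own fleet.
TRUSTED_A11Y_PREFIXES = ("com.google.android.marvin.talkback/", "com.android.")


def parse_enabled_accessibility(raw):
    """'pkg/Svc:pkg2/Svc2' -> ['pkg/Svc', 'pkg2/Svc2']; 'null' or '' -> []."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def parse_third_party_packages(raw):
    """Lines of 'package:<name>' -> set of names."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def parse_installer(dumpsys_raw):
    """installerPackageName=<x> from dumpsys package; None when absent/null."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_raw)
    return None if not m or m.group(1) == "null" else m.group(1)


def triage_device(a11y_raw, packages_raw, dumpsys_by_pkg, verifier_consent_raw):
    third_party = parse_third_party_packages(packages_raw)
    suspects = []
    for comp in parse_enabled_accessibility(a11y_raw):
        if comp.startswith(TRUSTED_A11Y_PREFIXES):
            continue
        pkg = comp.split("/", 1)[0]
        installer = parse_installer(dumpsys_by_pkg.get(pkg, ""))
        suspects.append({
            "package": pkg,
            "service": comp,
            "third_party": pkg in third_party,
            "installer": installer,
            "sideloaded": installer != PLAY_STORE_INSTALLER,
        })
    play_protect_declined = verifier_consent_raw.strip() == "-1"

    actions = []
    for s in suspects:
        if s["third_party"] and s["sideloaded"]:
            # pm uninstall often succeeds when the app's own defences block
            # the Settings UI; if it is refused, reboot into safe mode
            # (third-party apps do not run there) and retry.
            actions.append(f"adb shell pm uninstall --user 0 {s['package']}")
    if play_protect_declined:
        actions.append("re-enable Google Play Protect in the Play Store")

    likely = any(s["third_party"] and s["sideloaded"] for s in suspects)
    return {
        "suspects": suspects,
        "play_protect_declined": play_protect_declined,
        "verdict": "likely infected" if likely else "no deVixor-style foothold seen",
        "actions": actions,
    }


# Constructed adb output for the demo.
SAMPLE_A11Y = ("com.example.carsale/com.example.carsale.A11y:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService")
SAMPLE_PACKAGES = "package:com.example.carsale\npackage:org.telegram.messenger\n"
SAMPLE_DUMPSYS = {
    "com.example.carsale": "    installerPackageName=null\n",
    "org.telegram.messenger": "    installerPackageName=com.android.vending\n",
}
SAMPLE_VERIFIER = "-1\n"

if __name__ == "__main__":
    report = triage_device(SAMPLE_A11Y, SAMPLE_PACKAGES, SAMPLE_DUMPSYS, SAMPLE_VERIFIER)
    print(report["verdict"])
    for a in report["actions"]:
        print("  -", a)
```

A clean result from this script does not prove the phone is clean; it only says the specific foothold this campaign uses is absent. Credential resets and a call to the bank still come first, because the SMS and credentials already exfiltrated are not undone by removing the app.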
Conclusion
deVixor isn’t just another piece of Android malware - it’s a glimpse into the future of mobile cybercrime, where financial theft, surveillance, and extortion converge in a single, relentless campaign. For Iranian users, the threat is urgent and real. For the rest of us, it’s a warning: in the digital bazaar, the next bargain might cost you everything.
WIKICROOK
- APK: An APK (Android Package) is the installation file format for Android apps. Installing one from outside the official Play Store (sideloading) bypasses the store's vetting and is risky unless the source is trusted.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim's device from anywhere, enabling theft and spying.
- WebView: WebView is an embedded browser within an app, letting users view web content without leaving the application or opening a separate browser.
- Firebase: Firebase is a Google cloud platform for app development, sometimes misused by attackers for malware command and control or data theft.
- Telegram Bot: A Telegram Bot is an automated program on Telegram that can send or receive messages, often used for automation or by cybercriminals to manage malware.