deVixor: The Android Malware That Steals Your Money — Then Locks Your Phone for Ransom

Date observed: 13 January 2026
Threat type: Mobile malware (Banking RAT + optional ransomware/locker)
Target platform: Android
Geographic focus: Iran
Severity: High


Executive overview

In mid-January 2026, a newly identified Android malware family named deVixor was observed actively targeting Android users in Iran. deVixor is not a single-purpose threat. It combines traditional Android banking trojan functionality with an on-demand ransomware module that can fully lock a victim’s device.

What makes this malware concerning is its flexibility. Attackers can decide whether they want to quietly steal banking credentials over time or immediately lock the phone and demand payment. This dual-use design suggests an organized operation focused on maximizing financial gain rather than random infections.


What happened

Victims were tricked into installing a malicious Android application that appeared legitimate. Once installed, the app abused Android’s Accessibility Service to gain deep control over the device. From there, it monitored banking activity, intercepted SMS messages, captured credentials, and, in some cases, activated a ransomware-style screen locker that prevented users from accessing their phones.

There is no evidence of a system-level Android vulnerability being exploited. The success of the attack relied entirely on social engineering and misuse of legitimate Android features.


How the attack happened

1. Initial infection vector

The initial access vector was SMS phishing (smishing) and messaging app lures. Messages were written in Persian and designed to look urgent and official. Common themes included:

  • Bank account verification warnings
  • Suspicious transaction alerts
  • Missed parcel or delivery issues
  • Government or telecom service notifications

Each message contained a link leading to an external website hosting a malicious APK.


2. Malicious APK delivery

The landing pages were simple but convincing, often mimicking:

  • Local bank portals
  • Government service pages
  • Mobile operator support sites

Users were instructed to download an APK and were given visual guidance on how to enable “Install unknown apps” if the device blocked the installation.


3. Permission abuse during setup

After installation, deVixor requested a combination of dangerous permissions:

  • Accessibility Service
  • Read and receive SMS
  • Draw over other apps
  • Run at startup

The app claimed these permissions were required for “secure verification” or “fraud prevention.”

Once Accessibility access was granted, the device was effectively compromised.


4. Command-and-control communication

After setup, the malware connected to a remote command-and-control (C2) server. It remained mostly idle until receiving instructions. Operators could:

  • Enable banking credential theft
  • Push overlay templates for specific banking apps
  • Activate or deactivate the ransomware/locker module
  • Update configuration files remotely

Malware functionality

Banking trojan features

  • Overlay attacks:
    deVixor displays fake login screens on top of real banking apps. Victims believe they are logging into their bank, but credentials are sent to attackers.
  • SMS interception:
    Incoming SMS messages, including one-time passwords (OTPs), are silently read and forwarded.
  • Keystroke monitoring:
    Using Accessibility, the malware captures text input across targeted applications.
  • Application tracking:
    The malware monitors which apps are opened, prioritizing financial and payment apps.

Ransomware / locker module

This module is not always enabled but can be activated remotely.

  • Device locking:
    The malware prevents access to the home screen and system settings.
  • Persistence after reboot:
    Locking behavior resumes automatically after restart.
  • Extortion message:
    A full-screen message demands payment, typically via cryptocurrency or local payment methods.

Evasion and persistence techniques

  • Hides its launcher icon after installation
  • Delays malicious activity to avoid sandbox detection
  • Uses encrypted communication with C2
  • Automatically restarts using Accessibility privileges

Payloads involved

  • Primary payload: Malicious Android APK containing the RAT core
  • Secondary payloads:
    • Banking overlay templates
    • Ransomware/locker module
    • Configuration files with target app lists and C2 details

No additional exploit payloads were observed.


Vulnerabilities exploited

No Android OS vulnerabilities were exploited. The attack relied on:

  • User trust in SMS and official-looking messages
  • Manual APK sideloading
  • Abuse of Accessibility Service permissions

Impacted sectors and victims

Impacted industries

  • Banking and financial services
  • Telecommunications
  • Government digital services (used mainly as lures)

Impacted users

  • Individual Android users, especially those who sideload apps
  • Users relying heavily on SMS-based banking authentication

Indicators of Compromise (IOCs)

Malicious package and file indicators

  • APK names resembling bank updates or service apps
  • Package names observed:
    • com[.]secure[.]update[.]bank
    • ir[.]service[.]verify[.]mobile
    • com[.]android[.]protect[.]access

Network indicators (C2 – observed patterns)

  • hxxps[:]//api[.]devixor-panel[.]online
  • hxxps[:]//sync[.]secure-access[.]site
  • hxxp[:]//45[.]138[.]72[.]91
  • hxxp[:]//185[.]225[.]69[.]44

(Domains and IPs rotated frequently; blocking should be behavior-based rather than static.)


Behavioral indicators

  • Accessibility Service enabled for an app that is not a screen reader
  • Banking apps showing unexpected login screens
  • SMS messages missing or not visible to the user
  • Device locking unexpectedly with a ransom message
  • Continuous background network traffic even when idle

Detection challenges

Traditional mobile antivirus solutions may miss deVixor because:

  • The malware uses legitimate Android APIs
  • Malicious behavior may not start immediately
  • Payloads are modular and delivered on demand

Behavioral monitoring and permission-abuse detection are more effective than signature-based methods.


Response and mitigation guidance

For security teams

  • Monitor for APK sideloading campaigns and SMS phishing waves
  • Alert on apps requesting Accessibility + SMS without strong justification
  • Correlate banking fraud events with mobile telemetry
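The permission-abuse alerting described above, and the behavioral indicators listed earlier, can be reduced to a simple scoring rule over an app inventory. The following is an added example, not tooling from the page or its author; the inventory format (a list of dicts) is an assumption, in practice filled from MDM telemetry or `adb shell dumpsys package`, and the sample entries are constructed.

```python
"""Score installed Android apps against the deVixor permission pattern.

Added example, not the page's or any vendor's code. The inventory layout is an
assumption; the three sample entries below are constructed placeholders.
"""

# Real Android permission identifiers that the page's permission list maps onto.
# An app exposing an accessibility service declares it with BIND_ACCESSIBILITY_SERVICE.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"      # "Draw over other apps"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"       # "Run at startup"

# Constructed sample inventory (package names are placeholders, not IOCs).
INVENTORY = [
    {"package": "com.example.talkback", "perms": {ACCESSIBILITY},
     "accessibility_enabled": True, "screen_reader": True, "icon_hidden": False},
    {"package": "com.example.bankupdate", "perms": {ACCESSIBILITY, OVERLAY, BOOT} | SMS,
     "accessibility_enabled": True, "screen_reader": False, "icon_hidden": True},
    {"package": "com.example.messenger", "perms": set(SMS),
     "accessibility_enabled": False, "screen_reader": False, "icon_hidden": False},
]


def score_app(app):
    """Return (score, reasons); each matched indicator adds one point."""
    reasons = []
    perms = app["perms"]
    if app["accessibility_enabled"] and not app["screen_reader"]:
        reasons.append("accessibility enabled for a non-screen-reader app")
    if perms & SMS:
        reasons.append("can read/receive SMS (OTP interception)")
    if OVERLAY in perms:
        reasons.append("can draw over other apps (overlay risk)")
    if BOOT in perms:
        reasons.append("runs at startup (locker persistence)")
    if app["icon_hidden"]:
        reasons.append("launcher icon hidden after install")
    # The combination the page singles out for alerting: Accessibility + SMS.
    if ACCESSIBILITY in perms and perms & SMS:
        reasons.append("Accessibility + SMS combination")
    return len(reasons), reasons


def flag_high_risk(inventory, threshold=3):
    """Map package name -> reasons for every app at or above the threshold."""
    return {a["package"]: score_app(a)[1]
            for a in inventory if score_app(a)[0] >= threshold}


if __name__ == "__main__":
    for pkg, why in flag_high_risk(INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

A legitimate screen reader with only the accessibility permission scores zero, so the rule keys on the combination rather than on Accessibility alone.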

For financial institutions

  • Educate users about fake app updates sent via SMS
  • Implement anti-overlay protections in mobile apps
  • Reduce reliance on SMS-only OTPs where possible

For affected users

  • Boot the device into safe mode
  • Revoke Accessibility permissions immediately
  • Remove suspicious applications
  • Reset banking credentials and monitor transactions

Final takeaway

deVixor represents a mature and financially motivated Android threat. Its ability to switch between silent banking fraud and aggressive ransomware gives attackers multiple monetization options from the same infection. The campaign shows how effective social engineering and permission abuse remain on mobile platforms, even without exploiting technical vulnerabilities.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.