
New Android malware ‘deVixor’ adds ransomware capabilities


As reported by The Cyber Express, researchers have identified a new and evolving Android banking malware dubbed deVixor. This sophisticated remote access trojan (RAT) is capable of typical malicious activities such as credential theft and user surveillance, and it has now incorporated ransomware functionality, posing a significant threat to users.

The deVixor campaign, active since October, initially targeted Iranian banking users through phishing websites disguised as automotive businesses. Researchers have analyzed over 700 samples, indicating a mass infection campaign leveraging Telegram for command and control, enabling rapid updates and sustained evolution. DeVixor has progressed from basic SMS harvesting to a full-featured RAT, employing Firebase for command delivery and a Telegram bot infrastructure for administration.

Its capabilities include bank fraud, credential theft via JavaScript injection on legitimate banking pages, keylogging, ransomware attacks, and exploitation of Android's Accessibility Service. The malware can harvest OTPs, account balances, card numbers, and device notifications, while also preventing uninstallation and hiding its presence. The ransomware module can lock devices and demand cryptocurrency payments, storing infection details locally to persist across reboots.

Source: The Cyber Express
