deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran

Cyble’s analysis describes deVixor, an evolving Android banking RAT distributed via fake automotive websites that deploy malicious APKs to Iranian users to harvest SMS-based financial data, capture credentials, perform keylogging, and surveil devices. The malware now includes WebView-based JavaScript injection, a remotely triggered ransomware module, and uses Telegram and Firebase for command-and-control and large-scale administration. #deVixor #IranianBanks

Keypoints

  • deVixor is an actively developed Android RAT that targets Iranian users via phishing sites posing as automotive businesses to distribute malicious APKs.
  • The malware evolved from SMS-harvesting to a full-featured RAT combining SMS and credential theft, keylogging, persistent surveillance, and remote control.
  • deVixor harvests banking and crypto-related SMS (OTPs, balances, card numbers) by scanning thousands of messages and parsing them with regex tied to Iranian banks and exchanges.
  • Credential harvesting uses WebView-based JavaScript injection and fake bank notifications to load legitimate bank pages and capture login data silently.
  • It contains a remotely triggered ransomware module that locks devices, stores ransom metadata in LockTouch.json, and demands payment to a TRON wallet.
  • The operation leverages Firebase for command delivery and a Telegram bot/channel for administration, updates, and large-scale device management.

MITRE Techniques

  • [T1660] Phishing – Used to distribute the malware via fraudulent websites. (‘Malware is distributed via a phishing site’)
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – Registered BOOT_COMPLETED to activate on device startup. (‘deVixor registered the BOOT_COMPLETED broadcast receiver to activate on device startup’)
  • [T1541] Foreground Persistence – Maintains persistence using foreground services and notifications. (‘deVixor uses foreground services by showing a notification’)
  • [T1628.001] Hide Artifacts: Suppress Application Icon – Hides its app icon to avoid detection. (‘deVixor hides icon’)
  • [T1629.001] Impair Defenses: Prevent Application Removal – Implements measures to prevent uninstallation. (‘Prevent uninstallation’)
  • [T1629.003] Impair Defenses: Disable or Modify Tools – Disables Google Play Protect to evade defenses. (‘deVixor can disable Google Play Protect’)
  • [T1655.001] Masquerading: Match Legitimate Name or Location – Disguises itself as legitimate apps (e.g., YouTube) to blend in. (‘Masquerade as a YouTube app’)
  • [T1406] Obfuscated Files or Information – Uses an encrypted C&C server URL to hide infrastructure details. (‘deVixor uses an encrypted C&C server URL’)
  • [T1517] Access Notifications – Collects device notifications for credential and transaction capture. (‘deVixor collects device notifications’)
  • [T1417.001] Input Capture: Keylogging – Captures keystrokes and stores keylogged data. (‘deVixor collects keylogged data’)
  • [T1417.002] Input Capture: GUI Input Capture – Captures GUI-entered banking credentials via injected WebView pages. (‘deVixor collects entered banking credentials’)
  • [T1418] Software Discovery – Gathers a list of installed applications on the device. (‘deVixor collects the installed application list’)
  • [T1426] System Information Discovery – Collects device information for profiling and tracking. (‘deVixor collects the device information’)
  • [T1532] Archive Collected Data – Compresses collected data and saves it to a .zip file before exfiltration. (‘deVixor compressing collected data and saving to a .zip file’)
  • [T1533] Data from Local System – Collects media (gallery photos) from the device. (‘deVixor collects media from the gallery’)
  • [T1636.003] Protected User Data: Contact List – Exfiltrates contact list data from infected devices. (‘Collects contact data’)
  • [T1636.004] Protected User Data: SMS Messages – Harvests SMS messages including OTPs and bank/crypto notifications. (‘Collects SMS data’)
  • [T1636.005] Protected User Data: Accounts – Collects account data present on the device. (‘deVixor collects Accounts data’)
  • [T1513] Screen Capture – Takes screenshots of the device for surveillance and credential capture. (‘deVixor can take Screenshots’)
  • [T1437.001] Application Layer Protocol: Web Protocols – Uses HTTPS for C2 communications. (‘Malware uses HTTPs protocol’)
  • [T1646] Exfiltration Over C2 Channel – Sends harvested data back to the C&C server. (‘deVixor sends collected data to the C&C server’)
  • [T1582] SMS Control – Sends SMS messages from infected devices to facilitate fraud and propagation. (‘deVixor can send SMSs from the infected device’)
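Several of the techniques above leave traces in an APK's AndroidManifest.xml before the app ever runs: the BOOT_COMPLETED receiver (T1624.001), SMS read/receive and send permissions (T1636.004, T1582), the foreground-service permission (T1541), contact access (T1636.003) and a notification-listener service (T1517). The following static triage script is an added example for this digest, not Cyble's tooling and not deVixor's code. The manifest it parses is constructed for illustration: the permission names, actions and binding permissions are standard Android identifiers, while the package name, class names and the YouTube-style label are placeholders. Treating a device-admin receiver (BIND_DEVICE_ADMIN) as the uninstall-prevention vector for T1629.001 is an assumption; the digest does not say how deVixor blocks removal. Runtime-only behaviours such as icon hiding, Play Protect tampering and WebView injection leave no manifest trace and are out of scope here.

```python
"""Static manifest triage for the RAT behaviours listed above.

Added example: not Cyble's analysis tooling and not deVixor's code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions declared at the top level, grouped by the technique they enable.
PERMISSION_RULES = {
    "T1636.004 SMS harvesting": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "T1582 SMS control": {"android.permission.SEND_SMS"},
    "T1541 foreground persistence": {"android.permission.FOREGROUND_SERVICE"},
    "T1636.003 contact collection": {"android.permission.READ_CONTACTS"},
}

# System-level hooks are identified by the permission a component binds with.
# The device-admin mapping for T1629.001 is an assumption, not stated in the digest.
COMPONENT_RULES = {
    "T1517 notification access": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "T1629.001 removal prevention (device admin, assumed)": "android.permission.BIND_DEVICE_ADMIN",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest; package and class names are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="YouTube">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifListener"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return {technique label: [matching permissions or component names]}."""
    root = ET.fromstring(xml_text)
    findings: dict = {}

    declared = {el.get(ATTR_NAME) for el in root.findall("uses-permission")}
    for label, needed in PERMISSION_RULES.items():
        hit = sorted(declared & needed)
        if hit:
            findings[label] = hit

    app = root.find("application")
    if app is None:
        return findings
    for comp in app:  # receivers, services, activities, ...
        name = comp.get(ATTR_NAME)
        bound_perm = comp.get(ATTR_PERMISSION)
        for label, wanted in COMPONENT_RULES.items():
            if bound_perm == wanted:
                findings.setdefault(label, []).append(name)
        # Any component whose intent filter listens for boot completion.
        for action in comp.iter("action"):
            if action.get(ATTR_NAME) == BOOT_ACTION:
                findings.setdefault("T1624.001 boot receiver", []).append(name)
    return findings


def risk_score(findings: dict) -> int:
    """Number of distinct technique markers present; a high count warrants manual review."""
    return len(findings)


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for label, evidence in sorted(result.items()):
        print(f"{label}: {', '.join(evidence)}")
    print("markers:", risk_score(result))
```

The score is a coarse prioritisation aid for a pile of APKs, not a verdict: a legitimate SMS or launcher app will trip one or two rules, whereas the combination of SMS harvesting, boot persistence and a notification listener under a masquerading label is what merits pulling the sample for dynamic analysis.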

Indicators of Compromise

  • [Domain/URL] Distribution and payload hosting – hxxp://asankhodroo[.]shop, hxxp://www[.]naftyar.info/naftman.apk, hxxps://blupod[.]site/blupod.apk, and 5 more URLs used to host malicious APKs.
  • [File name] Malicious APKs and local ransomware/config files – naftman.apk, LockTouch.json (ransomware config/metadata), and 5 more filenames (e.g., abfa.apk, blupod.apk, V6.apk).
  • [Infrastructure/Service] Command-and-control and administration – Telegram channel and bot used for administration and updates; Firebase server used to deliver commands to infected devices.
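The URL indicators above are defanged (hxxp, [.]), so they cannot be matched against proxy or DNS logs as written. The script below is an added example, not part of the Cyble report: it refangs the three URLs that this digest actually reproduces (the "5 more URLs" are not listed here and so are not included), reduces them to registrable hostnames with a leading "www." stripped, and sweeps a handful of constructed proxy log lines for exact or subdomain matches while rejecting look-alike hosts that merely end in the same string. The log lines are invented for illustration and the client addresses are placeholders.

```python
"""Refang the digest's URL IoCs and sweep proxy logs for them.

Added example: not Cyble's tooling. Log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Defanged indicators copied from the IoC list above.
DEFANGED_IOCS = [
    "hxxp://asankhodroo[.]shop",
    "hxxp://www[.]naftyar.info/naftman.apk",
    "hxxps://blupod[.]site/blupod.apk",
]

# Constructed proxy log lines (not real traffic): client "METHOD URL PROTO" status
SAMPLE_LOG = "\n".join([
    '10.0.0.5 "GET http://asankhodroo.shop/ HTTP/1.1" 200',
    '10.0.0.6 "GET https://cdn.blupod.site/blupod.apk HTTP/1.1" 200',
    '10.0.0.7 "GET https://notblupod.site/ HTTP/1.1" 200',
    '10.0.0.8 "GET https://naftyar.info/naftman.apk HTTP/1.1" 200',
    '10.0.0.9 "GET https://example.com/ HTTP/1.1" 200',
])

URL_HOST = re.compile(r'https?://([^/\s:"]+)', re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the common hxxp / [.] defanging so the URL parses normally."""
    return (
        ioc.replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .replace("[.]", ".")
    )


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def ioc_domains(iocs) -> set:
    """Set of normalised hostnames extracted from defanged URL IoCs."""
    domains = set()
    for ioc in iocs:
        host = urlparse(refang(ioc)).hostname
        if host:
            domains.add(normalize_host(host))
    return domains


def matches_domain(host: str, domains: set):
    """Return the IoC domain that `host` equals or is a subdomain of, else None."""
    host = normalize_host(host)
    for domain in domains:
        # Label-boundary check: 'cdn.blupod.site' matches, 'notblupod.site' does not.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(log_text: str, domains: set) -> list:
    """Yield (line number, observed host, matched IoC domain) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for host in URL_HOST.findall(line):
            matched = matches_domain(host, domains)
            if matched:
                hits.append((lineno, host, matched))
    return hits


if __name__ == "__main__":
    watch = ioc_domains(DEFANGED_IOCS)
    for lineno, host, domain in scan_log(SAMPLE_LOG, watch):
        print(f"line {lineno}: {host} matched IoC {domain}")
```

Matching on the registrable domain rather than the full URL is deliberate: payload paths such as naftman.apk change between campaigns, whereas the hosting domain is the part that a proxy or DNS log reliably records.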


Read more: https://cyble.com/blog/devixor-an-evolving-android-banking-rat-with-ransomware-capabilities-targeting-iran/