DeVixor¶
DeVixor is an Iranian Android banking RAT with ransomware capability, documented by Cyble in late 2025. With over 700 samples identified, DeVixor has evolved from a simple SMS harvester into a full-featured remote access trojan capable of banking fraud, credential theft, and file encryption with ransom demands payable to TRON cryptocurrency wallet addresses. The malware uses Firebase for command-and-control communication and Telegram bots for administrative functions, allowing the developer to manage infections and receive alerts through Telegram channels. Distribution relies on phishing sites that impersonate Iranian automotive businesses. The developer openly operates a Telegram channel where version updates are published, reflecting the lax operational security common among Iranian cybercriminals, who face minimal domestic law enforcement risk when targeting local victims.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | Pre-2025 (evolved from earlier SMS harvester) |
| Status | Active, under continued development |
| Type | Banking RAT, ransomware, credential stealer |
| Aliases | None known |
| Attribution | Iranian developer (individual) |
| Distribution | Phishing sites impersonating Iranian automotive businesses |
Origin and Lineage¶
Cyble's analysis documented DeVixor's evolution from a basic SMS harvesting tool into a comprehensive banking RAT. The earliest versions focused solely on intercepting SMS messages, a capability commonly used to capture one-time passwords for Iranian banking services. Over successive versions, the developer added banking overlay attacks, credential theft, remote access functionality, and ultimately a ransomware module.
The developer maintains a public Telegram channel where new versions are announced and feature updates are published. This open development model is characteristic of Iranian Android malware authors who operate with relative impunity within Iran's cybercrime ecosystem, particularly when their tools target domestic victims. The Telegram channel serves as both a marketing platform for potential buyers and a distribution point for updates.
The identification of over 700 samples indicates prolific distribution or adoption by multiple operators. This volume is far higher than targeted surveillance tools typically produce and is consistent with financially motivated campaigns that prioritize scale over stealth.
Distribution¶
| Vector | Details |
|---|---|
| Automotive phishing sites | Fake websites impersonating Iranian car manufacturers and dealerships |
| Social engineering | Victims directed to download apps from phishing sites via messaging platforms |
The automotive industry lure is specifically tailored to the Iranian market. Car purchases in Iran frequently involve complex installment plans, registration processes, and government subsidy applications, all of which can be plausibly digitized into a mobile app. Victims downloading what they believe is an automotive services app are unlikely to question permission requests for SMS access, storage, and accessibility services, as these could be reasonably expected for a transaction management application.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Banking overlay attacks | Displays fake login screens over Iranian banking applications |
| Credential theft | Captures banking credentials, passwords, and authentication tokens |
| SMS interception | Reads and exfiltrates SMS messages, capturing OTPs and 2FA codes |
| Remote access | Full device control via RAT functionality |
| Ransomware | Encrypts device files and demands ransom via TRON cryptocurrency wallet |
| Contact exfiltration | Harvests the victim's contact list |
| Call log harvesting | Extracts call history |
| Screen capture | Takes screenshots of the device display |
Banking Fraud¶
DeVixor targets Iranian banking applications with overlay attacks that display fake login screens when the victim opens a banking app. The overlays capture credentials, which are then used for unauthorized account access. Combined with SMS interception for OTP capture, the malware provides operators with everything needed to perform fraudulent transactions on the victim's banking accounts.
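The overlay-plus-OTP pattern described above, and the permission requests a victim is lured into accepting (SMS, storage, accessibility), leave a recognizable footprint in the app's manifest. The following static triage helper is an added example, not code from DeVixor or from Cyble's analysis: it parses an AndroidManifest.xml as decoded by apktool and scores the combination of SMS permissions, the SYSTEM_ALERT_WINDOW overlay permission, a declared accessibility service and a high-priority SMS_RECEIVED receiver. The two manifests embedded below are constructed for illustration, and the weights and verdict thresholds are the editor's own choices, not anything from the report.

```python
"""Static triage of an AndroidManifest.xml for the banking-RAT permission pattern:
SMS interception (OTP theft), overlay drawing (fake bank login screens), an
accessibility service (screen reading / foreground-app detection), plus
contact, call-log and persistence plumbing.

Added example; the manifests and weights below are constructed, not DeVixor's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# permission -> (tactic it enables, weight); weights are illustrative
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": ("SMS interception / OTP theft", 3),
    "android.permission.READ_SMS": ("SMS interception / OTP theft", 3),
    "android.permission.SEND_SMS": ("SMS-based spreading or premium fraud", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay (fake login screen)", 3),
    "android.permission.QUERY_ALL_PACKAGES": ("bank app enumeration for overlays", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper / self-update", 2),
    "android.permission.READ_CONTACTS": ("contact exfiltration", 1),
    "android.permission.READ_CALL_LOG": ("call log harvesting", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence", 1),
}


def assess_manifest(xml_text: str) -> dict:
    """Return {'score', 'findings', 'verdict'} for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm, (tactic, weight) in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"{perm}: {tactic}")
            score += weight

    # An accessibility service is a <service> gated on BIND_ACCESSIBILITY_SERVICE.
    # Banking RATs use it to read screens, click through prompts and learn which
    # app is in the foreground so the overlay can be timed to the bank app.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(f"accessibility service: {svc.get(ANDROID_NS + 'name')}")
            score += 3

    # A high-priority SMS_RECEIVED receiver is the classic OTP-grabbing hook.
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = flt.get(ANDROID_NS + "priority", "0")
                findings.append(f"SMS_RECEIVED receiver {rcv.get(ANDROID_NS + 'name')} (priority {prio})")
                score += 2

    sms = any("SMS" in f for f in findings)
    overlay = any("overlay" in f for f in findings)
    a11y = any("accessibility" in f for f in findings)
    if sms and (overlay or a11y):
        verdict = "banking-RAT pattern"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed manifest resembling an "automotive services" lure app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ir.example.carservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Car Services">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService" android:exported="true"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, text in (("lure", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess_manifest(text)
        print(name, result["verdict"], result["score"])
        for f in result["findings"]:
            print("  ", f)
```

The verdict keys on the combination rather than on any single permission: a legitimate SMS app or a screen-reader legitimately holds one of these, but SMS interception together with an overlay permission or an accessibility service in an app that claims to be a car-dealership portal is the pattern worth escalating.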
Ransomware Module¶
The ransomware capability encrypts files on the device and presents a ransom demand payable to a TRON blockchain wallet address. TRON is a popular cryptocurrency choice for Iranian threat actors because it offers low transaction fees and is accessible through exchanges that do not enforce strict KYC (Know Your Customer) requirements. The combination of banking fraud and ransomware in a single tool allows operators to monetize infections through multiple channels: stealing funds directly from bank accounts and extorting the victim for file recovery.
Technical Details¶
Firebase C2¶
DeVixor uses Google Firebase for command-and-control communication. Firebase provides reliable, high-availability infrastructure that blends with legitimate Android app traffic. Commands are delivered to infected devices through Firebase messaging, and configuration updates can be pushed in real time without requiring the malware to poll a traditional C2 server. Because this traffic terminates at Google-operated endpoints over TLS, it cannot be blocked by domain alone; defenders have to key on the specific Firebase project identifiers recovered from samples.
Telegram Bot Administration¶
Operators manage DeVixor infections through Telegram bots. The bots provide real-time notifications when new devices are infected, allow operators to issue commands to specific devices, and relay exfiltrated data. This architecture eliminates the need for a dedicated C2 panel, leveraging Telegram's existing infrastructure for operational management. The bot token embedded in a sample is itself a high-value indicator: it identifies the operator's bot to the Telegram Bot API and can be reported to Telegram for takedown.
| Infrastructure | Purpose |
|---|---|
| Firebase | C2 communication, command delivery, configuration updates |
| Telegram bots | Administrative interface, infection notifications, data relay |
| TRON wallet | Ransomware payment collection |
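The three infrastructure pieces in the table above (Firebase project hosts, Telegram bot tokens, TRON ransom wallets) are all literal strings that survive in an unpacked sample. The following triage helper is an added example, not code from DeVixor or from Cyble's report: it pulls those indicators out of a strings dump and validates TRON address candidates with the Base58Check checksum (version byte 0x41, 20-byte key hash, 4-byte SHA256d checksum) so that typos and doctored look-alikes are not promoted to IOCs. The sample strings, the bot token and the wallet are all constructed for illustration.

```python
"""Pull C2 and ransom-payment indicators out of strings dumped from an APK
(e.g. `strings classes.dex` or decoded resources).

Added example, not DeVixor's code. Sample strings are constructed; the
regexes and the TRON Base58Check logic follow the public formats.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_VERSION_BYTE = 0x41  # mainnet prefix; makes every address start with 'T'

# Telegram bot tokens are "<numeric bot id>:<35 url-safe chars>", typically
# embedded in https://api.telegram.org/bot<token>/sendMessage
TELEGRAM_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Firebase Realtime Database and Cloud Messaging hosts a Firebase-backed C2 talks to
FIREBASE_HOST_RE = re.compile(
    r"\b([a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)|fcm\.googleapis\.com)\b"
)
# Base58 alphabet excludes 0, O, I and l; a TRON address is 34 chars starting with T
TRON_CANDIDATE_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])(T[1-9A-HJ-NP-Za-km-z]{33})(?![1-9A-HJ-NP-Za-km-z])"
)


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def tron_address_from_hash160(hash160: bytes) -> str:
    """Base58Check: version byte || 20-byte key hash || first 4 bytes of SHA256d."""
    payload = bytes([TRON_VERSION_BYTE]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_tron_address(text: str) -> bool:
    """Reject truncated, mistyped or doctored addresses via the checksum."""
    if len(text) != 34 or text[0] != "T":
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != TRON_VERSION_BYTE:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == expected


def extract_indicators(lines):
    """Return sorted telegram_tokens, firebase_hosts and checksum-valid tron_wallets."""
    tokens, hosts, wallets = set(), set(), set()
    for line in lines:
        tokens.update(TELEGRAM_TOKEN_RE.findall(line))
        hosts.update(FIREBASE_HOST_RE.findall(line))
        wallets.update(c for c in TRON_CANDIDATE_RE.findall(line) if is_valid_tron_address(c))
    return {
        "telegram_tokens": sorted(tokens),
        "firebase_hosts": sorted(hosts),
        "tron_wallets": sorted(wallets),
    }


# --- constructed sample: what a strings dump of such an APK might contain ---
SAMPLE_WALLET = tron_address_from_hash160(bytes(range(20)))  # valid, constructed
BROKEN_WALLET = SAMPLE_WALLET[:-1] + ("1" if SAMPLE_WALLET[-1] != "1" else "2")  # bad checksum
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:AAHqq2S8U7fVx4Zt0q-bL9nQmXy3JcKp2Wz/sendMessage",
    "https://example-devixor-default-rtdb.firebaseio.com/devices/",
    "fcm.googleapis.com",
    "Your files are encrypted. Send 50 USDT (TRC20) to " + SAMPLE_WALLET,
    "decoy " + BROKEN_WALLET,
    "android.permission.RECEIVE_SMS",
]

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_STRINGS).items():
        print(kind, values)
```

The checksum step matters in practice: ransom notes and decompiled string tables are frequently copied by hand into reports, and a single mistyped character yields an address that looks right but pays nobody, so only candidates that verify should be promoted to blocklists or exchange takedown requests.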
Evolution Timeline¶
| Phase | Capabilities |
|---|---|
| Early versions | SMS harvesting only |
| Mid-development | Added banking overlays and credential theft |
| Current version | Full RAT with banking fraud, credential theft, remote access, and ransomware |
Target Regions¶
| Region | Details |
|---|---|
| Iran | Exclusive target: Iranian banking users and device owners |
DeVixor targets Iranian users exclusively. The phishing sites impersonating Iranian automotive businesses, the banking overlays aimed at Iranian financial institutions, and the developer's public Telegram channel all point to a purely domestic targeting scope. This is consistent with the broader ecosystem of Iranian Android malware, where developers operate openly within Iran while targeting local users for financial gain.
Notable Campaigns¶
Pre-2025 (evolution period): DeVixor evolves from a basic SMS harvester through successive development iterations, adding banking overlays, credential theft, and remote access capabilities. The developer publishes updates through a Telegram channel, building out the tool's feature set incrementally.
Late 2025: Cyble publishes its analysis documenting DeVixor as a fully evolved banking RAT with ransomware capability. The research identifies over 700 samples, Firebase-based C2 infrastructure, Telegram bot administration, and distribution through automotive phishing sites. The ransomware module demanding TRON cryptocurrency payments is highlighted as a notable feature combining banking fraud and extortion in a single tool.
Related Families¶
| Family | Relationship |
|---|---|
| Rafel RAT | Both combine RAT functionality with ransomware capability on Android, a relatively uncommon pairing. Rafel RAT is open-source with global targeting across 120+ campaigns, while DeVixor is a closed-source tool targeting Iranian users exclusively. Both use cryptocurrency for ransom payments. |
| Fakecalls | Both are regional banking trojans focused on a single domestic market. Fakecalls targets South Korean banking users with voice call interception, while DeVixor targets Iranian banking users with overlay attacks and ransomware. Both demonstrate how banking trojans are adapted to specific national financial ecosystems. |