A new Android banking trojan called deVixor poses a serious risk to mobile users, featuring financial data theft, device surveillance, and ransomware in one malicious tool.
Active since October 2025, the malware uses Telegram for command and control and spreads through fake websites that impersonate legitimate car businesses, luring victims with low-priced vehicle deals.
Cyble Research and Intelligence Lab (CRIL) analyzed over 700 samples and found a widespread infection campaign by threat actors using misleading distribution techniques.
The campaign uses advanced social engineering, with fake domains such as asankhodroo[.]shop, asan-khodro[.]store, and naftyar[.]info distributing the malware.
Evidence shows that the operation targets Iranian users, indicated by language used in Telegram messages, Persian phishing schemes, and a focus on Iranian banks and local cryptocurrency exchanges, highlighting the regional threat.
The malware gathers financial data from SMS by scanning up to 5,000 messages for OTPs, account balances, card numbers, and messages from banks and crypto exchanges.
The trojan specifically targets 26 Iranian banks like Bank Melli Iran, Bank Mellat, Bank Tejarat, and Bank Saderat Iran, as well as 14 cryptocurrency exchanges including Binance, CoinEx, Ramzinex, and Exir.
deVixor uses WebView-based JavaScript injection attacks to steal banking credentials, in addition to SMS harvesting.
deVixor has a troubling feature: it can trigger ransomware remotely. When attackers use the “RANSOMWARE” command, it locks the victim’s device and shows a message demanding cryptocurrency for release.
Based on screenshots shared on the threat actor’s Telegram channel, victims see a message stating “Your device is locked. Deposit to unlock” along with a TRON cryptocurrency wallet address and a demand of 50 TRX tokens.

The latest versions support over 50 commands for total device control, including keystroke capture, screenshot collection, notification access, contact extraction, gallery access, and app disguise.

Version 2 introduced additional commands such as SEARCH_ALL_SMS for keyword-based message searching, NOTIFICATION_READER for collecting device notifications, and GET_ALL_SENT_SMS for exfiltrating sent message history.
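For defenders, the distribution domains named above and the command vocabulary listed for the Telegram-based control channel are the two most directly actionable artefacts in this report. The following is an added example, not code from the report or from Cyble, showing how a SOC might use them: it refangs the published domains and matches them against DNS query logs (flagging subdomains but not look-alike suffixes), and it checks a strings dump from a suspicious APK for the command names the report lists. The log lines, the strings dump, the log format and the client IPs are all constructed for the example; the domains and command names come from the report.

```python
import re

# Distribution domains as published in the report, in defanged form.
DEFANGED_IOCS = ["asankhodroo[.]shop", "asan-khodro[.]store", "naftyar[.]info"]

# Telegram C2 command names mentioned in the report.
C2_COMMANDS = {"RANSOMWARE", "SEARCH_ALL_SMS", "NOTIFICATION_READER", "GET_ALL_SENT_SMS"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http")
                     .lower()
                     .strip("."))


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IoC domain or is a subdomain of it.
    The leading dot in the suffix test prevents 'notnaftyar.info'
    from matching 'naftyar.info'."""
    host = host.lower().strip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed log format (assumption): "<timestamp> client=<ip> query=<qname> type=<rr>"
DNS_LINE = re.compile(r"client=(?P<client>[\d.]+)\s+query=(?P<qname>\S+)")


def find_ioc_hits(log_lines, iocs=DEFANGED_IOCS):
    """Return (client, queried name, matched IoC) for every DNS query that hits an IoC."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        for d in domains:
            if host_matches(m["qname"], d):
                hits.append((m["client"], m["qname"], d))
    return hits


def command_vocabulary_hits(strings_dump, commands=C2_COMMANDS):
    """Return which of the report's C2 command names appear as whole
    upper-case tokens in a strings dump (e.g. from a decompiled APK)."""
    found = set()
    for s in strings_dump:
        for tok in re.findall(r"[A-Z][A-Z0-9_]{3,}", s):
            if tok in commands:
                found.add(tok)
    return sorted(found)


# Constructed sample data for the example (not real telemetry).
SAMPLE_DNS_LOG = [
    "2025-11-03T10:14:02Z client=10.0.0.17 query=www.asankhodroo.shop type=A",
    "2025-11-03T10:14:05Z client=10.0.0.17 query=updates.example.net type=A",
    "2025-11-03T10:15:11Z client=10.0.0.42 query=naftyar.info type=A",
    "2025-11-03T10:16:40Z client=10.0.0.42 query=notnaftyar.info type=A",
]
SAMPLE_STRINGS = ["cmd:RANSOMWARE", "SEARCH_ALL_SMS", "GET_ALL_SENT_SMS", "READ_SMS permission"]

if __name__ == "__main__":
    for client, qname, ioc in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"ALERT {client} queried {qname} (matches {ioc})")
    print("C2 command names present:", command_vocabulary_hits(SAMPLE_STRINGS))
```

Two of the four constructed queries match (the `www.` subdomain and the bare domain); the look-alike `notnaftyar.info` does not, which is the point of suffix-matching on a leading dot rather than on the raw string. The strings check is a triage signal, not proof: the command names are ordinary English tokens, so treat a hit as a reason to pull the sample for analysis rather than as a verdict.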
