Tuesday , July 14 2026
deVixor

Android Banking Malware “deVixor” Targets Users with Ransomware capabilities

A new Android banking trojan called deVixor poses a serious risk to mobile users, featuring financial data theft, device surveillance, and ransomware in one malicious tool.

The malware, active since October 2025, is a significant threat to Android users, luring victims with fake car websites and using Telegram for control.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

The malware spreads through fake websites pretending to be real car businesses, attracting victims with low-priced vehicle deals.

Cyble Research and Intelligence Lab (CRIL) analyzed over 700 samples and found a widespread infection campaign by threat actors using misleading distribution techniques.

The campaign uses advanced social engineering, with fake domains like asankhodroo[.]shop, asan-khodro.store, and naftyar.info spreading malware.

Evidence shows that the operation targets Iranian users, indicated by language used in Telegram messages, Persian phishing schemes, and a focus on Iranian banks and local cryptocurrency exchanges, highlighting the regional threat.

The malware gathers financial data from SMS by scanning up to 5,000 messages for OTPs, account balances, card numbers, and messages from banks and crypto exchanges.

The trojan specifically targets 26 Iranian banks like Bank Melli Iran, Bank Mellat, Bank Tejarat, and Bank Saderat Iran, as well as 14 cryptocurrency exchanges including Binance, CoinEx, Ramzinex, and Exir.

deVixor uses WebView-based JavaScript injection attacks to steal banking credentials, in addition to SMS harvesting.

deVixor has a troubling feature: it can trigger ransomware remotely. When attackers use the “RANSOMWARE” command, it locks the victim’s device and shows a message demanding cryptocurrency for release.

Based on screenshots shared on the threat actor’s Telegram channel, victims see a message stating “Your device is locked. Deposit to unlock” along with a TRON cryptocurrency wallet address and a demand of 50 TRX tokens.

The latest versions support over 50 commands for total device control, including keystroke capture, screenshot collection, notification access, contact extraction, gallery access, and app disguise.

Figure 6 – Firebase command execution (left) and decryption of C&C server URL (Right)

Version 2 introduced additional commands such as SEARCH_ALL_SMS for keyword-based message searching, NOTIFICATION_READER for collecting device notifications, and GET_ALL_SENT_SMS for exfiltrating sent message history.

Check Also

Tenda

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to …