New Android Banking Malware ‘DeVixor’ Adds Ransomware Capabilities

13 January 2026 at 13:59

A new Android banking malware can launch ransomware attacks in addition to more typical activities like credential theft and user surveillance. The “deVixor” remote access trojan (RAT) was detailed by Cyble researchers in a new blog post. While focused on Iranian banking users for now, the malware developer’s active Telegram channel suggests that the malware could eventually find wider use.

As Cyble noted, “The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation.” “DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse,” the researchers added.

Android Banking Malware DeVixor’s Many Capabilities

The deVixor campaign has been active since October, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses promising deep discounts to lure users into downloading malicious APK files. Cyble said its analysis of more than 700 samples “indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.”

DeVixor has grown from basic SMS harvesting into a full-featured RAT that offers bank fraud, credential theft, ransomware, and device surveillance from a single platform. The Android banking malware uses Firebase for command delivery and a Telegram-based bot infrastructure for administration, “allowing attackers to manage infections at scale and evade traditional detection mechanisms.” Early versions focused primarily on collecting PII and harvesting banking-related SMS messages; later versions added banking-related overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and exploitation of Android’s Accessibility Service.

The RAT uses a Telegram bot–based admin panel for issuing commands, and each deployed APK is assigned a unique Bot ID stored in a local port.json file, allowing the operator to monitor and control individual devices. Cyble listed nearly 50 commands that the malware can execute. DeVixor can harvest OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges. It captures banking credentials by loading legitimate banking pages inside a WebView and injecting JavaScript into them. The malware can also collect all device notifications, capture keystrokes, prevent uninstallation, hide its presence, harvest contacts, and take screenshots.

“Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations,” the researchers said. “The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service,” Cyble said.

Android Ransomware

The Android banking malware also includes “a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments,” the researchers said. After the RANSOMWARE command is issued, the malware receives the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the ransom demand. These details are stored locally in a file called LockTouch.json, so the lock persists across device reboots. Based on screenshots posted on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays the ransom message “Your device is locked. Deposit to unlock,” along with the attacker’s TRON wallet address. The malware also sends device identifiers and ransom-related details to the command and control (C&C) server to track victim status and compliance with demands.

New Android Malware Locks Device Screens and Demands a Ransom

12 December 2025 at 15:15

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.”

The infection chain starts with a dropper that prompts the user to change settings so that apps from unknown sources can be installed (image below); this leads to the secondary payload, which contains the malware.

Image: The Android malware DroidLock prompts users for installation permissions (Zimperium)

Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:
  • Wiping data from the device, “effectively performing a factory reset.”
  • Locking the device.
  • Changing the PIN, password or biometric information to prevent user access to the device.
Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”
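The permission mix described above (an Accessibility Service plus a Device Admin receiver plus SMS, overlay and sideloading permissions) is also the combination deVixor is described as abusing in the first article, and it is something an app-vetting or MDM pipeline can check statically before a dropper ever runs. The following Python script is an added example for this article, not Zimperium’s or Cyble’s tooling: it parses a decoded AndroidManifest.xml, scores the risky permissions and binder-guarded components it finds, and reports whether the full takeover pattern is present. The sample manifest, the package name and the scoring weights are constructed assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission mix that
DroidLock and deVixor are described as abusing: an Accessibility Service,
a Device Admin receiver, SMS access, overlays and sideloading.

Added example for this article; not Zimperium's or Cyble's tooling.
The scoring weights and the sample manifest are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are assumed; each maps to a capability the write-ups mention
# (OTP interception, overlays, dropper installs, contact/call-log theft, audio).
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALL_LOG": 1,
    "android.permission.RECORD_AUDIO": 1,
}
# A <service> guarded by the first permission is an accessibility service;
# a <receiver> guarded by the second is a device-admin receiver.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample resembling a fake "system update" dropper manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, a risk score, per-finding weights and whether
    the full takeover pattern (accessibility + device admin + SMS) is present."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {p: RISKY_PERMISSIONS[p] for p in sorted(perms & set(RISKY_PERMISSIONS))}
    # Collect the android:permission attribute of every service and receiver.
    binds = {e.get(ANDROID_NS + "permission")
             for tag in ("service", "receiver") for e in root.iter(tag)}
    if ACCESSIBILITY_BIND in binds:
        findings["accessibility_service"] = 3
    if DEVICE_ADMIN_BIND in binds:
        findings["device_admin"] = 3
    sms = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
    takeover = "accessibility_service" in findings and "device_admin" in findings and sms
    return {"package": root.get("package"), "score": sum(findings.values()),
            "findings": findings, "takeover_pattern": takeover}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "score", report["score"], "takeover", report["takeover_pattern"])
    for name, weight in report["findings"].items():
        print(" ", weight, name)
```

The score is only a triage signal: a legitimate accessibility app or an enterprise MDM agent legitimately holds some of these permissions, so the useful output is the takeover_pattern flag, which requires remote UI control, a lock/wipe primitive and an OTP channel together.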

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:
  • A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
  • A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.
The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said.

The malware can also capture all screen activity and transmit it to a remote server: it runs as a persistent foreground service and uses MediaProjection and VirtualDisplay to capture screen images, which are converted to base64-encoded JPEG and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said.

Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).
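Because the screen-capture module ships frames as base64-encoded JPEG to the C2 server, the traffic has a recognisable shape on the network: repeated outbound requests to one host, each carrying a long base64 run that decodes to a JPEG header. The Python below is an added example for this article, not Zimperium’s code: it decodes only the head of each base64 run to check for image magic bytes, then flags any destination that receives a burst of such frames. The request bodies, flow records, addresses (TEST-NET ranges) and thresholds are constructed assumptions.

```python
"""Detect screen-capture exfiltration of the kind the DroidLock write-up
describes: base64-encoded JPEG frames posted repeatedly to a C2 host.

Added example for this article, not Zimperium's code; the request bodies and
flow records below are constructed, and the thresholds are assumptions."""
import base64
import re

# Header bytes of image formats a capture module would emit. JPEG is what the
# write-up names; PNG is included as an assumption.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

# A run of standard-alphabet base64 long enough to hold a real frame
# (512 chars ~ 384 bytes); shorter runs are ignored to limit false positives.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def decode_prefix(run, nbytes=16):
    """Decode only the first few bytes of a base64 run (enough for a header)."""
    head = run[: nbytes * 4 // 3 + 4]
    head = head[: len(head) - len(head) % 4]  # keep a multiple of 4 chars
    try:
        return base64.b64decode(head, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def find_embedded_images(body):
    """Return [(kind, approx_decoded_size)] for every base64 image in body."""
    hits = []
    for m in B64_RUN.finditer(body):
        raw = decode_prefix(m.group(0))
        for magic, kind in IMAGE_MAGIC.items():
            if raw.startswith(magic):
                hits.append((kind, len(m.group(0)) * 3 // 4))
                break
    return hits


def flag_streaming_hosts(flows, min_frames=5, window_s=60):
    """Flag destinations that received >= min_frames image-bearing requests
    within any window_s seconds. flows: iterable of {"ts", "dst", "body"}."""
    stamps_by_dst = {}
    for f in flows:
        if find_embedded_images(f["body"]):
            stamps_by_dst.setdefault(f["dst"], []).append(f["ts"])
    flagged = set()
    for dst, stamps in stamps_by_dst.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window_s)
            if in_window >= min_frames:
                flagged.add(dst)
                break
    return flagged


# Constructed sample traffic: a fake JPEG (SOI + APP0 header, zero-filled
# payload) wrapped in a JSON body like a bot check-in, plus benign traffic.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 600
FRAME_BODY = '{"id":"bot-0001","img":"%s"}' % base64.b64encode(FAKE_JPEG).decode()
BLOB_BODY = '{"backup":"%s"}' % base64.b64encode(b"\x00" * 600).decode()  # non-image blob
SAMPLE_FLOWS = [{"ts": 2 * i, "dst": "203.0.113.10", "body": FRAME_BODY} for i in range(6)]
SAMPLE_FLOWS.append({"ts": 5, "dst": "198.51.100.5", "body": BLOB_BODY})
SAMPLE_FLOWS.append({"ts": 7, "dst": "198.51.100.5", "body": '{"status":"ok"}'})

if __name__ == "__main__":
    print("images in frame body:", find_embedded_images(FRAME_BODY))
    print("streaming hosts:", sorted(flag_streaming_hosts(SAMPLE_FLOWS)))
```

Decoding only the prefix keeps the check cheap enough to run inline on a proxy or EDR network sensor; the per-host burst threshold separates a screen stream from a single legitimate image upload, and the base64 blob in the benign flow shows that a long run alone is not enough to trigger a finding.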