deVixor Android banking trojan steals funds and locks phones

Cybersecurity researchers have flagged a new and dangerous threat to Android owners: a banking trojan dubbed deVixor that not only siphons money from victims’ accounts but also resorts to ransomware tactics.

Specialists have identified more than 700 samples of the malware, with attacks continuing since October 2025. deVixor spreads through spoofed websites dressed up as pages of well-known automotive brands touting “bargain” offers. Visitors are prompted to download an APK, presented as an app for placing an order or getting more details—a lure designed to feel practical and harmless.

Once installed, the trojan quietly embeds itself and gets to work, relying on a Telegram-based command-and-control setup. It also communicates with Firebase servers to receive instructions and transmit stolen data, a combination that makes detection and disruption noticeably harder by piggybacking on familiar platforms.

The trojan’s main objective is financial theft. It scans SMS messages on the compromised device for banking notifications and one-time codes, and it harvests card numbers and account balances. Attackers also weaponize WebView and JavaScript injections to display convincing counterfeit banking pages where victims unwittingly enter their credentials.
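The traits described above (SMS harvesting combined with Telegram and Firebase channels) can be turned into a static triage check for an APK under review. This is an added example, not code from the researchers: the permission set, hostname patterns, review rule and sample inputs are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML (for example by apktool).

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: SMS permissions an app would need to read bank notifications and OTPs.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Public service hostnames only; the article lists no deVixor-specific endpoints.
CHANNELS = {
    "telegram": re.compile(r"api\.telegram\.org", re.I),
    "firebase": re.compile(r"firebaseio\.com|firebasedatabase\.app", re.I),
}

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def triage(manifest_xml, strings):
    """Flag apps that pair SMS access with a Telegram Bot API endpoint.

    Firebase alone is common in legitimate apps, so it is reported
    as context but does not trigger a review by itself.
    """
    perms = declared_permissions(manifest_xml)
    channels = sorted(n for n, rx in CHANNELS.items()
                      if any(rx.search(s) for s in strings))
    sms = sorted(perms & SMS_PERMS)
    return {"sms_access": sms, "channels": channels,
            "review": bool(sms) and "telegram" in channels}

# Constructed sample inputs (not taken from any real sample).
SUSPECT_MANIFEST = """<manifest
  xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cardeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
SUSPECT_STRINGS = ["https://api.telegram.org/botPLACEHOLDER/sendMessage",
                   "https://example-project.firebaseio.com/"]
BENIGN_MANIFEST = """<manifest
  xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_STRINGS = ["https://example-notes.firebaseio.com/"]

if __name__ == "__main__":
    print(triage(SUSPECT_MANIFEST, SUSPECT_STRINGS))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS))
```

A positive result is a prompt for manual analysis, not a verdict: the rule matches a combination of traits, not deVixor itself.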

The most unsettling capability is its built-in extortion module. On command, the operators can lock the device’s screen and display a demand for a cryptocurrency payment in TRON—50 TRX—to a specified address. The phone remains inaccessible until those demands are met, turning a data theft into a full-blown shakedown.

The emergence of deVixor underscores how cybercriminals continue to refine their toolkits, making attack platforms more flexible and more dangerous. Experts advise Android users to scrutinize where apps come from and avoid installing APK files from unverified sites, especially when an offer looks a little too good to be true.