Indicators of Compromise (IOCs) - Defanged
hxxp://asankhodroo[.]shop
hxxp://www[.]asan-khodro[.]store
hxxp://www[.]naftyar[.]info/naftman.apk
hxxps://naftman[.]oghabvip[.]ir/naftman.apk
Recommendations & Remediation (NIST SP 800-124 Focus)
Based on NIST Special Publication 800-124 Rev. 2 (Guidelines for Managing the Security of Mobile Devices), the following defenses are prioritized.
Restrict Application Sources (NIST PR.AC-3)
Disable "Install from Unknown Sources" on all Android devices. deVixor relies entirely on side-loading from third-party websites, which bypasses the Google Play Store vetting process.
User Awareness & Phishing Resistance (NIST PR.AT-1)
Users must be trained to verify URL authenticity. The typosquatting in this campaign (e.g., asan-khodro.store vs legitimate vendor domains) is a primary vector.
Permission Management (Least Privilege)
Critical Red Flag
Never grant Accessibility Services to an app unless it is a known utility for a disability. If a "vehicle" or "banking" app requests this permission, it is almost certainly malware attempting to seize control of the UI.
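A triage helper for the red flag above, added here as an example and not taken from the report or from Cyble: it parses the output of two real Android shell commands (settings get secure enabled_accessibility_services and pm list packages -3 -i) to list every third-party app that currently holds an Accessibility Service grant and whether it was side-loaded. The sample outputs and the com.example.* package names are constructed placeholders.

```python
"""Triage of a suspect Android device: list third-party apps that currently hold an
Accessibility Service grant and where each was installed from. Added example, not
from the report. The two adb commands are real Android shell commands; the sample
outputs below are constructed and the package names are placeholders."""
import re
import subprocess

PLAY_STORE_INSTALLER = "com.android.vending"

# 'pm list packages -3 -i' prints one line per third-party package, e.g.
#   package:com.example.app  installer=com.android.vending
#   package:com.example.app  installer=null        (side-loaded / unknown)
PKG_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)")


def parse_enabled_services(raw: str) -> dict:
    """'settings get secure enabled_accessibility_services' returns entries of the
    form pkg/ServiceClass separated by ':' (or 'null' when nothing is enabled)."""
    raw = raw.strip()
    services: dict = {}
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(raw: str) -> dict:
    """Map third-party package -> installer package (None when side-loaded/unknown)."""
    installers = {}
    for line in raw.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def triage(services_raw: str, packages_raw: str, trusted=frozenset()) -> list:
    """Findings for every third-party app with accessibility enabled that is not on
    the trusted list. Packages absent from the -3 listing are system apps (e.g. a
    built-in screen reader) and are left alone."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svcs in parse_enabled_services(services_raw).items():
        if pkg in trusted or pkg not in installers:
            continue
        inst = installers[pkg]
        findings.append({
            "package": pkg,
            "services": svcs,
            "installer": inst,
            "sideloaded": inst != PLAY_STORE_INSTALLER,
        })
    return findings


def collect_via_adb() -> list:
    """Run the two commands against a USB-connected device (requires adb on PATH)."""
    svc = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout
    pkgs = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True).stdout
    return triage(svc, pkgs)


# Constructed sample output, not captured from a real device.
SAMPLE_SERVICES = (
    "com.example.vehicleapp/com.example.vehicleapp.OverlayService:"
    "com.example.screenreader/com.example.screenreader.ReaderService"
)
SAMPLE_PACKAGES = """\
package:com.example.vehicleapp  installer=null
package:com.example.screenreader  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    trusted = frozenset({"com.example.screenreader"})
    for f in triage(SAMPLE_SERVICES, SAMPLE_PACKAGES, trusted=trusted):
        print(f"{f['package']}: services={f['services']} "
              f"installer={f['installer']} sideloaded={f['sideloaded']}")
```

On a real device, collect_via_adb() does the same against a USB-attached handset. A side-loaded "vehicle" or "banking" app appearing in the findings with installer=None is exactly the case the paragraph describes, and it identifies the package to target in the Revoke Admin and Uninstall steps later in this section.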
Behavioral Monitoring
Monitor network traffic for connections to Telegram APIs (api.telegram.org) originating from unauthorized mobile applications, as this is the primary C2 channel for deVixor.
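A worked version of that monitoring rule, added as an example (not code from the report or from Cyble): it runs over per-app egress log lines, alerts on api.telegram.org traffic from any app other than a sanctioned Telegram client, and also alerts on the distribution domains from the IOC list above. The log line format, the assumption that a flow can be attributed to an app package (as a per-app proxy or MDM export would allow), and the allowlist containing only the official Telegram client package are assumptions; the sample lines are constructed.

```python
"""Detection over per-app mobile egress logs: flag api.telegram.org traffic from apps
that are not sanctioned Telegram clients, and any hit on the report's distribution
domains. Added example, not code from the report or from Cyble. The log line format
and the ability to attribute a flow to an app package are assumptions (a per-app
proxy or MDM export would provide them); the sample lines are constructed."""
import re
from dataclasses import dataclass

TELEGRAM_API_HOST = "api.telegram.org"

# Assumption: only the official Telegram client is expected to reach the API.
ALLOWED_TELEGRAM_APPS = frozenset({"org.telegram.messenger"})

# Domains from the report's IOC list, kept defanged in source.
DEFANGED_IOC_HOSTS = (
    "asankhodroo[.]shop",
    "asan-khodro[.]store",
    "naftyar[.]info",
    "naftman[.]oghabvip[.]ir",
)


def refang(indicator: str) -> str:
    """Convert '[.]' notation back into a hostname usable for matching."""
    return indicator.replace("[.]", ".").lower()


IOC_HOSTS = frozenset(refang(h) for h in DEFANGED_IOC_HOSTS)

# Constructed line format: <timestamp> <device-id> <app-package> <dst-host> <dst-port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<app>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    device: str
    app: str
    host: str
    reason: str


def host_matches(host: str, hosts: frozenset) -> bool:
    """Exact or subdomain match, so www.naftyar.info hits naftyar.info."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def analyse(lines):
    """Return alerts for the given log lines; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, device, app, host = m.group("ts", "device", "app", "host")
        if host.lower() == TELEGRAM_API_HOST and app not in ALLOWED_TELEGRAM_APPS:
            alerts.append(Alert(ts, device, app, host, "telegram-api-from-unsanctioned-app"))
        if host_matches(host, IOC_HOSTS):
            alerts.append(Alert(ts, device, app, host, "known-devixor-distribution-domain"))
    return alerts


# Constructed sample log (not real telemetry); package names other than the
# Telegram client are placeholders.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z dev-01 org.telegram.messenger api.telegram.org 443",
    "2024-01-01T10:00:05Z dev-02 com.example.sideloaded api.telegram.org 443",
    "2024-01-01T10:00:09Z dev-02 com.android.chrome www.naftyar.info 80",
    "2024-01-01T10:01:00Z dev-03 com.android.chrome example.com 443",
    "garbage line",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts} {a.device} {a.app} -> {a.host}: {a.reason}")
```

The allowlist is the tuning point: the Telegram client itself will hit api.telegram.org constantly, so without per-app attribution the rule degrades to "any device talking to Telegram", which is too noisy on a fleet where the messenger is permitted. The IOC match is kept as a subdomain match because the report lists both bare domains and www hosts.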
Remediation for Infected Devices
If a device is suspected of infection by deVixor:
Disconnect
Immediately place the device in Airplane Mode to sever the Telegram C2 link.
Safe Mode Boot
Boot Android into Safe Mode to disable third-party apps.
Revoke Admin
Navigate to Settings > Security > Device Admin Apps and revoke permissions for the malicious app.
Uninstall
Remove the application.
Credential Reset
Change all banking and social media passwords used on the device from a different, clean computer.
References
MITRE ATT&CK for Mobile
Accessibility Features (T1626)
NIST SP 800-124 Rev. 2
Managing the Security of Mobile Devices
Source
Cyble Blog - DeVixor: An Evolving Android Banking RAT