Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.
|Mobile||T1432||Access Contact List|
|Mobile||T1438||Alternate Network Mediums|
|Mobile||T1412||Capture SMS Messages||
Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can automatically reply to SMS messages, and optionally delete them. Rotexy can also send a list of all SMS messages on the device to the command and control server.
|Mobile||T1476||Deliver Malicious App via Other Means|
Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.
|Mobile||T1520||Domain Generation Algorithms|
|Mobile||T1523||Evade Analysis Environment|
|Mobile||T1406||Obfuscated Files or Information|
|Mobile||T1437||Standard Application Layer Protocol|
|Mobile||T1521||Standard Cryptographic Protocol|
|Mobile||T1508||Suppress Application Icon|
|Mobile||T1426||System Information Discovery|
|Mobile||T1422||System Network Configuration Discovery|