Rotexy

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.[1]

ID: S0411
Type: MALWARE
Platforms: Android
Version: 1.0

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Rotexy can access and upload the contacts list to the command and control server.[1]

Mobile T1438 Alternate Network Mediums

Rotexy can be controlled through SMS messages.[1]

Mobile T1418 Application Discovery

Rotexy retrieves a list of installed applications and sends it to the command and control server.[1]

Mobile T1412 Capture SMS Messages

Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can automatically reply to SMS messages, and optionally delete them. Rotexy can also send a list of all SMS messages on the device to the command and control server.[1]

Mobile T1476 Deliver Malicious App via Other Means

Rotexy is distributed through phishing links sent in SMS messages as AvitoPay.apk.[1]

Mobile T1446 Device Lockout

Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.[1]

Mobile T1520 Domain Generation Algorithms

Rotexy procedurally generates subdomains for command and control communication.[1]

Mobile T1523 Evade Analysis Environment

Rotexy checks if it is running in an analysis environment. [1]

Mobile T1411 Input Prompt

Rotexy can use phishing overlays to capture users' credit card information.[1]

Mobile T1406 Obfuscated Files or Information

Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.[1]

Mobile T1424 Process Discovery

Rotexy collects information about running processes.[1]

Mobile T1437 Standard Application Layer Protocol

Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.[1]

Mobile T1521 Standard Cryptographic Protocol

Rotexy encrypts JSON HTTP payloads with AES. [1]

Mobile T1508 Suppress Application Icon

Rotexy hides its icon after first launch.[1]

Mobile T1426 System Information Discovery

Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.[1]

Mobile T1422 System Network Configuration Discovery

Rotexy collects the device's IMEI and sends it to the command and control server.[1]

References