The Rotexy Trojan: banker and blocker

Tom Grant
Last updated: 13 October 2022

Recently the mobile malware Rotexy, a cross between a banking Trojan and a ransomware blocker, has been spreading its tentacles. Throughout August and September, our experts registered more than 40,000 attempts to implant this malicious app on Android smartphones. Having already published the technical details and biography of this beast on Securelist, here we will explore the sources of infection and how to remove it for free, using just a couple of simple SMS messages.

Contents
  • How the Rotexy banking Trojan works
  • Rotexy the SMS thief
  • Rotexy the banking Trojan
  • Rotexy the ransomware
  • How to unblock a smartphone infected with the Rotexy Trojan
  • How to protect against Rotexy and other mobile Trojans

How the Rotexy banking Trojan works

Rotexy spreads through SMS messages containing a link to download the app, wrapped in some catchy text that prompts people to click the link and install it. In some cases these messages arrive from a friend's phone number, which is what makes people actually click the links.

After infecting a device, the Trojan gets very busy preparing the workplace for further action. First, Rotexy checks to see what device it has landed on. It does this to hamper the work of antivirus researchers: if the malware detects that it is running in an emulator, and not on a real smartphone, all it does is cycle endlessly through the app initialization process. In the current version of Rotexy the same happens if the device seems to be outside of Russia.

Only after making sure that the device meets these basic requirements does the Trojan begin to act, first by requesting device administrator rights. Theoretically, the user can refuse to grant them, but the request will keep popping up, making it difficult to use the smartphone. Having got its wicked way, Rotexy reports that the app failed to load and hides its icon.

After this, the malware makes contact with its owners, giving them information about the device. In response, it receives instructions and a set of templates and texts. By default, Rotexy communicates directly with the C&C server, but its creators implemented other ways to send orders via Google Cloud Messaging and SMS.

Rotexy the SMS thief

On the topic of SMS, Rotexy can’t get enough of them. When a message arrives on an infected phone, the malware switches the gadget into silent mode so that the victim does not notice new incoming SMS. The Trojan then intercepts the message, checks it against the templates received from the C&C server, and if it contains anything juicy (for example, the last digits of a card number in a mobile banking SMS notification), stores and forwards it to the server. Moreover, the malware can respond to such messages on behalf of the smartphone owner: response texts are also contained in the templates for when they are required.

If for some reason no templates or special instructions were received from the C&C server, Rotexy simply saves all correspondence on the infected smartphone, and then forwards it to its masters.

On top of that, on the cybercriminals' command, the malware can send a link to download itself to every contact in the phone book, which is one of the main propagation vectors for the Rotexy Trojan.

Rotexy the banking Trojan

SMS manipulation is not the only trick up the malware's sleeve, and not even its main one. That would be making money for its creators, primarily by stealing bank card data. To do so, it overlays a phishing page on the screen with text received along with the SMS interception instructions. The look of the page can vary, but the general purpose is to tell the smartphone owner that a money transfer is waiting for them and that they should enter their card details to receive it.

To make doubly sure, the malware creators built in a check to validate the card number. First, it verifies that the card number is well formed (in case you didn't know, the digits in card numbers are not random: the last digit is a check digit computed with the Luhn algorithm, so a mistyped number usually fails the check). Next, Rotexy extracts the last four digits of the card number from the intercepted banking SMS and matches them against the ones entered on the phishing page. If something doesn't add up, the malware returns an error and prompts the user to enter the correct card number.
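As an added example (not code from the article or from the Rotexy sample itself), here is a Python model of the two pieces of logic described above: matching an intercepted SMS against a template to pull out the last four card digits (the "SMS thief" step), and the Luhn plus last-four check run against whatever the victim types into the phishing overlay. The sample SMS lines, the sender numbers and the regex template are constructed for this example; Rotexy's real templates are delivered by its C&C server and are not reproduced here.

```python
import re

# Constructed sample of the kind of traffic the Trojan screens: one bank
# notification carrying a card fragment, one unrelated personal message.
# Text and numbers are made up for this example.
SAMPLE_SMS = [
    ("900", "Pokupka 1450.00 RUB, karta *4242. Balans: 12100.50 RUB"),
    ("+79001234567", "Hey, are we still meeting tonight?"),
]

# Assumed template: a regex that pulls the trailing card digits out of a
# notification. A stand-in for the server-supplied templates, not Rotexy's own.
CARD_TAIL_TEMPLATE = re.compile(r"\*(\d{4})\b")


def extract_card_tail(messages):
    """Return the last four card digits from the first SMS matching the template, or None.

    Mirrors the 'check against templates, keep what is juicy' step: messages
    that match nothing are simply skipped here.
    """
    for _sender, body in messages:
        match = CARD_TAIL_TEMPLATE.search(body)
        if match:
            return match.group(1)
    return None


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation: the 'certain rules' card numbers follow."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and
    # digit-summed (equivalent to subtracting 9 when the double exceeds 9).
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def phishing_page_accepts(entered_pan: str, intercepted_tail):
    """Reproduce the overlay's two-stage validation of a typed card number.

    Returns (accepted, reason). The second stage only runs when a card
    fragment was actually harvested from SMS.
    """
    if not luhn_valid(entered_pan):
        return False, "checksum failed: card number mistyped"
    if intercepted_tail is not None and not entered_pan.replace(" ", "").endswith(intercepted_tail):
        return False, "last four digits do not match intercepted bank SMS"
    return True, "accepted"


if __name__ == "__main__":
    tail = extract_card_tail(SAMPLE_SMS)
    for typed in ("4242 4242 4242 4242", "4242424242424241", "4111111111111111"):
        print(typed, "->", phishing_page_accepts(typed, tail))
```

The point worth noticing is that the Luhn stage on its own only catches typos; it is the cross-check against the harvested SMS fragment that lets the attacker reject a deliberately fake number, which is why the SMS-interception and phishing components feed each other.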

Rotexy the ransomware

Sometimes Rotexy receives other instructions from the C&C server and acts out a different scenario. Instead of displaying a phishing page, it blocks the smartphone screen with a menacing window demanding payment of a fine for “regular viewing of prohibited videos.”

Rotexy imitates update installation, and after that blocks the smartphone screen with demand to pay a fine for “regular viewing of prohibited videos.”

Photographic “evidence” is attached in the form of an image of a pornographic clip. As is often the case with mobile ransomware, the cybercriminals pretend to be from some official body. Rotexy in particular mentions “FSB Internet Control” (incidentally, there is no such unit by that name in Russia).

How to unblock a smartphone infected with the Rotexy Trojan

The good news is that it is possible to unblock an infected smartphone and get rid of the "virus" without specialist help. As mentioned above, Rotexy can receive commands via SMS, and the beauty of it is that they do not need to come from a specific number: any sender will do. That means that if your smartphone is blocked and you cannot close the malicious window, all you need is another phone (a friend's or relative's, for example) and these short instructions:

  • Send an SMS to your number with the text "393838". The malware will interpret this as an order to set the C&C server address to an empty string, and will cease to obey the cybercriminals.
  • Then text "3458" to your number: this will deprive the Trojan of administrator rights and break its stranglehold on your device.
  • Lastly, send an SMS to your phone with the text "stop_blocker": this command will force Rotexy to remove the site or banner blocking the screen.
  • If after that the Trojan again starts pestering you for administrator rights, restart the device in safe mode, go to Application Manager or Applications and Notifications (different versions of Android arrange the settings in their own way), and delete the malware from the device, this time without resistance. That's it!
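To make the order of the steps concrete, here is an added Python model of the command channel the recovery relies on (not code from the article or from Rotexy itself). The three command strings are the ones documented above; the state fields, method names and the placeholder C&C address are assumptions for illustration. The model encodes two facts the procedure depends on: the sender of a command SMS is never checked, and Android will not let you uninstall an app while it still holds device administrator rights, which is why "3458" has to come before the safe-mode uninstall.

```python
from dataclasses import dataclass, field

# Command strings exactly as documented in the article.
CMD_CLEAR_C2 = "393838"            # set the C&C address to empty
CMD_DROP_ADMIN = "3458"            # give up device administrator rights
CMD_STOP_BLOCKER = "stop_blocker"  # remove the blocking window


@dataclass
class RotexyModel:
    """Minimal state of an infected device (assumed fields, for illustration)."""
    c2_address: str = "http://c2.invalid"  # placeholder, not a real address
    has_admin: bool = True
    blocker_shown: bool = True
    admin_prompt_nagging: bool = False
    installed: bool = True
    log: list = field(default_factory=list)

    def on_sms(self, sender: str, text: str) -> None:
        """Dispatch an incoming SMS. The weakness: `sender` is never validated."""
        cmd = text.strip()
        if cmd == CMD_CLEAR_C2:
            self.c2_address = ""
        elif cmd == CMD_DROP_ADMIN:
            self.has_admin = False
            # As the article notes, it may start asking for admin rights again.
            self.admin_prompt_nagging = True
        elif cmd == CMD_STOP_BLOCKER:
            self.blocker_shown = False
        else:
            return  # ordinary SMS: not a command, nothing changes here
        self.log.append((sender, cmd))

    def still_controlled_by_operators(self) -> bool:
        return bool(self.c2_address)


def recover(device: RotexyModel, helper_number: str) -> RotexyModel:
    """Send the article's three commands, in order, from any other phone."""
    for cmd in (CMD_CLEAR_C2, CMD_DROP_ADMIN, CMD_STOP_BLOCKER):
        device.on_sms(helper_number, cmd)
    return device


def uninstall_in_safe_mode(device: RotexyModel) -> bool:
    """Android refuses to uninstall an active device administrator, so this
    only succeeds once the admin rights are gone (step two above)."""
    if device.has_admin:
        return False
    device.installed = False
    device.admin_prompt_nagging = False
    return True


if __name__ == "__main__":
    phone = RotexyModel()
    print("uninstall before recovery:", uninstall_in_safe_mode(phone))  # False
    recover(phone, "+79000000000")  # constructed helper number
    print("controlled by operators:", phone.still_controlled_by_operators())
    print("uninstall after recovery:", uninstall_in_safe_mode(phone))
```

The model also makes the flip side obvious: a command channel that accepts orders from any number is exactly what lets a stranger, not just the operators, drive the malware.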

Note that these unblocking instructions are based on an analysis of the current version of Rotexy; things may be different in future versions. More technical details about the Trojan are available in the report published on Securelist.

How to protect against Rotexy and other mobile Trojans

Before signing off, we should mention that you will waste less time and fray fewer nerves by simply stopping the malware from getting onto your smartphone in the first place. Avoiding infection is not difficult, the main thing being to follow a few simple rules:

  • Don’t click on suspicious links in messages. Even if you’re curious, and the SMS seems to be from a friend, check first whether he or she really did send something.
  • Download Android apps only from Google Play. It’s a good idea to block the installation of programs from unknown sources in the smartphone settings.
  • Use a reliable mobile antivirus that will protect you against malware even if you accidentally click or tap something you shouldn’t.

Source: kaspersky.com

TAGGED: Google Play, Malware, Phishing, PoC, RC4, Threats, Trojan
Tom Grant, October 7, 2022 (updated October 13, 2022)
