The Rotexy Trojan: banker and blocker

Tom Grant
Last updated: 13 October

Recently the mobile malware Rotexy, a cross between a banking Trojan and a ransomware blocker, has been spreading its tentacles. Throughout August and September, our experts registered more than 40,000 attempts to implant this malicious app on Android smartphones. Having already published some technical details and biography of this beast on Securelist, here we will explore the sources of infection and how to remove it for free — using just a couple of simple SMS.

Contents

  • How the Rotexy banking Trojan works
  • Rotexy the SMS thief
  • Rotexy the banking Trojan
  • Rotexy the ransomware
  • How to unblock a smartphone infected with the Rotexy Trojan
  • How to protect against Rotexy and other mobile Trojans

How the Rotexy banking Trojan works

Rotexy spreads through SMS messages containing links to the app download and some catchy text that prompts people to click those links and install the app. In some cases these messages are sent from a friend’s phone number, which is what makes people actually click the links.

After infecting a device, the Trojan gets very busy preparing the workplace for further action. First, Rotexy checks to see what device it has landed on. It does this to hamper the work of antivirus researchers: if the malware detects that it is running in an emulator, and not on a real smartphone, all it does is cycle endlessly through the app initialization process. In the current version of Rotexy the same happens if the device seems to be outside of Russia.

Only after making sure that the device meets these basic requirements does the Trojan begin to act, first by requesting administrator rights. Theoretically, the user can refuse to grant them, but the request will keep popping up, making it difficult to use the smartphone. Having got its wicked way, Rotexy reports that the app failed to load and hides its icon.

After this, the malware makes contact with its owners, giving them information about the device. In response, it receives instructions and a set of templates and texts. By default, Rotexy communicates directly with the C&C server, but its creators implemented other ways to send orders via Google Cloud Messaging and SMS.

Rotexy the SMS thief

On the topic of SMS, Rotexy can’t get enough of them. When a message arrives on an infected phone, the malware switches the gadget into silent mode so that the victim does not notice new incoming SMS. The Trojan then intercepts the message, checks it against the templates received from the C&C server, and if it contains anything juicy (for example, the last digits of a card number in a mobile banking SMS notification), stores and forwards it to the server. Moreover, the malware can respond to such messages on behalf of the smartphone owner: response texts are also contained in the templates for when they are required.

If for some reason no templates or special instructions were received from the C&C server, Rotexy simply saves all correspondence on the infected smartphone, and then forwards it to its masters.

On top of that, on the cybercriminals’ command, the malware can send a link to download itself to all contacts in the phone book — which is one of the main vectors of propagation for Rotexy Trojan.

Rotexy the banking Trojan

SMS manipulation is not the only trick up the malware’s sleeve, and not even its main one. That would be making money for its creators, primarily through stealing bank card data. To do so, it overlays a phishing page on the screen with text received along with the SMS interception instructions. The look of the page can vary, but the general purpose is to tell the smartphone owner that a money transfer is waiting for them and that they should enter card details to receive it.

To make doubly sure, the malware creators built in a check to validate the card number. First, it verifies that the card number is well-formed (in case you didn’t know, the digits in card numbers are not random, but generated according to certain rules). Next, Rotexy extracts the last four digits of the card number from the intercepted banking SMS and matches them against the ones entered on the phishing page. If something doesn’t add up, the malware returns an error and prompts the user to enter the correct card number.

Rotexy the ransomware

Sometimes Rotexy receives other instructions from the C&C server and acts out a different scenario. Instead of displaying a phishing page, it blocks the smartphone screen with a menacing window demanding payment of a fine for “regular viewing of prohibited videos.”

Rotexy imitates update installation, and after that blocks the smartphone screen with demand to pay a fine for “regular viewing of prohibited videos.”

Photographic “evidence” is attached in the form of an image of a pornographic clip. As is often the case with mobile ransomware, the cybercriminals pretend to be from some official body. Rotexy in particular mentions “FSB Internet Control” (incidentally, there is no such unit by that name in Russia).

How to unblock a smartphone infected with the Rotexy Trojan

The good news is that it is possible to unblock an infected smartphone and get rid of the “virus” without the need for specialist help. As mentioned above, Rotexy can receive commands via SMS. The beauty lies in the fact that they do not need to be sent from a specific number; any will do. That means that if your smartphone is blocked and you cannot close the malicious window, all you need is another phone (a friend’s or relative’s, for example) and these short instructions:

  • Send an SMS to your number with the text “393838.” The malware will interpret this as an order to change the address of the C&C server to empty, and will cease to obey the cybercriminals.
  • Then text “3458” to your number — this will deprive the Trojan of administrator rights and break its stranglehold on your device.
  • Lastly, send an SMS to your phone with the text “stop_blocker”: This command will force Rotexy to remove the site or banner blocking the screen.
  • If after that, the Trojan again starts pestering you for administrator rights, restart the device in safe mode (see here how to do it), go to Application Manager or Applications and Notifications (different versions of Android arrange the settings in their own way), and delete the malware from the device — this time without resistance. That’s it!

Note that the instructions for unblocking a smartphone are based on an analysis of the current version of Rotexy; things may be different in future versions. More technical details about the Trojan are available in the report published on Securelist.

How to protect against Rotexy and other mobile Trojans

Before signing off, we should mention that you will waste less time and fray fewer nerves by simply stopping the malware from getting onto your smartphone in the first place. Avoiding infection is not difficult, the main thing being to follow a few simple rules:

  • Don’t click on suspicious links in messages. Even if you’re curious, and the SMS seems to be from a friend, check first whether he or she really did send something.
  • Download Android apps only from Google Play. It’s a good idea to block the installation of programs from unknown sources in the smartphone settings.
  • Use a reliable mobile antivirus that will protect you against malware even if you accidentally click or tap something you shouldn’t.

Source: kaspersky.com

Tom Grant, published October 7, 2022, updated October 13, 2022