Rotexy malware evolution peaked in 2014 and 2015; it mainly uses phishing links to lure users into installing the malicious app.
It uses the Google Cloud Messaging (GCM) service, a malicious C&C server, and incoming SMS messages to reach the victim's device.
This mobile malware combines a banking Trojan and ransomware, and is distributed under the name AvitoPay.apk.
It is downloaded from various malicious websites, including youla9d6h.tk, prodam8n9.tk, prodamfkz.ml and avitoe0ys.tk.
Rotexy keeps requesting device administrator privileges; the malicious program can only be removed if the user restarts the phone in safe mode.
Rotexy mainly targets Russian users, with up to 98% of its infections in Russia; it also infects users in Ukraine, Germany, Turkey, and several other countries.
Mobile Malware Rotexy Infection Process
Initially, once an infection starts, the malware checks whether the device is a sandbox environment and which country the victim belongs to.
Once all the checks pass, Rotexy registers with GCM and launches SuperService, which checks every second whether the app holds device administrator privileges.
If it does not, the app displays a request for root privileges in an infinite loop to force the user to agree and grant the privilege.
According to Securelist, “If the Trojan detects an attempt to revoke its administrator privileges, it starts periodically switching off the phone screen, trying to stop the user actions. If the privileges are revoked successfully, the Trojan relaunches the cycle of requesting administrator privileges.”
While running in the background on the targeted phone, Rotexy tracks several events: switching on and rebooting of the phone, termination of its operation, and sending of an SMS by the app – in this case, the phone is switched to silent mode.
The malware then uses a local SQLite database to store data harvested from the infected phone and information about the C&C servers.
“Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C&C. Also, when an SMS arrives, the Trojan puts the phone into silent mode and switches off the screen so the user doesn’t notice that a new SMS has arrived. When required, the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message.”
If it receives no rules for processing incoming messages, it simply stores all SMSs in the local database and uploads them to the C&C server.
The following commands are used by this malware to perform various actions.
- START, STOP, RESTART – start, stop, restart SuperService.
- URL — update C&C address.
- MESSAGE – send SMS containing specified text to a specified number.
- UPDATE_PATTERNS – reregister in the administration panel.
- UNBLOCK – unblock the telephone (revoke device administrator privileges from the app).
- UPDATE – download APK file from C&C and install it. This command can be used not just to update the app but to install any other software on the infected device.
- CONTACTS – send text received from C&C to all user contacts. This is most probably how the application spreads.
- CONTACTS_PRO – request unique message text for contacts from the address book.
- PAGE – contact URL received from C&C using User-Agent value that was also received from C&C or local database.
- ALLMSG – send C&C all SMSs received and sent by user, as stored in phone memory.
- ALLCONTACTS – send all contacts from phone memory to C&C.
- ONLINE – send information about Trojan’s current status to C&C: whether it has device administrator privileges, which HTML page is currently displayed, whether screen is on or off, etc.
- NEWMSG – write an SMS to the device memory containing the text and sender number sent from C&C.
- CHANGE_GCM_ID – change GCM ID.
- BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details.
- BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware.
- BLOCKER_UPDATE_START – display fake HTML page for update.
- BLOCKER_STOP – block display of all HTML pages.
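The infection process and command set above describe a recognisable capability profile: SMS interception and sending, contact harvesting, device administrator abuse and GCM registration. The following triage script, added here as an example and not code from the original article or from Securelist, parses an Android manifest and scores how closely its declared permissions match that profile; the manifest and the weights are constructed for illustration, not taken from a real Rotexy sample.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace (real value).
A = "{http://schemas.android.com/apk/res/android}"

# Permissions/artefacts corresponding to the behaviour the article describes:
# SMS interception and sending, contact harvesting, device-admin abuse and GCM
# registration. Permission strings are real Android permissions.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
GCM_PERM = "com.google.android.c2dm.permission.RECEIVE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest for illustration only; not Rotexy's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def manifest_capabilities(xml_text):
    """Return which Rotexy-like capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A device-admin receiver is guarded by the BIND_DEVICE_ADMIN permission.
    admin_receiver = any(r.get(A + "permission") == DEVICE_ADMIN_PERM
                         for r in root.iter("receiver"))
    return {
        "sms": bool(perms & SMS_PERMS),
        "contacts": bool(perms & CONTACT_PERMS),
        "device_admin": admin_receiver,
        "gcm": GCM_PERM in perms,
    }

# Weights are an assumption of this example, not a published scoring scheme.
WEIGHTS = {"sms": 3, "device_admin": 3, "contacts": 2, "gcm": 1}

def rotexy_like_score(caps):
    """Sum the weights of present capabilities; 9 means the full profile."""
    return sum(w for k, w in WEIGHTS.items() if caps.get(k))

if __name__ == "__main__":
    caps = manifest_capabilities(SAMPLE_MANIFEST)
    print(caps, rotexy_like_score(caps))
```

A high score is a triage signal for analysts, not proof of infection; legitimate SMS or device-management apps can declare several of these permissions.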
The Trojan also displays a phishing page (bank.html) prompting the user to enter their bank card details. This page mimics a legitimate bank form and blocks the device screen until the user enters all the information. It even has its own virtual keyboard that supposedly protects the victim from keyloggers.
The Trojan forces the user to enter only valid card details, checking them against the data it has already received. Once the victim has entered all the data, the Trojan verifies it and uploads it to the C&C server.