Wednesday, January 15, 2025

Powerful Mobile Malware Rotexy Launched over 70,000 Attacks with Banking Trojan & Ransomware Modules


A new mobile malware family called Rotexy launched over 7000 attacks in the wild within a three-month period from August to October 2018. It evolved from an SMS-based spyware that was active in 2014.

Rotexy's evolution was at its peak in 2014 and 2015, and it mainly uses phishing links that prompt users to install the malicious apps.

It uses the Google Cloud Messaging (GCM) service, a malicious C&C server, and incoming SMS messages to reach victims' devices.

The main functions of this mobile malware are its banking Trojan and ransomware modules, and it is distributed under the name AvitoPay.apk.

It is downloaded from various malicious websites, including youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk, etc.

The Rotexy mobile malware keeps requesting device administrator privileges, even when users restart the phone in safe mode and even when the malicious program is to be removed.

Rotexy mainly targets Russian users: up to 98% of its infections are in Russia, and it also infects users in Ukraine, Germany, Turkey, and several other countries.

Mobile Malware Rotexy Infection Process

Once an infection starts, the malware first checks whether the device is a sandbox environment and which country the victim is in.

Once it has finished all the checks, Rotexy registers with GCM and launches SuperService, which checks the device's admin privileges every second.

Later it displays the privilege request in an infinite loop, requesting root privileges, to force users to agree and grant them.

According to securelist, “If the Trojan detects an attempt to revoke its administrator privileges, it starts periodically switching off the phone screen, trying to stop the user actions. If the privileges are revoked successfully, the Trojan relaunches the cycle of requesting administrator privileges.”

While running in the background on the targeted phone, Rotexy can handle switching on and rebooting of the phone, termination of its operation, and sending of an SMS by the app; in this last case, the phone is switched to silent mode.

The malware then uses a local SQLite database to store the data harvested from the infected mobile and information about the C&C servers.

“Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C&C. Also, when an SMS arrives, the Trojan puts the phone into silent mode and switches off the screen so the user doesn’t notice that a new SMS has arrived. When required, the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message.”

If it doesn't receive any rules for processing incoming messages, it simply stores all SMS messages in the local DB and uploads them to the C&C server.

The following commands are used by this malware to perform various actions.

  • START, STOP, RESTART – start, stop, restart SuperService.
  • URL – update C&C address.
  • MESSAGE – send SMS containing specified text to a specified number.
  • UPDATE_PATTERNS – reregister in the administration panel.
  • UNBLOCK – unblock the telephone (revoke device administrator privileges from the app).
  • UPDATE – download APK file from C&C and install it. This command can be used not just to update the app but to install any other software on the infected device.
  • CONTACTS – send text received from C&C to all user contacts. This is most probably how the application spreads.
  • CONTACTS_PRO – request unique message text for contacts from the address book.
  • PAGE – contact URL received from C&C using User-Agent value that was also received from C&C or local database.
  • ALLMSG – send C&C all SMSs received and sent by user, as stored in phone memory.
  • ALLCONTACTS – send all contacts from phone memory to C&C.
  • ONLINE – send information about Trojan’s current status to C&C: whether it has device administrator privileges, which HTML page is currently displayed, whether screen is on or off, etc.
  • NEWMSG – write an SMS to the device memory containing the text and sender number sent from C&C.
  • CHANGE_GCM_ID – change GSM ID.
  • BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details.
  • BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware.
  • BLOCKER_UPDATE_START – display fake HTML page for update.
  • BLOCKER_STOP – block display of all HTML pages.
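
For incident response, the command list above can be replayed over a sandbox or network trace to reconstruct what state a device was left in. The following is an added example, not code from the original article or from Securelist; the trace line format (`<time> <channel> <COMMAND> [argument]`), the channel labels and the `cc.example.invalid` address are assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Command names and effects come from the list above.
OVERLAYS = {"BLOCKER_BANKING_START": "bank card phishing page",
            "BLOCKER_EXTORTIONIST_START": "ransomware page",
            "BLOCKER_UPDATE_START": "fake update page"}
NOTABLE = {"UPDATE": "APK downloaded and installed",
           "ALLMSG": "all SMS sent to C&C", "ALLCONTACTS": "all contacts sent to C&C",
           "CONTACTS": "text sent to all contacts", "MESSAGE": "SMS sent to a number",
           "UNBLOCK": "device administrator privileges revoked"}
OTHER = {"UPDATE_PATTERNS", "CONTACTS_PRO", "PAGE", "ONLINE", "NEWMSG", "CHANGE_GCM_ID"}

@dataclass
class DeviceState:
    service_running: bool = False
    overlay: str = ""        # HTML page currently shown, "" if none
    cc_address: str = ""     # last address set by the URL command
    findings: list = field(default_factory=list)

def replay(trace: str) -> DeviceState:
    s = DeviceState()
    for line in trace.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue         # malformed line, skip it
        ts, _channel, cmd, arg = (parts + [""])[:4]
        if cmd in ("START", "RESTART", "STOP"):
            s.service_running = cmd != "STOP"
        elif cmd == "URL":
            s.cc_address = arg
            s.findings.append((ts, "C&C address updated"))
        elif cmd in OVERLAYS:
            s.overlay = OVERLAYS[cmd]
            s.findings.append((ts, "displayed " + OVERLAYS[cmd]))
        elif cmd == "BLOCKER_STOP":
            s.overlay = ""
        elif cmd in NOTABLE:
            s.findings.append((ts, NOTABLE[cmd]))
        elif cmd not in OTHER:
            s.findings.append((ts, "unrecognised command " + cmd))
    return s

# Constructed sample trace; line format and address are assumptions.
SAMPLE = """
2018-09-01T10:00:00 GCM START
2018-09-01T10:00:05 C2 URL cc.example.invalid
2018-09-01T10:01:00 SMS ALLMSG
2018-09-01T10:02:00 GCM BLOCKER_BANKING_START
2018-09-01T10:05:00 GCM BLOCKER_STOP
2018-09-01T10:06:00 GCM BLOCKER_EXTORTIONIST_START
"""
```

Calling `replay(SAMPLE)` returns the final state (service running, ransomware page displayed, last C&C address) plus a timestamped list of findings to follow up on.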

The Trojan also displays a phishing page (bank.html) prompting the user to enter their bank card details. This page mimics a legitimate bank form and blocks the device screen until the user enters all the information. It even has its own virtual keyboard that supposedly protects the victim from keyloggers.

The Trojan forces users to enter only correct details, checking everything entered against the data it has already received. Once the victim has entered all the data, it verifies the data and uploads it to the C&C server.

IOCs

SHA256


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
