Rotexy Mobile Trojan
Trojan | 11/24/2018

How to Get Rid of Rotexy Mobile Trojan?

About: Security researchers recently discovered a new member of Rotexy family that has casted attacks on over 70,000 Android devices in Russia, Germany, Ukraine & nearby countries. The Rotexy Banking Trojan uses three distinct communication channels to rece...  Read More  

| Trojan | How to Get Rid of Rotexy Mobile Trojan?

Guide to Remove Rotexy Mobile Trojan

A recent security report revealed a Banking Trojan from the Rotexy Malware family that casted over 70,000 attacks in a period of three months. The attack of Rotexy Mobile Trojan primarily targeted the users in Russia & is continuously spreading its tentacles to carry out its pernicious motives.


This new Rotexy Mobile Trojan is a blend of a Banking Mobile Trojan & a Ransomware Blocker that makes Rotexy a daunting threat. The security experts registered over 40,000 devious attempts of this Banking Trojan throughout the months of August & September. The baleful Trojan aimed at implanting a malicious app on Android smart phones.

Rotexy Mobile Trojan Temp4


Team Kaspersky carried out an in-depth analysis to track the evolution of this Banking Trojan & made a conclusion that Rotexy Mobile Trojan evolved from a SMS Mobile Spyware that was first reported in October 2014.  It was detected as Mobile Trojan- Spy.AndroidOS.SmsThief & has continuously evolved since then as new malicious features were added to it.


Rotexy Malware has proven to be highly versatile since its early releases & its main motive and distribution methods remained unchanged.

Working of Rotexy Mobile Trojan

The key feature that makes Rotexy Malware stand out of the crowd of Trojans is the use of three distinct communication mediums to receive commands.

  1. Researchers revealed that this Banking Trojan is capable of getting instructions from the Google Cloud Messaging services that conveys message to android devices in JSON format.
  2. Another method used by Rotexy Mobile Trojan to give commands to the compromised target is the use of a malicious Command and Control (C&C) server.
  3. Third method used by Mobile Trojan is the use of SMS that allows operator to direct the actions of malware by sending text messages to the infected Android device.

This modern version of Rotexy has targeted the users located in Russia, Ukraine, Germany & Turkey. Two renowned Malware analysts have documented evolution & key developments of Rotexy. One such surprising key development includes AES encryption that Rotexy uses to exchange data between the targeted device & malicious C&C Server.

Spreading Techniques

Rotexy Mobile Trojan spreads through phishing links & alluring texts sent via SMS that sparks off the users to click on links & download the app in their Android devices.


This malevolent version of Rotexy is spreading under the name AvitoPay.apk (or other similar names) & downloaded from vicious sites like,, and

Rotexy Mobile Trojan Temp5

The websites are name in accordance with some algorithm definitions. First few letters depict the names of renowned classified ad services, followed by an arbitrary set of characters & concluded with two letters of an elite domain.

Pugnacious Request for Admin Rights

 Following the infection of smart phones, the Banking Trojan begins to prepare grounds for further action.


Initially, Rotexy Mobile Trojan entirely examines the device it has landed on & checks if it is running on an emulator. In case the malware has landed in an emulated environment & not on a real smart phone, it cycles the app initialization process endlessly.

Rotexy Mobile Trojan Temp3

However, if Rotexy Malware has landed on a real system in Russia, it registers with GCM services & scans if it has admin privileges. The malware gets combative if it is unable to run with elevated permissions & uses exasperating tactics to ascertain the user grants it the administrative rights.


Any attempt to revoke the admin rights end with the periodic turning off the Android phone’s screen, which clearly indicates Trojan’s endeavor to halt user’s action.  In case user succeeds in revoking the admin rights, the Banking Trojan relaunches its intimidation tactics.

Other Capabilities of Rotexy Mobile Trojan

Rotexy establishes a connection with its malicious C&C and sends IMEI of the infected device to the hacker controlled server, which allows the criminal operators to spy on the infected users in real-time. The analysis shows how phone number, list of contacts, phone model, name of mobile network operator & versions of OS are forwarded to the hackers in real-time.


When a new message is received on an infected device, Rotexy puts the gadget in a silent mode & turns off the screen in order to avoid any disruption from the user. Rotexy is also capable of intercepting all the incoming messages & process them according to the templates received from C&C

Banking Trojan Behavior

The late 2016 showed that the Trojan aimed at stealing banking data via phishing pages. The developers smartly added an HTML page that impersonated a login form for an authorized bank & locked the screen of targeted device till the user entered the required information.



Rotexy Mobile Trojan Temp6

The hackers entice the victims by compelling them to think that they have received a money transfer. Victims are requested to enter their bank card details so that the amount can be transferred to respective account. As soon as the details are provided by user, they are sent to the hackers.


In order to make fraud believable, a virtual keyboard has been included purportedly that offers protections against key-logging apps.

The Ransomware Behavior

Some of the samples show that the Trojan freezes the phone’s screen & coerce the users to pay a ransom for viewing prohibited videos. It shows an extortionist HTML pages that include provoking images & freezes the screen.

Rotexy Mobile Trojan Temp2

Unblocking the Infected Phone

The Admin Rights can be revoked by sending “3458” to the infected device, followed by sending “stop_blocker” to the same number.


The Rotexy Mobile Trojan may start reiterating the request for admin privileges; however, the problem will disappear once the Trojan is ousted from the system.


The infected users may restart the device in safe mode & delete the malware from the device immediately.


  • Avoid clicking on suspicious links in SMSs.
  • Download apps from official App Store only.
  • Use a reliable & trusted anti-virus for your device.


Researchers claim that the C&C instructions will work on the current version of Rotexy & there are odds that the instructions may not be efficient with the future releases.

Hits: 182

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866