A recent security report revealed a banking Trojan from the Rotexy malware family that carried out over 70,000 attacks in a period of three months. The Rotexy mobile Trojan primarily targeted users in Russia & continues to spread in pursuit of its malicious goals.
This new Rotexy mobile Trojan is a blend of a mobile banking Trojan & a ransomware blocker, which makes it a daunting threat. Security experts registered over 40,000 attack attempts by this banking Trojan during August & September. The Trojan aimed at implanting a malicious app on Android smartphones.
Kaspersky carried out an in-depth analysis to track the evolution of this banking Trojan & concluded that the Rotexy mobile Trojan evolved from an SMS spyware that was first reported in October 2014. It was detected as Trojan-Spy.AndroidOS.SmsThief & has evolved continuously since then as new malicious features were added to it.
Rotexy has proven highly adaptable since its early releases, although its main motive & distribution methods have remained unchanged.
The key feature that sets Rotexy apart from other Trojans is its use of three distinct communication channels to receive commands.
This modern version of Rotexy has targeted users located in Russia, Ukraine, Germany & Turkey. Two renowned malware analysts have documented the evolution & key developments of Rotexy. One notable development is the AES encryption Rotexy uses to exchange data between the targeted device & the malicious C&C server.
Rotexy spreads through phishing links & alluring texts sent via SMS that prompt users to click the links & download the app onto their Android devices.
This version of Rotexy spreads under the name AvitoPay.apk (or other similar names) & is downloaded from malicious sites such as prodamfkz.ml, avitoe0ys.tk, prodam8n9.tk and youla9d6h.tk.
The websites are named according to a fixed pattern: the first few letters reproduce the name of a well-known classified-ad service, followed by an arbitrary set of characters, & concluded with a two-letter top-level domain.
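The naming pattern described above can be turned into a simple detection rule for DNS or proxy logs. This is an added example, not code from the article or from Kaspersky; the brand prefixes are taken from the four domains named above, and the log lines are constructed sample data.

```python
import re

# Constructed sample DNS query log (not real telemetry): timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2018-11-01T10:01:02Z 10.0.0.12 prodamfkz.ml
2018-11-01T10:01:05Z 10.0.0.12 avito.ru
2018-11-01T10:02:17Z 10.0.0.31 avitoe0ys.tk
2018-11-01T10:03:44Z 10.0.0.31 youla.ru
2018-11-01T10:04:01Z 10.0.0.40 youla9d6h.tk
2018-11-01T10:04:09Z 10.0.0.40 prodam8n9.tk
2018-11-01T10:05:00Z 10.0.0.52 example.com
"""

# Brand prefixes observed in the distribution domains named in the article (assumption:
# a real deployment would extend this list with the classified-ad brands relevant to it).
BRAND_PREFIXES = ("avito", "youla", "prodam")

# Pattern from the article: brand prefix + arbitrary alphanumeric tail + two-letter TLD.
# The legitimate brand domain (e.g. avito.ru) has no tail, so at least two tail characters
# are required. This is a heuristic and may still flag legitimate look-alike names.
LOOKALIKE_RE = re.compile(
    r"^(?P<brand>" + "|".join(BRAND_PREFIXES) + r")(?P<tail>[a-z0-9]{2,})\.(?P<tld>[a-z]{2})$"
)


def is_rotexy_lookalike(domain: str) -> bool:
    """Return True if the domain matches the brand+random+2-letter-TLD pattern."""
    name = domain.strip().rstrip(".").lower()
    return LOOKALIKE_RE.match(name) is not None


def flag_dns_log(log_text: str) -> list:
    """Walk 'timestamp client name' log lines and return (client, name) pairs that match."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _timestamp, client, name = parts
        if is_rotexy_lookalike(name):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, name in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"suspicious lookup from {client}: {name}")
```

Matching clients are candidates for follow-up (checking for a recently installed app named like AvitoPay.apk), not automatic verdicts.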
Once a smartphone is infected, the banking Trojan begins to prepare the ground for further action.
Initially, Rotexy thoroughly examines the device it has landed on & checks whether it is running on an emulator. If the malware finds itself in an emulated environment rather than on a real smartphone, it loops the app initialization process endlessly.
However, if Rotexy has landed on a real device in Russia, it registers with GCM services & checks whether it has admin privileges. The malware becomes aggressive if it cannot run with elevated permissions & uses nagging tactics to make sure the user grants it administrator rights.
Any attempt to revoke the admin rights ends with the Android phone’s screen being periodically turned off, which clearly indicates the Trojan’s effort to halt the user’s action. If the user succeeds in revoking the admin rights, the banking Trojan relaunches its intimidation tactics.
Rotexy establishes a connection with its malicious C&C & sends the IMEI of the infected device to the attacker-controlled server, which allows the criminal operators to spy on infected users in real time. The analysis shows how the phone number, contact list, phone model, mobile network operator name & OS version are forwarded to the attackers in real time.
When a new message is received on an infected device, Rotexy puts the device into silent mode & turns off the screen to avoid any interference from the user. Rotexy is also capable of intercepting all incoming messages & processing them according to templates received from the C&C.
In late 2016 the Trojan turned to stealing banking data via phishing pages. The developers added an HTML page that impersonated the login form of a legitimate bank & locked the screen of the targeted device until the user entered the required information.
The attackers entice victims by making them believe they have received a money transfer. Victims are asked to enter their bank card details so that the amount can be transferred to their account. As soon as the user provides the details, they are sent to the attackers.
To make the fraud believable, a virtual keyboard is included that purportedly offers protection against keylogging apps.
Some samples show that the Trojan freezes the phone’s screen & coerces users into paying a ransom for allegedly viewing prohibited videos. It displays an extortionist HTML page with provocative images & freezes the screen.
Admin rights can be revoked by sending “3458” to the infected device, followed by sending “stop_blocker” to the same number.
The Rotexy mobile Trojan may start repeating its request for admin privileges; however, the problem disappears once the Trojan is removed from the system.
Infected users should restart the device in safe mode & delete the malware from the device immediately.
Researchers state that these C&C instructions work on the current version of Rotexy & note that they may not be effective against future releases.