22 November 18, 10:42
![[Image: 181121-rotexy-mobile-trojan-10.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/21133944/181121-rotexy-mobile-trojan-10.png)
Quote: On the back of a surge in Trojan activity, we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub. One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family. In a three-month period from August to October 2018, it launched over 70,000 attacks against users located primarily in Russia.
An interesting feature of this family of banking Trojans is the simultaneous use of three command sources:
- Google Cloud Messaging (GCM) service – used to send small messages in JSON format to a mobile device via Google servers;
- malicious C&C server;
- incoming SMS messages.
This ‘versatility’ was present in the first version of Rotexy and has been a feature of all the family’s subsequent representatives. During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014. Back then it was detected as Trojan-Spy.AndroidOS.SmsThief, but later versions were assigned to another family – Trojan-Banker.AndroidOS.Rotexy.
The modern version of Rotexy combines the functions of a banking Trojan and ransomware. It spreads under the name AvitoPay.apk (or similar) and downloads from websites with names like youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk, etc. These website names are generated according to a clear algorithm: the first few letters are suggestive of popular classified ad services, followed by a random string of characters, followed by a two-letter top-level domain. But before we go into the details of what the latest version of Rotexy can do and why it’s distinctive, we would like to give a summary of the path the Trojan has taken since 2014 up to the present day.
Full article:
https://securelist.com/the-rotexy-mobile...are/88893/
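The quoted excerpt describes the distribution domains as following a clear pattern: a prefix borrowed from a classified-ad service, a short random string, then a two-letter TLD (youla9d6h.tk, prodam8n9.tk, prodamfkz.ml, avitoe0ys.tk). The following is an added example, not code from Kaspersky or from the article, of a small heuristic matcher you could run over proxy or DNS logs to flag hostnames of that shape. The prefix list and the TLD list are assumptions derived only from the four examples above; the benign hostnames in the sample input are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Assumption: these three prefixes are the classified-ad names visible in the
# four domains quoted in the article; the real generator may use others.
CLASSIFIED_PREFIXES = ("youla", "prodam", "avito")

# Assumption: only the two free TLDs seen in the examples; extend as needed.
SUSPECT_TLDS = ("tk", "ml")

# <prefix><3-6 alphanumeric chars>.<two-letter tld>, matched on the whole host
_PATTERN = re.compile(
    r"^(?P<prefix>" + "|".join(CLASSIFIED_PREFIXES) + r")"
    r"(?P<rand>[a-z0-9]{3,6})"
    r"\.(?P<tld>[a-z]{2})$"
)


def host_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL, or the input itself if it is
    already a bare hostname (no scheme)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def looks_like_rotexy_domain(hostname_or_url: str) -> bool:
    """True when the host matches prefix + short random tail + suspect TLD."""
    host = host_from_url(hostname_or_url)
    m = _PATTERN.match(host)
    if m is None:
        return False
    # The real brand domains (avito.ru, youla.ru) have no random tail and a
    # different TLD, so they fall through to False here.
    return m.group("tld") in SUSPECT_TLDS


def flag_domains(candidates):
    """Return the subset of hostnames/URLs that match the heuristic,
    preserving input order."""
    return [c for c in candidates if looks_like_rotexy_domain(c)]


# Constructed sample: the four domains from the article plus benign hosts.
SAMPLE_HOSTS = [
    "youla9d6h.tk",
    "http://prodam8n9.tk/AvitoPay.apk",
    "prodamfkz.ml",
    "avitoe0ys.tk",
    "avito.ru",
    "youla.ru",
    "www.example.com",
    "mail.ru",
]

if __name__ == "__main__":
    for h in flag_domains(SAMPLE_HOSTS):
        print("suspect:", host_from_url(h))
```

This is a shape heuristic, not a signature: a legitimate host such as avitoshop.tk would also match, so treat a hit as a pivot for further checks (first-seen date, APK download, the AvitoPay.apk naming mentioned in the article) rather than as a verdict on its own.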