Mobile Malware Rotexy, which a hybrid of a ransomware blocker and banking trojan is expanding its limbs. In August and September, some of the specialists recorded over 40,000 trials to embed this malicious app on Android smartphones. Though some of the technical information and other details are known to the world, we will talk about the infection in details along with the solution to get rid of it for free.
So, let’s get started!
How Does Rotexy Banking Trojan Work?
Rotexy uses SMS including downloading link of an app with appealing text which urges people to click the links and download the app. If the SMS sent comes from an unknown number, it gets ignored, however, when you receive such SMS from a friend’s number, that’s when people click on the link.
Once the device gets infected, the Trojan starts preparing the structure for the next step. Rotexy first identifies what device has been infected, so that it could impede the work of antivirus researchers. If the malware identifies that it is working in an emulator, then it cycles through the app initialization process repeatedly.
Before the trojan starts to work, it inspects whether the device suffices basic requirements. Once done, it asks for administrator rights. Probably user will not give permission, however, the pop-ups will come up repeatedly and user will not be able to use the device. Once the permission is granted, Rotexy will notify that the app has not loaded and hides the icon.
Next step, the malware contacts its owners and provides them with information about the smartphone. In return, it gets instructions along with a collection of texts and templates. Rotexy reaches to the C&C server, however, the hackers have come up with other ways to send instructions such as via SMS or Google Cloud Messaging.
Rotexy the SMS Thief
Whenever a message is received on an infected smartphone. Malware turns on the silent mode on the device so that the victim could not listen to the incoming SMS notification chime. Once a message is received, it intercepts the SMS and compares it with the templates received from the C&C server. If anything, interesting such as last digits of a card number from a banking notification is found, then it keeps it and sends it to the server. Also, the malware can intercept and replies to such messages: templates sent by malware owners have acknowledgement texts for when they are needed.
In case, there is no template or order received, then Rotexy saves all communication on the victim’s device and sends it across to the bosses. Also, if cybercriminals want, the malware can forward a link to download to all the contacts in the phone book.
Also Read : Insider Information On Trojan Horse
Rotexy – Banking Trojan
Primarily, the malware steals bank card data to provide maximum profit to its owners. For that, it superimposes a phishing webpage on the screen with text received with the SMS interposing orders. The interface and look of the page could be different every time but the main aim is to inform the owner of the smartphone that a money transfer is waiting for him and he needs to give card details to get it.
Also, to make it look genuine, the malware developers have a check in the way to verify the card number. It validates that the user is punching in the correct card number. After that, Rotexy elicits the last four digits of the card number from the banking SMS that it stored and compares it with the ones that the user entered on phishing page.
In case it didn’t match, then malware shows an error and asks the user to enter correct card details.
Rotexy: Ransomware
There can be another way in which Rotexy behave. Well, it depends on the instruction that it receives from the C&C server. Rather than showing phishing page, it could block your smartphone’s screen with a threatening window asking the user to pay fine for “regular viewing of prohibited videos.”
It also shows the Photographic “evidence” which is a pornographic clip. The cybercriminals act as an official organisation, Rotexy mostly uses, “FSB Internet Control”.
How To Get Rid Of Rotexy Trojan?
After reading all of the above that Rotexy can do, you must be thinking how we could get rid of it. Hopefully, you can! You can unblock your infected smartphone. As it is mentioned that Rotexy gets orders through SMS. So, the SMS doesn’t have to come from any specific number, any phone number or device could send it.
So, if your phone is blocked, then you just need someone’s phone and send an instruction. You need to send an SMS to your number with “393838” text.
This SMS means that it is an order for malware to change the address of C& C server to empty & also, it will stop obeying cybercriminals.
Then again, send a text containing “3458” to your number- this will stop Trojan from accessing your device using admin rights and therefore, the trojan will no longer have a hold on your device.
The third SMS would be a text “stop_blocker”: This instruction will push Rotexy to remove the site or banner blocking the screen.
After following these instructions, if Trojan starts acting again and asks for your device’s admin rights, then restart your smartphone in safe mode. Once the device restarts, go to Applications & Notifications or App manager & remove the malware from your device.
Note: This method works on the current version of Rotexy, however, it might not work with the future versions.
Must Read : TeleRAT: A New Trojan Horse That Steals Your Data
Instructions To Prevent Rotexy & Other Trojans From Infecting Your Device:
Above mentioned process is quite cumbersome and could be risky as well. Well if you stay alert and take care of a few things, you might not ghave to face it altogether.
Never click on suspicious links, not even if promises to give 1 million dollars.
Download apps only from Google Play.
Always install trustworthy mobile antivirus on your phone to keep it protected always.
So, no matter what version of Android you are working on or what software you have installed, a click on a suspicious link and your device, your banking details, everything will be stolen. Beware and always stay alert!
Leave a Reply