| mobile |
T1437 |
Application Layer Protocol |
- |
| mobile |
T1437.001 |
Web Protocols |
Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging. |
| mobile |
T1637 |
Dynamic Resolution |
- |
| mobile |
T1637.001 |
Domain Generation Algorithms |
Rotexy procedurally generates subdomains for command and control communication. |
| mobile |
T1521 |
Encrypted Channel |
- |
| mobile |
T1521.001 |
Symmetric Cryptography |
Rotexy encrypts JSON HTTP payloads with AES. |
| mobile |
T1628 |
Hide Artifacts |
- |
| mobile |
T1628.001 |
Suppress Application Icon |
Rotexy hides its icon after first launch. |
| mobile |
T1629 |
Impair Defenses |
- |
| mobile |
T1629.002 |
Device Lockout |
Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal. |
| mobile |
T1417 |
Input Capture |
- |
| mobile |
T1417.002 |
GUI Input Capture |
Rotexy can use phishing overlays to capture users’ credit card information. |
| mobile |
T1406 |
Obfuscated Files or Information |
Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations. |
| mobile |
T1644 |
Out of Band Data |
Rotexy can be controlled through SMS messages. |
| mobile |
T1424 |
Process Discovery |
Rotexy collects information about running processes. |
| mobile |
T1636 |
Protected User Data |
- |
| mobile |
T1636.003 |
Contact List |
Rotexy can access and upload the contacts list to the command and control server. |
| mobile |
T1636.004 |
SMS Messages |
Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can also send a list of all SMS messages on the device to the command and control server. |
| mobile |
T1582 |
SMS Control |
Rotexy can automatically reply to SMS messages, and optionally delete them. |
| mobile |
T1418 |
Software Discovery |
Rotexy retrieves a list of installed applications and sends it to the command and control server. |
| mobile |
T1426 |
System Information Discovery |
Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country. |
| mobile |
T1422 |
System Network Configuration Discovery |
Rotexy collects the device’s IMEI and sends it to the command and control server. |
| mobile |
T1633 |
Virtualization/Sandbox Evasion |
- |
| mobile |
T1633.001 |
System Checks |
Rotexy checks if it is running in an analysis environment. |