Skip to content

S0411 Rotexy

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.1

Item Value
ID S0411
Associated Names
Version 1.1
Created 23 September 2019
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.1
mobile T1637 Dynamic Resolution -
mobile T1637.001 Domain Generation Algorithms Rotexy procedurally generates subdomains for command and control communication.1
mobile T1521 Encrypted Channel -
mobile T1521.001 Symmetric Cryptography Rotexy encrypts JSON HTTP payloads with AES.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Rotexy hides its icon after first launch.1
mobile T1629 Impair Defenses -
mobile T1629.002 Device Lockout Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.1
mobile T1417 Input Capture -
mobile T1417.002 GUI Input Capture Rotexy can use phishing overlays to capture users’ credit card information.1
mobile T1406 Obfuscated Files or Information Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.1
mobile T1644 Out of Band Data Rotexy can be controlled through SMS messages.1
mobile T1424 Process Discovery Rotexy collects information about running processes.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List Rotexy can access and upload the contacts list to the command and control server.1
mobile T1636.004 SMS Messages Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can also send a list of all SMS messages on the device to the command and control server.1
mobile T1582 SMS Control Rotexy can automatically reply to SMS messages, and optionally delete them.1
mobile T1418 Software Discovery Rotexy retrieves a list of installed applications and sends it to the command and control server.1
mobile T1426 System Information Discovery Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.1
mobile T1422 System Network Configuration Discovery Rotexy collects the device’s IMEI and sends it to the command and control server.1
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks Rotexy checks if it is running in an analysis environment.1