Skip to content

S0411 Rotexy

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.1

Item Value
ID S0411
Associated Names
Version 1.1
Created 23 September 2019
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1432 Access Contact List Rotexy can access and upload the contacts list to the command and control server.1
mobile T1438 Alternate Network Mediums Rotexy can be controlled through SMS messages.1
mobile T1418 Application Discovery Rotexy retrieves a list of installed applications and sends it to the command and control server.1
mobile T1412 Capture SMS Messages Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can also send a list of all SMS messages on the device to the command and control server.1
mobile T1476 Deliver Malicious App via Other Means Rotexy is distributed through phishing links sent in SMS messages as AvitoPay.apk.1
mobile T1446 Device Lockout Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.1
mobile T1520 Domain Generation Algorithms Rotexy procedurally generates subdomains for command and control communication.1
mobile T1523 Evade Analysis Environment Rotexy checks if it is running in an analysis environment.1
mobile T1411 Input Prompt Rotexy can use phishing overlays to capture users’ credit card information.1
mobile T1406 Obfuscated Files or Information Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.1
mobile T1424 Process Discovery Rotexy collects information about running processes.1
mobile T1582 SMS Control Rotexy can automatically reply to SMS messages, and optionally delete them.1
mobile T1437 Standard Application Layer Protocol Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.1
mobile T1521 Standard Cryptographic Protocol Rotexy encrypts JSON HTTP payloads with AES.1
mobile T1508 Suppress Application Icon Rotexy hides its icon after first launch.1
mobile T1426 System Information Discovery Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.1
mobile T1422 System Network Configuration Discovery Rotexy collects the device’s IMEI and sends it to the command and control server.1


Back to top