New Rotexy mobile trojan is both a banking malware and a ransomware

• Between August to October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia.
• The malware first appeared in 2014 as a spyware but has since evolved, adding more malicious features.

A new variant of the Rotexy malware was recently discovered by security researchers. The malware first appeared in 2014 as a spyware but has since evolved, adding more malicious features. The new Rotexy variant combines the capabilities of a banking malware and a ransomware, making it a potent threat.

According to security researchers at Kaspersky Labs, who discovered the new Rotexy campaign, between August to October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia.

Rotexy’s main goal and propagation methods remain unchanged. The malware spreads through phishing links sent via SMS messages, which trick users into installing an app. The app, once installed requests administrative privileges and establishes a connection with Rotexy’s C2. The malware is designed to send the infected device’s IMEI to the C2.

Rotexy’s capabilities

Apart from harvesting banking credentials and enctypting files, the malware is also capable of automatically replying to an SMS message and deleting it immediately after it is sent.

“In 2018, versions of Rotexy emerged that contacted the C&C using its IP address. ‘One-time’ domains also appeared with names made up of random strings of characters and numbers, combined with the top-level domains .cf, .ga, .gq, .ml, or .tk. At this time, the Trojan also began actively using different methods of obfuscation. For example, the DEX file is packed with garbage strings and/or operations, and contains a key to decipher the main executable file from the APK,” Kaspersky researchers said.

Rotexy is also capable of intercepting all incoming SMS messages. The malware also turns the phone into silent mode and switches off the device’s screen, ensuring that the victim doesn’t notice the new incoming SMS message.

Although the malware primarily infects users in Russia, infections have also been observed across Ukraine, Germany, and Turkey. The reemergence of Rotexy indicates that cybercriminals have no qualms about repurposing older malware strains, developing new variants with advanced capabilities and deploying them against a wider range of victims.