The Rotexy Trojan: banker and blocker

January 12, 2019
The Rotexy Trojan: banker and blocker

On the back of a flood in Trojan movement, a standout amongst the most fascinating and dynamic examples to date was a mobile Trojan from the Rotexy family. In a three-month time span from August to October 2018, it propelled more than 70,000 assaults against clients found basically in Russia.


An intriguing component of this group of managing an account Trojans is the synchronous utilization of three command sources:

  • Google Cloud Messaging (GCM) benefit – used to send little messages in JSON arrangement to a cell phone through Google servers;
  • pernicious C&C server;
  • approaching SMS messages.


This ‘flexibility’ was available in the main form of Rotexy and has been an element of all the family’s ensuing delegates. Amid our examination we likewise landed at the end that this Trojan advanced from a SMS spyware Trojan that was first seen in October 2014. In those days it was distinguished as Trojan-Spy.AndroidOS.SmsThief, however later forms were doled out to another family ­– Trojan-Banker.AndroidOS.Rotexy.

The cutting edge form of Rotexy joins the elements of a managing an account Trojan and ransomware. It spreads under the name AvitoPay.apk (or comparable) and downloads from sites with names like,,,, and so on. These site names are produced by an unmistakable calculation: the initial couple of letters are suggestive of mainstream characterized advertisement administrations, trailed by an irregular series of characters, trailed by a two-letter top-level space. Be that as it may, before we delve into the subtle elements of what the most recent adaptation of Rotexy can do and why it’s particular, we might want to give a synopsis of the way the Trojan has taken since 2014 up to the present day.

Presently for some uplifting news: Rotexy doesn’t have an extremely very much structured module for handling commands that land in SMSs. It implies the telephone can be unblocked now and again when it has been hindered by one of the above HTML pages. This is finished by sending “3458” in a SMS to the blocked gadget – this will deny the overseer benefits from the Trojan. After that it’s important to send “stop_blocker” to a similar number – this will handicap the showcase of HTML pages that blackmail cash and square the screen. Rotexy may begin asking for gadget chairman benefits again in an unending circle; all things considered, restart the gadget in protected mode and expel the malignant program.


In any case, this technique may not work if the risk on-screen characters respond rapidly to an endeavor to expel the Trojan. All things considered, you first need to send the content “393838” in a SMS to the contaminated gadget and after that recurrent every one of the activities depicted over; that instant message will change the C&C deliver to “://”, so the telephone will never again get directions from the genuine C&C.


It would be ideal if you take note of that these unblocking directions depend on an examination of the present form of Rotexy and have been tried on it. Notwithstanding, it’s conceivable the arrangement of directions may change in future variants of the Trojan.

Anti-Trojan measures must be implemented, monitored and watched over with vigilance as the season of Christmas and holidays are quickly approaching, expect that more malware Trojans will be set loose by cyber criminals. Subsequently once Trojans succeed with their attacks and payload, next step or action will be an opportunity for the cyber criminals to conduct phishing attacks, therefore fraud prevention from financial institution must be planned out by their anti-phishing measures through their digital security team.


About the author

Leave a Reply