{
	"id": "ecfdf857-6ddf-4778-8261-c28ccb9dab4e",
	"created_at": "2026-04-06T00:16:47.684665Z",
	"updated_at": "2026-04-10T03:21:03.325773Z",
	"deleted_at": null,
	"sha1_hash": "c03f8e84e592f664e64583540f2468e4a754fb4f",
	"title": "The Rotexy mobile Trojan – banker and ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025851,
	"plain_text": "The Rotexy mobile Trojan – banker and ransomware\r\nBy Tatyana Shishkova\r\nPublished: 2018-11-22 · Archived: 2026-04-05 12:36:47 UTC\r\nOn the back of a surge in Trojan activity, we decided to carry out an in-depth analysis and track the evolution of\r\nsome other popular malware families besides Asacub. One of the most interesting and active specimens to date\r\nwas a mobile Trojan from the Rotexy family. In a three-month period from August to October 2018, it launched\r\nover 70,000 attacks against users located primarily in Russia.\r\nAn interesting feature of this family of banking Trojans is the simultaneous use of three command sources:\r\nGoogle Cloud Messaging (GCM) service – used to send small messages in JSON format to a mobile\r\ndevice via Google servers;\r\nmalicious C\u0026C server;\r\nincoming SMS messages.\r\nThis ‘versatility’ was present in the first version of Rotexy and has been a feature of all the family’s subsequent\r\nrepresentatives. During our research we also arrived at the conclusion that this Trojan evolved from an SMS\r\nspyware Trojan that was first spotted in October 2014. Back then it was detected as Trojan-Spy.AndroidOS.SmsThief, but later versions were assigned to another family \r\n– Trojan-Banker.AndroidOS.Rotexy.\r\nThe modern version of Rotexy combines the functions of a banking Trojan and ransomware. It spreads under the\r\nname AvitoPay.apk (or similar) and downloads from websites with names like youla9d6h.tk, prodam8n9.tk,\r\nprodamfkz.ml, avitoe0ys.tk, etc. These website names are generated according to a clear algorithm: the first few\r\nletters are suggestive of popular classified ad services, followed by a random string of characters, followed by a\r\ntwo-letter top-level domain. 
But before we go into the details of what the latest version of Rotexy can do and why\r\nit’s distinctive, we would like to give a summary of the path the Trojan has taken since 2014 up to the present day.\r\nEvolution of Rotexy\r\n2014–2015\r\nSince the malicious program was detected in 2014, its main functions and propagation method have not changed:\r\nRotexy spreads via links sent in phishing SMSs that prompt the user to install an app. As it launches, it requests\r\ndevice administrator rights, and then starts communicating with its C\u0026C server.\r\nhttps://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/\r\nPage 1 of 26\n\nA typical class list in the Trojan’s DEX file\r\nUntil mid-2015, Rotexy used a plain-text JSON format to communicate with its C\u0026C. The C\u0026C address was\r\nspecified in the code and was also unencrypted:\r\nIn some versions, a dynamically generated low-level domain was used as an address:\r\nIn its first communication, the Trojan sent the infected device’s IMEI to the C\u0026C, and in return it received a set of\r\nrules for processing incoming SMSs (phone numbers, keywords and regular expressions) – these applied mainly\r\nto messages from banks, payment systems and mobile network operators. For instance, the Trojan could\r\nautomatically reply to an SMS and immediately delete it.\r\nMessage to C\u0026C requesting an SMS processing template, and the server’s reply\r\nRotexy then sent information about the smartphone to the C\u0026C, including the phone model, number, name of the\r\nmobile network operator, versions of the operating system and IMEI.\r\nWith each subsequent request, a new subdomain was generated. 
The algorithm for generating the lowest-level\r\ndomain name was hardwired in the Trojan’s code.\r\nThe Trojan also registered in Google Cloud Messaging (GCM), meaning it could then receive commands via that\r\nservice. The Trojan’s list of possible commands has remained practically unchanged throughout its life, and will\r\nbe described below in detail.\r\nThe Trojan’s assets folder contained the file data.db with a list of possible values for the User-Agent field for the\r\nPAGE command (which downloads the specified webpage). If the value of this field failed to arrive from the\r\nC\u0026C, it was selected from the file data.db using a pseudo-random algorithm.\r\nContents of data.db\r\n2015–2016\r\nStarting from mid-2015, the Trojan began using the AES algorithm to encrypt data communicated between the\r\ninfected device and the C\u0026C:\r\nAlso starting with the same version, data is sent in a POST request to the relative address with the format\r\n“/[number]” (a pseudo-randomly generated number in the range 0–9999).\r\nIn some samples, starting from January 2016, an algorithm has been implemented for unpacking the encrypted\r\nexecutable DEX file from the assets folder. In this version of Rotexy, dynamic generation of lowest-level domains\r\nwas not used.\r\n2016\r\nFrom mid-2016 on, the cybercriminals returned to dynamic generation of lowest-level domains. 
No other\r\nsignificant changes were observed in the Trojan’s network behavior.\r\nQuery from the Trojan to the C\u0026C\r\nIn late 2016, versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder.\r\nThe page was designed to steal users’ bank card details:\r\n2017–2018\r\nFrom early 2017, the HTML phishing pages bank.html, update.html and extortionist.html started appearing in the\r\nassets folder. Also, in some versions of the Trojan the file names were random strings of characters.\r\nIn 2018, versions of Rotexy emerged that contacted the C\u0026C using its IP address. ‘One-time’ domains also\r\nappeared with names made up of random strings of characters and numbers, combined with the top-level domains\r\n.cf, .ga, .gq, .ml, or .tk.\r\nAt this time, the Trojan also began actively using different methods of obfuscation. For example, the DEX file is\r\npacked with garbage strings and/or operations, and contains a key to decipher the main executable file from the\r\nAPK.\r\nLatest version (2018)\r\nLet’s now return to the present day and a detailed description of the functionality of a current representative of the\r\nRotexy family (SHA256: ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84).\r\nApplication launch\r\nWhen launching for the first time, the Trojan checks if it is being launched in an emulation environment, and in\r\nwhich country it is being launched. 
If the device is located outside Russia or is an emulator, the application\r\ndisplays a stub page:\r\nIn this case, the Trojan’s logs contain records in Russian with grammatical errors and spelling mistakes:\r\nIf the check is successful, Rotexy registers with GCM and launches SuperService which tracks if the Trojan has\r\ndevice administrator privileges. SuperService also tracks its own status and relaunches if stopped. It performs a\r\nprivilege check once every second; if unavailable, the Trojan starts requesting them from the user in an infinite\r\nloop:\r\nIf the user agrees and gives the application the requested privileges, another stub page is displayed, and the app\r\nhides its icon:\r\nIf the Trojan detects an attempt to revoke its administrator privileges, it starts periodically switching off the phone\r\nscreen, trying to stop the user actions. 
If the privileges are revoked successfully, the Trojan relaunches the cycle of\r\nrequesting administrator privileges.\r\nIf, for some reason, SuperService does not switch off the screen when there is an attempt to revoke the device\r\nadministrator privileges, the Trojan tries to intimidate the user:\r\nWhile running, Rotexy tracks the following:\r\nswitching on and rebooting of the phone;\r\ntermination of its operation – in this case, it relaunches;\r\nsending of an SMS by the app – in this case, the phone is switched to silent mode.\r\nC\u0026C communications\r\nThe default C\u0026C address is hardwired in the Rotexy code:\r\nThe relative address to which the Trojan will send information from the device is generated in a pseudo-random\r\nmanner. Depending on the Trojan version, dynamically generated subdomains can also be used.\r\nIn this sample of the Trojan, the Plugs.DynamicSubDomain value is false, so subdomains are not generated.\r\nThe Trojan stores information about C\u0026C servers and the data harvested from the infected device in a local\r\nSQLite database.\r\nFirst off, the Trojan registers in the administration panel and receives the information it needs to operate from the\r\nC\u0026C (the SMS interception templates and the text that will be displayed on HTML pages):\r\nRotexy intercepts all incoming SMSs and processes them according to the templates it received from the C\u0026C.\r\nAlso, when an SMS arrives, the Trojan puts the phone into silent mode and switches off the screen so the user\r\ndoesn’t notice that a new SMS has arrived. When required, the Trojan sends an SMS to the specified phone\r\nnumber with the information it has received from the intercepted message. 
(It is specified in the interception\r\ntemplate whether a reply must be sent, and which text should be sent to which address.) If the application hasn’t\r\nreceived instructions about the rules for processing incoming SMSs, it simply saves all SMSs to a local database\r\nand uploads them to the C\u0026C.\r\nApart from general information about the device, the Trojan sends a list of all the running processes and installed\r\napplications to the C\u0026C. It’s possible the threat actors use this list to find running antivirus or banking\r\napplications.\r\nRotexy will perform further actions after it receives the corresponding commands:\r\nSTART, STOP, RESTART — start, stop, restart SuperService.\r\nURL — update C\u0026C address.\r\nMESSAGE – send SMS containing specified text to a specified number.\r\nUPDATE_PATTERNS – reregister in the administration panel.\r\nUNBLOCK – unblock the telephone (revoke device administrator privileges from the app).\r\nUPDATE – download APK file from C\u0026C and install it. This command can be used not just to update the\r\napp but to install any other software on the infected device.\r\nCONTACTS – send text received from C\u0026C to all user contacts. 
This is most probably how the application\r\nspreads.\r\nCONTACTS_PRO – request unique message text for contacts from the address book.\r\nPAGE – contact URL received from C\u0026C using User-Agent value that was also received from C\u0026C or\r\nlocal database.\r\nALLMSG – send C\u0026C all SMSs received and sent by user, as stored in phone memory.\r\nALLCONTACTS – send all contacts from phone memory to C\u0026C.\r\nONLINE – send information about Trojan’s current status to C\u0026C: whether it has device administrator\r\nprivileges, which HTML page is currently displayed, whether screen is on or off, etc.\r\nNEWMSG – write an SMS to the device memory containing the text and sender number sent from C\u0026C.\r\nCHANGE_GCM_ID – change GCM ID.\r\nBLOCKER_BANKING_START – display phishing HTML page for entry of bank card details.\r\nBLOCKER_EXTORTIONIST_START – display HTML page of the ransomware.\r\nBLOCKER_UPDATE_START – display fake HTML page for update.\r\nBLOCKER_STOP – block display of all HTML pages.\r\nThe C\u0026C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs. The\r\nTrojan intercepts incoming SMSs and can receive the following commands from them:\r\n“3458” — revoke device administrator privileges from the app;\r\n“hi”, “ask” — enable and disable mobile internet;\r\n“privet”, “ru” — enable and disable Wi-Fi;\r\n“check” — send text “install: [device IMEI]” to phone number from which SMS was sent;\r\n“stop_blocker” — stop displaying all blocking HTML pages;\r\n“393838” — change C\u0026C address to that specified in the SMS.\r\nInformation about all actions performed by Rotexy is logged in the local database and sent to the C\u0026C. 
The server\r\nthen sends a reply that contains instructions on further actions to be taken.\r\nDisplaying HTML pages\r\nWe’ll now look at the HTML pages that Rotexy displays and the actions performed with them.\r\nThe Trojan displays a fake HTML update page (update.html) that blocks the device’s screen for a long\r\nperiod of time.\r\nThe Trojan displays the extortion page (extortionist.html) that blocks the device and demands a ransom for\r\nunblocking it. The sexually explicit images in this screenshot have been covered with a black box.\r\nThe Trojan displays a phishing page (bank.html) prompting the user to enter their bank card details. This\r\npage mimics a legitimate bank form and blocks the device screen until the user enters all the information. It\r\neven has its own virtual keyboard that supposedly protects the victim from keyloggers.\r\nIn the areas marked ‘{text}’ Rotexy displays the text it receives from the C\u0026C. Typically, it is a message saying\r\nthat the user has received a money transfer, and that they must enter their bank card details so the money can be\r\ntransferred to their account.\r\nThe entered data is then checked and the last four digits of the bank card number are also checked against the data\r\nsent in the C\u0026C command. The following scenario may play out: according to the templates for processing\r\nincoming SMSs, Rotexy intercepts a message from the bank that contains the last four digits of the bank card\r\nconnected to the phone number. 
The Trojan sends these digits to the C\u0026C, which in turn sends a command to\r\ndisplay a fake data entry window to check the four digits. If the user has provided the details of another card, then\r\nthe following window is displayed:\r\nScreenshot displaying the message: “You have entered an incorrect card. Enter the card ending in the digits:\r\n1234”\r\nThe application leaves the user with almost no option but to enter the correct card number, as it checks the entered\r\nnumber against the bank card details the cybercriminals received earlier.\r\nWhen all the necessary card details are entered and have been checked, all the information is uploaded to the\r\nC\u0026C.\r\nHow to unblock the phone\r\nNow for some good news: Rotexy doesn’t have a very well-designed module for processing commands that arrive\r\nin SMSs. It means the phone can be unblocked in some cases when it has been blocked by one of the above\r\nHTML pages. This is done by sending “3458” in an SMS to the blocked device – this will revoke the\r\nadministrator privileges from the Trojan. After that it’s necessary to send “stop_blocker” to the same number –\r\nthis will disable the display of HTML pages that extort money and block the screen. Rotexy may start requesting\r\ndevice administrator privileges again in an infinite loop; in that case, restart the device in safe mode and remove\r\nthe malicious program.\r\nHowever, this method may not work if the threat actors react quickly to an attempt to remove the Trojan. 
In that\r\ncase, you first need to send the text “393838” in an SMS to the infected device and then repeat all the actions\r\ndescribed above; that text message will change the C\u0026C address to “://”, so the phone will no longer receive\r\ncommands from the real C\u0026C.\r\nPlease note that these unblocking instructions are based on an analysis of the current version of Rotexy and have\r\nbeen tested on it. However, it’s possible the set of commands may change in future versions of the Trojan.\r\nGeography of Rotexy attacks\r\nAccording to our data, 98% of all Rotexy attacks target users in Russia. Indeed, the Trojan explicitly targets\r\nRussian-speaking users. There have also been cases of users in Ukraine, Germany, Turkey and several other\r\ncountries being affected.\r\nKaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by\r\nthis Trojan.\r\nIOCs\r\nC\u0026C\r\n2014–2015:\r\nsecondby.ru\r\ndarkclub.net\r\nholerole.org\r\ngoogleapis.link\r\n2015–2016:\r\ntest2016.ru\r\nblackstar.pro\r\nsynchronize.pw\r\nlineout.pw\r\nsync-weather.pw\r\n2016:\r\nfreedns.website\r\nstreamout.space\r\n2017–2018:\r\nstreamout.space\r\nsky-sync.pw\r\ngms-service.info\r\nSource: https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"
	],
	"report_names": [
		"88893"
	],
	"threat_actors": [],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c03f8e84e592f664e64583540f2468e4a754fb4f.pdf",
		"text": "https://archive.orkl.eu/c03f8e84e592f664e64583540f2468e4a754fb4f.txt",
		"img": "https://archive.orkl.eu/c03f8e84e592f664e64583540f2468e4a754fb4f.jpg"
	}
}