Back in 2014, a piece of spyware called SMSThief surfaced on InfoSec researchers’ radars. Its attack method consisted of sending phishing SMS messages that attempted to social-engineer victims into downloading malicious applications. Over time SMSThief evolved into Rotexy, which has retained the SMS-based methodology of its SMSThief origins even though its function and targets have changed. As reported by Kaspersky Lab researchers Tatyana Shishkova and Lev Pikman in a SecureList post, Rotexy is now a banking Trojan that primarily targets Russian citizens.
The report notes that Rotexy has to date been seen in at least 70,000 attacks over a three-month period (August to October). Shishkova and Pikman describe Rotexy’s post-infection behaviour as follows:
Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C&C. Also, when an SMS arrives, the Trojan puts the phone into silent mode and switches off the screen so the user doesn’t notice that a new SMS has arrived. When required, the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message. (It is specified in the interception template whether a reply must be sent, and which text should be sent to which address.) If the application hasn’t received instructions about the rules for processing incoming SMSs, it simply saves all SMSs to a local database and uploads them to the C&C.
Apart from general information about the device, the Trojan sends a list of all the running processes and installed applications to the C&C. It’s possible the threat actors use this list to find running antivirus or banking applications.
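To make the template-driven interception logic quoted above concrete, here is a small Python model of it. This is an added example for the reader, not Kaspersky Lab's code and not code recovered from Rotexy: the template field names, the placeholder phone number and the sample messages are all assumptions constructed for the illustration. It covers the three behaviours the researchers describe (match an incoming SMS against C&C templates, forward captured data to the address the template names when a reply is required, and fall back to saving everything to a local database for upload when no rules have been received), which is useful when writing test cases for detecting this kind of SMS-relay behaviour.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class InterceptTemplate:
    """One interception rule as described in the report: a match condition plus an
    optional reply instruction. Field names are an assumption; the report only says a
    template states whether a reply must be sent, with which text, to which address."""
    sender_pattern: str                 # regex matched against the SMS sender
    body_pattern: str                   # regex; capture groups pull out the data to forward
    reply_required: bool
    reply_to: Optional[str] = None      # destination number for the forwarded data
    reply_text: Optional[str] = None    # str.format template, {0} = first capture group


@dataclass
class Sms:
    sender: str
    body: str


class SmsProcessor:
    def __init__(self, templates: List[InterceptTemplate]):
        self.templates = list(templates)
        # The "local database" from the report, modelled with an in-memory SQLite table.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sms (sender TEXT, body TEXT, uploaded INTEGER NOT NULL DEFAULT 0)")
        self.outbox: List[Tuple[str, str]] = []   # (destination, text) replies to send
        self.uploaded: List[dict] = []            # records that would reach the C&C

    def _store(self, sms: Sms) -> str:
        self.db.execute("INSERT INTO sms (sender, body) VALUES (?, ?)", (sms.sender, sms.body))
        self.db.commit()
        return "stored"

    def handle(self, sms: Sms) -> str:
        # Silencing the phone and switching off the screen are device-side actions
        # and are not modelled here; only the routing decision is.
        if not self.templates:
            # No rules received from the C&C yet: keep every message for later upload.
            return self._store(sms)
        for t in self.templates:
            if not re.search(t.sender_pattern, sms.sender):
                continue
            m = re.search(t.body_pattern, sms.body)
            if not m:
                continue
            if t.reply_required:
                # Forward the captured fragment(s) to the address named in the template.
                self.outbox.append((t.reply_to, t.reply_text.format(*m.groups())))
                return "forwarded"
            return "matched"
        # The report does not say what happens to messages that match no template;
        # storing them for upload is an assumption made for this model.
        return self._store(sms)

    def flush_to_c2(self) -> int:
        """Hand every not-yet-uploaded record to the (simulated) C&C; returns the count."""
        rows = self.db.execute(
            "SELECT rowid, sender, body FROM sms WHERE uploaded = 0").fetchall()
        for rowid, sender, body in rows:
            self.uploaded.append({"from": sender, "text": body})
            self.db.execute("UPDATE sms SET uploaded = 1 WHERE rowid = ?", (rowid,))
        self.db.commit()
        return len(rows)


# Constructed sample data: not a real C&C template and not real messages.
OTP_TEMPLATE = InterceptTemplate(
    sender_pattern=r"^BANK$",
    body_pattern=r"code[: ]+(\d{4,8})",
    reply_required=True,
    reply_to="+70000000000",          # placeholder destination, an assumption
    reply_text="otp {0}",
)

SAMPLE_SMS = [
    Sms("BANK", "Your confirmation code: 482913. Do not share it."),
    Sms("Anna", "Are we still on for dinner?"),
]

if __name__ == "__main__":
    proc = SmsProcessor([OTP_TEMPLATE])
    for s in SAMPLE_SMS:
        print(s.sender, "->", proc.handle(s))
    print("replies queued:", proc.outbox)
    print("records uploaded:", proc.flush_to_c2())
```

Run stand-alone, the model forwards the one-time code from the constructed bank message to the template's destination and stores the unrelated personal message for upload; a processor with no templates stores everything. The split between "forwarded", "matched" and "stored" is what a detection test would key on: a legitimate SMS application never turns a received one-time code into an outgoing SMS to a third number.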
In addition, Rotexy has some ransomware-like capabilities: it can lock the screen of an infected device. Rotexy also requests device administrator rights on the victim’s phone, but the researchers found that the current version still honours commands that undo its hold on the device. Because Rotexy takes commands over SMS, sending the text “3458” to the infected phone revokes the Trojan’s device administrator privileges, and sending the phrase “stop_blocker” cancels the screen lock.
These commands apply only to the version analysed at the time of writing, however, and are likely to change in later builds, so treat them with caution.
Featured image: Flickr / Nickolas Titkov