Rotexy Android Trojan

First observed in 2014, Rotexy is a modular, Android-based trojan. Originally functioning as a simple information stealer, it has undergone significant improvements over time to add new capabilities.

Threat ID:: CC-2811
Category:: Trojan, Spyware
Threat Severity:: Low
Threat Vector:: Download
Published:: 28 November 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

First observed in 2014, Rotexy is a modular, Android-based trojan. Originally functioning as a simple information stealer, it has undergone significant improvements over time to add new capabilities.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Google Android - All versions

Threat details

Rotexy is distributed via phishing SMS messages that prompt the user to install an application. When clicked, these links download and install a copy of Rotexy disguised as a seemingly legitimate application.

Once installed, Rotexy will ask for full administrative permissions before hiding itself on the device. It will then connect to a command and control server via the Google Cloud Messaging service before awaiting further commands. By default, Rotexy can collect system and user information, send and receive hidden SMS messages or re-boot the device. Additional modules can also be sent from the C2 server for credential theft, ransom attacks or browser injection.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 17 February 2020 1:01 pm