A recent security notice describes a dangerous malware family that targets mobile devices: the Rotexy Android Trojan. It is deemed a critical threat because a single infection leads to several different types of abuse (spying, payment-card theft and device locking), which is why it is classified as a hybrid threat.
Rotexy Android Trojan Classified as a Hybrid and Very Dangerous Mobile Malware
The Rotexy Android Trojan has been found to spread mainly through an organized smishing campaign built around fake landing pages. This is a popular criminal tactic that relies on impersonating well-known companies or services and sending fake notifications via SMS. The targets are coerced into opening links or downloading applications from an attacker-controlled repository, using typical pretexts such as software update notifications or new features for the device.
Once the Trojan code is deployed, it starts an infection engine that runs two processes:
- Security bypass: it checks for anti-virus software and for signs that it is running inside a virtual machine or emulator, and attempts to disable real-time protection. This is done to avoid detection and analysis.
- Persistent installation: the Trojan installs itself in a way that makes manual removal very difficult, by modifying system components, configuration files and boot options, and by relying on the device administrator privileges it obtains (the removal steps below revoke these).
Following successful initialization it connects to an attacker-controlled server, which lets the criminal operators spy on the users in real time. The analysis shows that all SMS correspondence and the phone contacts are forwarded to the attackers as they appear on the device.
The Rotexy Android Trojan exhibits an interesting scam tactic: it entices victims into thinking they have received a money transfer. They are asked to “validate” their credit card details by entering them into a form. To make it look like a legitimate payment service, the form includes a card-number validation check that rejects mistyped numbers. As soon as a number passes the check, the details are sent to the criminal operators.
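The page does not name the algorithm behind the overlay's "validation check"; the standard checksum a card-entry form runs before submitting a number is Luhn, and that is the assumption in the added example below. The code is not from the Rotexy sample or from the cited analysis. It shows the check a phishing form can copy from a legitimate one, and also how the check digit is derived, which is the practitioner's caveat: a number that passes Luhn is merely well-formed, so the check proves nothing about whether the card is real. The card numbers used are the widely published processor test numbers, not real cards.

```python
"""Luhn checksum as used by card-entry forms (legitimate or phishing).

Added example; Luhn as the overlay's validation algorithm is an assumption,
not something the page or the analysis states. The sample numbers are the
public Visa test numbers 4111 1111 1111 1111 and 4242 4242 4242 4242.
"""
from typing import List, Optional


def _luhn_sum(digits: List[int]) -> int:
    """Luhn weighted sum: walking right to left, double every second digit
    and fold two-digit results back into one digit (subtract 9)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize(number: str) -> Optional[str]:
    """Strip the spaces and dashes a user types; reject anything that is not
    12 to 19 digits (the range of real PAN lengths)."""
    s = number.replace(" ", "").replace("-", "")
    if not s.isdigit() or not 12 <= len(s) <= 19:
        return None
    return s


def luhn_valid(number: str) -> bool:
    """True if the number passes the Luhn check, i.e. has no single-digit
    typo or adjacent transposition. This is all a client-side form can tell."""
    s = normalize(number)
    if s is None:
        return False
    return _luhn_sum([int(c) for c in s]) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes `partial` + digit pass Luhn.

    The appended digit sits at position 0 (undoubled) and shifts every digit
    of `partial` one place left, so summing `partial + [0]` gives the weighted
    sum of everything except the check digit itself."""
    digits = [int(c) for c in partial]
    total = _luhn_sum(digits + [0])
    return (10 - total % 10) % 10


def mint_passing_number(prefix: str, length: int = 16) -> str:
    """Build a number of the given length that passes Luhn from a prefix,
    padding with zeros. Demonstrates why passing the check is not proof of a
    real card: anyone can generate such numbers."""
    body = (prefix + "0" * length)[: length - 1]
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    for n in ("4111 1111 1111 1111", "4242424242424242", "4111111111111112", "12ab"):
        print(f"{n!r:>22} -> {'accepted' if luhn_valid(n) else 'rejected'}")
    print("minted:", mint_passing_number("4"))
```

A phishing overlay runs exactly this kind of check so that the stolen data is clean; it is a usability feature copied from real payment forms, not evidence that the form talks to any card network.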
Some configurations and samples of the Trojan have also been found to install a lockscreen that displays a phishing page and extorts the victims into paying a “fine for viewing prohibited videos”. This is a typical scareware tactic that is often used by ransomware infections.
How To Remove Rotexy Android Infections
The security reports indicate that active infections by the current configuration of the Rotexy Android Trojan can be removed. This also means that updates or future releases will probably use a different mechanism and require specialist help. Because the infected devices are controlled via SMS messages, the analysts found that the same channel can be used to disarm an active infection.
Follow these instructions to attempt removal:
- Send an SMS to the phone number of the infected device with the following contents: “393838”. This changes the command and control server address to an empty one and thus severs the connection used by the attackers.
- Next, send “3458”. This removes the device administrator privileges the Trojan has obtained on the target device.
- To stop the lockscreen, send an SMS containing the string “stop_blocker”.
- To remove the now dormant Trojan, restart the device in safe mode, open the Applications menu and uninstall it from there.
For more information, read the full analysis.
Since manually removing malicious content can erase your data, back up the device before attempting the steps above. An up-to-date mobile security application can also remove the infection automatically and help protect the device against future intrusions.