S0411: Rotexy

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.[1]

Domain: Mobile · ID: S0411 · Type: Malware · Object version: 1.1

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Rotexy matters because it represents mobile malware behavior that can affect both fraud risk and device availability on Android. The ATT&CK record describes it as Android banking malware that evolved from SMS spyware into a tool with additional features, including ransomware functionality. For leaders, the key issue is not only malware removal; it is whether the organization can see risky mobile permissions, suspicious SMS activity, credential/PII prompting, command-and-control over web or out-of-band channels, and device lockout events before they become an incident-response or business-continuity problem.

Executive priority

Prioritize Rotexy as a mobile security readiness and incident-response planning use case for Android environments. It connects to banking/credential theft risk, contact and SMS data exposure, hidden application behavior, encrypted or obfuscated communications, and device lockout. Executives should ask whether corporate or BYOD Android devices are governed by mobile device management, whether SMS and sensitive-permission abuse can be investigated, and whether mobile incidents are included in fraud, privacy, and ransomware response playbooks.

Technical view

ATT&CK lists Rotexy on Android and relates it to obfuscation, GUI input capture, software/process/system/network discovery, web-protocol communications, symmetric cryptography, SMS control, icon suppression, device lockout, system checks, contact and SMS collection, domain generation algorithms, and out-of-band data. SOC and IR teams should validate whether mobile telemetry can expose suspicious app permissions and behavior such as SEND_SMS/RECEIVE_SMS use, SMS content access, Contacts access, hidden launcher icons, device administrator abuse or lockout behavior, unusual HTTP/HTTPS destinations, generated-domain patterns, and evidence of encrypted C2 payloads. Because no official ATT&CK detection text is provided, detections should be built from the related techniques and local Android management/logging capabilities.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory for installed Android applications, permissions, device administrator status, and app visibility
  • Android application permission grants involving SMS, contacts, overlays or GUI prompts, and device administration where available
  • Mobile threat defense or endpoint telemetry for hidden apps, obfuscated packages, suspicious process/application discovery, and anti-analysis checks
  • SMS-related evidence such as unauthorized send/receive behavior, default SMS handler changes, or SMS content provider access where collection is lawful and available
  • Network telemetry for Android device HTTP/HTTPS traffic, unusual domains, repeated generated-looking domain lookups, and encrypted application-layer payload patterns

Detection direction

  • Map coverage to the ATT&CK relationships rather than to a single Rotexy signature, since the official object provides no detection guidance.
  • Tune for combinations of risky behaviors: SMS permissions plus contact/SMS collection, hidden launcher icon plus device admin privileges, or GUI input prompts plus banking-related app discovery.
  • Validate mobile network monitoring limitations, especially for HTTPS, symmetric encryption, cellular traffic, and out-of-band channels such as SMS that may bypass enterprise network sensors.
  • Review false positives from legitimate messaging, banking, device management, and security apps that may request powerful permissions or use web protocols.
  • Test whether sandboxing or analysis workflows account for system-check and obfuscation behavior that may reduce visibility in automated analysis environments.
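The combination tuning described in this section, as an added example that is not Glexia or MITRE code: it runs the behaviour-pair rules over a constructed, normalised Android app inventory and maps each hit to the technique IDs listed for Rotexy on this page. The record fields, sample package names and allowlist are assumptions; a real MDM/MTD export will need its own normalisation step.

```python
# Added example (not Glexia/MITRE code): combination triage of Android app
# inventory. Record fields are an assumed normalisation of an MDM/MTD export.
# Constructed sample rows (not real telemetry); permission names are Android
# manifest permission suffixes as an export might report them.
SAMPLE_INVENTORY = [
    {"package": "com.example.messenger", "source": "managed_store",
     "permissions": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
     "icon_hidden": False, "device_admin": False, "overlay": False},
    {"package": "com.lorem.update", "source": "sideloaded",
     "permissions": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
     "icon_hidden": True, "device_admin": True, "overlay": True},
    {"package": "com.lorem.tool", "source": "sideloaded",
     "permissions": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
     "icon_hidden": False, "device_admin": False, "overlay": False},
]

# Behaviour combinations from the detection direction above, mapped to the
# ATT&CK technique IDs this page lists for Rotexy.
RULES = [
    ("sms_plus_contact_collection",
     lambda r: {"RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"} <= r["permissions"],
     ("T1636.003", "T1636.004", "T1582")),
    ("hidden_icon_plus_device_admin",
     lambda r: r["icon_hidden"] and r["device_admin"],
     ("T1628.001", "T1629.002")),
    ("overlay_plus_sms_interception",
     lambda r: r["overlay"] and "RECEIVE_SMS" in r["permissions"],
     ("T1417.002", "T1636.004")),
]

# Approved store apps that legitimately need one such behaviour (assumed list).
ALLOWLIST = {"com.example.messenger"}


def triage(inventory, allowlist=ALLOWLIST):
    """Return findings for apps matching one or more combination rules."""
    findings = []
    for rec in inventory:
        hits = [(name, techs) for name, pred, techs in RULES if pred(rec)]
        if not hits:
            continue
        # One behaviour alone is common in legitimate apps: escalate when
        # behaviours stack or the app did not come from a managed source.
        severity = "high" if len(hits) >= 2 else ("medium" if rec["source"] != "managed_store" else "low")
        if severity == "low" and rec["package"] in allowlist:
            continue  # known-good app showing a single expected behaviour
        findings.append({"package": rec["package"], "severity": severity,
                         "rules": [n for n, _ in hits],
                         "techniques": sorted({t for _, ts in hits for t in ts})})
    return findings
```

Lowering the severity threshold or emptying the allowlist surfaces the single-behaviour managed-store apps as low-severity findings, which is the false-positive volume the review bullet above warns about.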

Mitigation priorities

  • Establish mobile application governance for Android, including approved app sources, application inventory, and review of high-risk permissions.
  • Use mobile device management controls where appropriate to restrict or alert on device administrator abuse, risky SMS permissions, and unmanaged applications on corporate devices.
  • Include mobile malware, device lockout, SMS abuse, and credential-prompt scenarios in incident response and fraud/privacy escalation playbooks.
  • Harden monitoring for mobile web traffic and DNS where enterprise architecture allows, while recognizing cellular and encrypted traffic blind spots.
  • Educate users to report unexpected mobile credential prompts, hidden or unremovable apps, SMS anomalies, and sudden device lockout, but do not rely on user reporting as the only control.

Analyst notes and limits

This take is based on the official ATT&CK Rotexy software object and its listed technique relationships. The strongest defensive value is using Rotexy as a behavioral coverage checklist for Android mobile malware that blends credential theft, discovery, SMS abuse, C2 resilience, concealment, and lockout behaviors.

MITRE provides no official detection text, no tactics in the supplied object, and no claim of current activity or targeting. Local conclusions require environment-specific evidence such as Android fleet ownership model, MDM/MTD deployment, logging permissions, privacy constraints, and network visibility across Wi-Fi and cellular paths.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (16 rows)

Mobile | T1636.003 | Contact List (sub-technique)
Rotexy can access and upload the contacts list to the command and control server. [1]

Mobile | T1644 | Out of Band Data
Rotexy can be controlled through SMS messages. [1]

Mobile | T1633.001 | System Checks (sub-technique)
Rotexy checks if it is running in an analysis environment. [1]

Mobile | T1637.001 | Domain Generation Algorithms (sub-technique)
Rotexy procedurally generates subdomains for command and control communication. [1]

Mobile | T1437.001 | Web Protocols (sub-technique)
Rotexy can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging. [1]

Mobile | T1418 | Software Discovery
Rotexy retrieves a list of installed applications and sends it to the command and control server. [1]

Mobile | T1628.001 | Suppress Application Icon (sub-technique)
Rotexy hides its icon after first launch. [1]

Mobile | T1424 | Process Discovery
Rotexy collects information about running processes. [1]

Mobile | T1417.002 | GUI Input Capture (sub-technique)
Rotexy can use phishing overlays to capture users' credit card information. [1]

Mobile | T1406 | Obfuscated Files or Information
Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations. [1]

Mobile | T1636.004 | SMS Messages (sub-technique)
Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can also send a list of all SMS messages on the device to the command and control server. [1]

Mobile | T1422 | System Network Configuration Discovery
Rotexy collects the device's IMEI and sends it to the command and control server. [1]

Mobile | T1582 | SMS Control
Rotexy can automatically reply to SMS messages, and optionally delete them. [1]

Mobile | T1629.002 | Device Lockout (sub-technique)
Rotexy can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal. [1]

Mobile | T1426 | System Information Discovery
Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country. [1]

Mobile | T1521.001 | Symmetric Cryptography (sub-technique)
Rotexy encrypts JSON HTTP payloads with AES. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: d1f8bf76b9c29731...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.1 | (empty) | Current bundle | d1f8bf76b9c2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] securelist rotexy 2018: T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
[2] mitre-attack S0411

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.