Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

Mar 23, 2023Ravie LakshmananMobile Security / Banking

An emerging Android banking trojan dubbed Nexus
has already been adopted by several threat actors to target 450
financial applications and conduct fraud.

“Nexus appears to be in its early stages of development,”
Italian cybersecurity firm Cleafy said ^[1]
in a report published this week.

“Nexus provides all the main features to perform ATO attacks
(Account Takeover) against banking portals and cryptocurrency
services, such as credentials stealing and SMS interception.”

The trojan, which appeared in various hacking forums at the
start of the year, is advertised as a subscription service to its
clientele for a monthly fee of $3,000. Details of the malware were
first documented ^[2]
by Cyble earlier this month.

However, there are indications that the malware may have been
used in real-world attacks as early as June 2022, at least six
months before its official announcement on darknet portals.

According to security researcher Rohit Bansal (@0xrb ^[3]) and confirmed by the
malware authors in their own Telegram channel, a majority of the
Nexus infections have been reported in Turkey.

It’s also said to overlap with another banking trojan dubbed
SOVA ^[4], reusing parts of its
source code and incorporating a ransomware module that appears to
be under active development.

A point worth mentioning here is that Nexus is the same malware
that Cleafy initially classified as a new variant of SOVA ^[5]
(dubbed v5) in August 2022.

Interestingly, the Nexus authors have laid out explicit rules
that prohibit the use of its malware in Azerbaijan, Armenia,
Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan,
Uzbekistan, Ukraine, and Indonesia.

The malware, like other banking trojans, contains features to
take over accounts related to banking and cryptocurrency services
by performing overlay attacks and keylogging to steal users’
credentials.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app
access to your company’s SaaS apps? Join our webinar to learn about
the types of permissions being granted and how to minimize
risk.

RESERVE YOUR
SEAT ^[6]

Furthermore, it’s capable of reading two-factor authentication
(2FA) codes from SMS messages and the Google Authenticator app
through the abuse of Android’s accessibility services.

Some new additions to the list of functionalities is its ability
to remove received SMS messages, activate or stop the 2FA stealer
module, and update itself by periodically pinging a
command-and-control (C2) server.

“The [Malware-as-a-Service] model allows criminals to monetize
their malware more efficiently by providing a ready-made
infrastructure to their customers, who can then use the malware to
attack their targets,” the researchers said.

Found this article interesting? Follow us on Twitter ^[7]
and LinkedIn ^[8]
to read more exclusive content we post.

References

^{^}
said
(www.cleafy.com)
^{^}
first
documented (thehackernews.com)
^{^}
@0xrb
(twitter.com)
^{^}
SOVA
(thehackernews.com)
^{^}
new
variant of SOVA (thehackernews.com)
^{^}
RESERVE YOUR SEAT
(thn.news)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)