Nexus An Emerging Android Banking Trojan with Over 450 Financial Applications in Its Crosshairs

Cybersecurity researchers have discovered an emerging Android banking Trojan called Nexus that is capable of targeting over 450 financial applications and conducting account takeover (ATO) attacks against banking portals and cryptocurrency services. According to Italian cybersecurity firm Cleafy, Nexus appears to be in the early stages of development, yet it provides all the main features for stealing user credentials and intercepting SMS messages to perform ATO attacks.

Nexus is advertised as a subscription service to its clientele for a monthly fee of $3,000 and has been documented on various hacking forums since the beginning of the year. However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals.

[Figure: TA's advertisement on the cybercrime forum]

Nexus overlaps with another banking Trojan called SOVA, reusing parts of its source code and incorporating a ransomware module that appears to be under active development. Cleafy initially classified Nexus as a new variant of SOVA (dubbed v5) in August 2022.

It's worth noting that the Nexus authors have explicitly prohibited the use of their malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

Like other banking Trojans, Nexus is designed to perform overlay attacks and keylogging to steal users' credentials. It also contains features to take over accounts related to banking and cryptocurrency services. It can read two-factor authentication (2FA) codes from SMS messages and the Google Authenticator app through the abuse of Android's accessibility services. Furthermore, Nexus has the ability to remove received SMS messages, activate or stop the 2FA stealer module, and update itself by periodically pinging a command-and-control (C2) server.
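The capabilities listed above (overlays, SMS interception, accessibility-service abuse) each leave a footprint in an app's manifest. The following triage script is an added example, not code from the article or from Cleafy: it parses a constructed AndroidManifest.xml and flags the combination of permissions a banker of this kind would need. Package names and manifests are constructed; the permission strings are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard permissions behind the behaviours the article attributes to Nexus.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a banker: overlay + SMS + accessibility service.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary networked app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def manifest_capabilities(manifest_xml: str) -> set:
    """Return the capability buckets a manifest declares permissions for."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    # The accessibility service is declared on a <service>, not via <uses-permission>.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION for s in root.iter("service")):
        found.add("accessibility_service")
    return found


def triage(manifest_xml: str) -> dict:
    """Flag the overlay + accessibility + SMS triad described for Nexus-style bankers."""
    caps = manifest_capabilities(manifest_xml)
    banker_like = {"overlay", "accessibility_service", "sms_interception"} <= caps
    return {"capabilities": sorted(caps), "banker_like": banker_like}
```

The triad is a triage signal, not proof: legitimate apps occasionally declare one or two of these, so a hit should route an APK to deeper review rather than a verdict.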

Cybersecurity researchers have warned that the malware-as-a-service model used by Nexus allows criminals to monetize their malware more efficiently by providing a ready-made infrastructure to their customers, who can then use the malware to attack their targets.

In conclusion, it's essential to be aware of emerging Android banking Trojans like Nexus and take appropriate measures to protect your banking and cryptocurrency accounts. Always keep your mobile device and applications updated with the latest security patches, avoid downloading apps from untrusted sources, and be cautious when entering sensitive information.