New Android Banking Trojan ‘Nexus’ Discovered in Global Campaigns
A new Android banking Trojan has been making waves in the cybersecurity world, known as ‘Nexus’ and discovered by Cleafy security researchers. This malicious tool is part of a Malware-as-a-Service (MaaS) subscription, offering features that enable account takeover (ATO) attacks.
Origins and Development
The Nexus Trojan first emerged in January 2023, although Cleafy researchers had identified infections linked to Nexus as early as June 2022. Upon analyzing Nexus samples, similarities were found between this malware and SOVA, another Android banking Trojan uncovered in mid-2021. It was initially believed that Nexus was an updated version of SOVA, with authors possibly reusing some of SOVA’s internals while introducing new features.
Notably, the SOVA author, operating under the alias ‘sovenok,’ has shed light on Nexus and its ties to SOVA, accusing an affiliate who had previously rented SOVA of stealing the project’s entire source code.
Features and Capabilities
Nexus specializes in facilitating ATO operations, offering overlay attacks and keylogging functionalities to capture victims’ credentials. Additionally, it can pilfer SMS messages (for two-factor authentication codes) and data from cryptocurrency wallets. The malware is also equipped with autonomous updating capabilities, constantly checking for updates from its command-and-control (C2) server while running.
Moreover, Nexus includes an encryption module, hinting at possible ransomware functionality. The module still appears to be under development, judging from debugging strings and the absence of any code that references it, but its potential threat should not be underestimated.
Future Implications
While Nexus currently lacks a virtual network computing (VNC) module for remote access, which limits its reach and capabilities, Cleafy warns that the infection rate observed across multiple C2 panels indicates a significant global threat. With the potential to infect hundreds of devices worldwide, Nexus poses a looming danger that could escalate in the coming months.
Given the evolving nature of cyber threats, constant vigilance and robust security measures are essential to safeguard against banking Trojans like Nexus. Stay informed and proactive to defend against emerging cyber risks.