Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

1 year ago AndyC

Mar
23,
2023Ravie
LakshmananMobile
Security
/
Banking

An
emerging
Android
banking
trojan
dubbed

Nexus
has
already
been
adopted
by
several
threat
actors
to
target
450
financial
applications
and
conduct
fraud.

Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps



Mar
23,
2023Ravie
LakshmananMobile
Security
/
Banking


Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

An
emerging
Android
banking
trojan
dubbed

Nexus
has
already
been
adopted
by
several
threat
actors
to
target
450
financial
applications
and
conduct
fraud.

“Nexus
appears
to
be
in
its
early
stages
of
development,”
Italian
cybersecurity
firm
Cleafy

said
in
a
report
published
this
week.

“Nexus
provides
all
the
main
features
to
perform
ATO
attacks
(Account
Takeover)
against
banking
portals
and
cryptocurrency
services,
such
as
credentials
stealing
and
SMS
interception.”

The
trojan,
which
appeared
in
various
hacking
forums
at
the
start
of
the
year,
is
advertised
as
a
subscription
service
to
its
clientele
for
a
monthly
fee
of
$3,000.
Details
of
the
malware
were

first
documented
by
Cyble
earlier
this
month.

However,
there
are
indications
that
the
malware
may
have
been
used
in
real-world
attacks
as
early
as
June
2022,
at
least
six
months
before
its
official
announcement
on
darknet
portals.

It’s
also
said
to
overlap
with
another
banking
trojan
dubbed

SOVA,
reusing
parts
of
its
source
code
and
incorporating
a
ransomware
module
that
appears
to
be
under
active
development.

A
point
worth
mentioning
here
is
that
Nexus
is
the
same
malware
that
Cleafy
initially
classified
as
a

new
variant
of
SOVA
(dubbed
v5)
in
August
2022.


Android Banking Trojan

Interestingly,
the
Nexus
authors
have
laid
out
explicit
rules
that
prohibit
the
use
of
its
malware
in
Azerbaijan,
Armenia,
Belarus,
Kazakhstan,
Kyrgyzstan,
Moldova,
Russia,
Tajikistan,
Uzbekistan,
Ukraine,
and
Indonesia.

The
malware,
like
other
banking
trojans,
contains
features
to
take
over
accounts
related
to
banking
and
cryptocurrency
services
by
performing
overlay
attacks
and
keylogging
to
steal
users’
credentials.


WEBINAR

Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps

Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.

RESERVE
YOUR
SEAT

Furthermore,
it’s
capable
of
reading
two-factor
authentication
(2FA)
codes
from
SMS
messages
and
the
Google
Authenticator
app
through
the
abuse
of
Android’s
accessibility
services.

Some
new
additions
to
the
list
of
functionalities
is
its
ability
to
remove
received
SMS
messages,
activate
or
stop
the
2FA
stealer
module,
and
update
itself
by
periodically
pinging
a
command-and-control
(C2)
server.

“The
[Malware-as-a-Service]
model
allows
criminals
to
monetize
their
malware
more
efficiently
by
providing
a
ready-made
infrastructure
to
their
customers,
who
can
then
use
the
malware
to
attack
their
targets,”
the
researchers
said.

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Latrodectus Malware Loader Emerges as IcedID’s Successor in Phishing Campaigns

3 hours ago AndyC
Chinese Nationals Arrested for Laundering Million in Pig Butchering Crypto Scam

Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

21 hours ago AndyC
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

21 hours ago AndyC
Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

3 days ago AndyC
New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

3 days ago AndyC
China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

3 days ago AndyC

You may have missed

La UE avanza hacia la regulación del consumo de energía y agua en los centros de datos

La UE avanza hacia la regulación del consumo de energía y agua en los centros de datos

11 mins ago AndyC
10 projects top of mind for IT leaders today

10 projects top of mind for IT leaders today

11 mins ago AndyC
Assembly required: 8 myths about knowledge management debunked

Assembly required: 8 myths about knowledge management debunked

11 mins ago AndyC
SAP customers see S/4HANA and AI as top digital transformation drivers

SAP customers see S/4HANA and AI as top digital transformation drivers

12 mins ago AndyC
Chrome vs. Edge: Which browser is better for business?

Chrome vs. Edge: Which browser is better for business?

12 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.