Nexus Android malware targets 450 financial applications

Learn how to protect your organization and users from this Android banking trojan.

Nexus malware is an Android banking trojan promoted via a malware-as-a-service model. Image: Adobe Stock


Nexus malware is an Android banking trojan promoted via a malware-as-a-service model. The malware has been advertised on several underground cybercrime forums since January 2023, as reported in new research from Cleafy, an Italy-based cybersecurity solutions provider.

In an underground cybercrime forum ad, the malware project is described as “very new” and “under continuous development.” More messages from the Nexus author in one forum thread indicate the malware code has been created from scratch. An interesting note: the authors forbid the use of the malware in Russia and in the Commonwealth of Independent States countries.


Potential impact of Nexus Android malware

The number of Nexus control servers is growing and the threat is increasing. According to Cleafy Labs, more than 16 servers controlling Nexus were found in 2023, probably used by several affiliates of the MaaS program.

As stated by Cleafy researchers, “the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.”

Nexus is sold for $3,000 USD per month through a MaaS subscription, which makes it an interesting opportunity for cybercriminals who do not have the expertise to develop malware or to crypt (pack) it so that it bypasses antivirus solutions.

Nexus Android malware technical analysis

Nexus malware runs on Android operating systems and has several functionalities of interest to cybercriminals.


Account takeover attacks can be accomplished using Nexus malware. Nexus has a comprehensive list of 450 financial application login pages for grabbing users’ credentials. It is also able to perform overlay attacks and keylog users’ activities.

Overlay attacks are very popular among mobile banking trojans. They involve placing a window on top of a legitimate application to ask the user for credentials so they can be stolen. Overlay attacks can also steal cookies from specific sites, typically for session cookie abuse. In addition, Nexus Android malware can steal information from crypto wallets.



The malware has SMS interception capabilities, which can be used to bypass two-factor authentication by grabbing security codes that are sent to the victim’s mobile phone. Nexus can also grab 2FA codes for the Google Authenticator application.

By comparing the code of two different Nexus binaries from September 2022 and March 2023, Cleafy researchers found that the malware’s developer is still actively working on it. New features have appeared, such as the ability to remove a received SMS on the victim’s mobile phone or activate/deactivate 2FA-stealing capabilities from the malware.

Nexus malware regularly updates itself by checking a C2 server for the latest version number. If the received value does not match the current one, the malware automatically launches its update.

Cleafy Labs indicated that encryption capabilities were found in various Nexus samples, yet it seems those capabilities are still under development and not yet used. While this code might be part of an effort to produce ransomware code, researchers estimated that it may instead result from careless cut-and-paste, which is evident in many parts of the code. It might also be in ongoing development for a destructive capability to render the OS useless after it’s used for criminal activities.

As stated by Cleafy Labs, it is “hard to think about a ransomware modus operandi on mobile devices since most information stored is synced with cloud services and easily recoverable.”

Nexus Android web panel

Attackers control all the malware installed on victims’ mobile phones using a web control panel. The panel reveals 450 financial targets and offers the possibility for skilled attackers to create more custom injection code to target additional applications.

That panel enables attackers to see the status of all infected devices and get statistics about the number of infected devices. They can also collect data stolen from the devices, such as login credentials, cookies, credit card information and other sensitive data. All of that information can be obtained from the interface and saved for fraudulent usage.

In addition, the web panel contains a builder that can be used to create custom configurations for Nexus malware.

Similarities to SOVA Android banking malware

Careful malware analysis done by Cleafy Labs has revealed code similarities between Nexus samples and SOVA, another Android banking trojan that emerged in mid-2021. Although the author of Nexus claims it was developed from scratch, it is possible that code from SOVA has been reused.

SOVA’s developer, nicknamed “sovenok,” recently claimed an affiliate that was previously renting SOVA had stolen the whole source code of the project. They brought attention to another nickname, “Poison,” which seems to have ties with the Nexus malware project.

Most of the SOVA commands were reused in Nexus, and some functions were developed exactly the same way.

How to protect against this Nexus Android malware threat

As the initial vector of infection is unknown, it is important to protect against malware infection at every level on Android smartphones:


  • Deploy a mobile device management solution: This allows you to remotely manage and control corporate devices, including installing security updates and enforcing security policies.

  • Use reputable antivirus software: Also keep the OS and all software fully up to date and patched to avoid compromises by common vulnerabilities.

  • Avoid unknown stores: Unknown stores typically have no malware detection processes, unlike official mobile software stores. Remind all users not to install software that comes from untrusted sources.

  • Carefully check requested permissions when installing an app: Applications should only request permissions for necessary APIs; for example, a QR code scanner should not ask for permission to send SMS. Before installing an application, check what privileges it requires.

  • Educate employees about safe mobile device usage: Provide training to employees on how to recognize and avoid malicious apps, links and attachments, and encourage them to report any suspicious activity.
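To make the permission check in the last item concrete, here is an added example (not code from the article, Cleafy or any Nexus sample): a small Python audit that flags manifest permissions matching the capabilities described above (SMS interception, overlay windows, accessibility-based keylogging) when they fall outside what an app's stated purpose should need. It assumes the AndroidManifest.xml has already been decoded to plain XML (for example with apktool); the sample manifest, the expected-permission set and the capability descriptions are constructed for illustration.

```python
"""Flag manifest permissions matching the Nexus capabilities described in the article
(SMS interception, overlays, keylogging). Added example; needs a manifest decoded to XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the trojan capability they enable (our shorthand).
RISKY = {
    "android.permission.RECEIVE_SMS": "SMS interception (2FA code theft)",
    "android.permission.READ_SMS": "SMS interception (2FA code theft)",
    "android.permission.SEND_SMS": "outbound SMS abuse",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows on top of other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "keylogging / UI control via accessibility",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing additional packages (self-update)",
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the android:permission an accessibility
    service must declare on its <service> element (it is not a <uses-permission>)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {p for p in perms if p}

def audit(manifest_xml: str, expected: set) -> dict:
    """Return {permission: capability} for risky permissions the app's purpose
    does not justify; an empty dict means nothing suspicious was declared."""
    return {p: RISKY[p] for p in sorted(declared_permissions(manifest_xml))
            if p in RISKY and p not in expected}

# Constructed manifest for a supposed QR scanner that also asks for SMS, overlay
# and accessibility access: exactly the mismatch users are told to look for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

QR_SCANNER_EXPECTED = {"android.permission.CAMERA"}  # constructed allowlist for this app type

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST, QR_SCANNER_EXPECTED).items():
        print(f"UNEXPECTED {perm}: {why}")
```

The same audit can back an MDM allowlist policy: feed it each deployed app's decoded manifest and the permission set approved for that app's category, and alert on any non-empty result.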


Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
