Security researchers at Cleafy have identified a new Android banking Trojan known as Nexus, which is being used in multiple malicious campaigns worldwide. The malware is being promoted as a Malware-as-a-Service (MaaS) subscription, offering features specifically designed for account takeover (ATO) attacks.
According to Cleafy, the Nexus Trojan first appeared in January 2023, although the team had already identified infections linked to Nexus as early as June 2022. When analyzing Nexus samples, researchers found code similarities between Nexus and SOVA, another Android banking Trojan that was identified in mid-2021. Because of these resemblances, Nexus was initially believed to be simply an updated version of SOVA.
It was later revealed that the SOVA author, operating under the alias ‘sovenok,’ had commented on Nexus, stating that an affiliate who had previously rented SOVA had stolen the project's entire source code. This explains the connection between the two malware families.
Nexus is equipped with features that enable ATO operations, including overlay attacks and keylogging functionalities aimed at stealing user credentials. Additionally, the malware can intercept SMS messages to obtain two-factor authentication codes and extract information from cryptocurrency wallets. Nexus also boasts an autonomous updating mechanism that regularly checks for updates from its Command and Control (C2) server while running on an infected device.
Furthermore, Nexus includes an encryption module, indicating potential ransomware capabilities. However, Cleafy noted that this module is still in development, as evidenced by the presence of debugging strings and the absence of any code that references it. Despite its current limitations, such as the lack of a virtual network computing (VNC) module for remote access, Nexus has shown a significant infection rate across multiple C2 panels, infecting hundreds of devices worldwide.
The security team at Cleafy emphasized the threat posed by Nexus, warning that it could escalate in the coming months. Vigilance and proactive security measures are therefore essential to mitigate the risks posed by this Android banking Trojan. Staying informed about emerging threats like Nexus helps protect digital assets and personal information from cybercriminal activity.