Beware of Nexus: A New Android Banking Trojan Targeting Financial Apps

Introduction to Nexus

A newly discovered Android banking trojan called Nexus is causing havoc in the financial industry. Cybersecurity analysts at Cleafy detected the malware in June 2022, and it has already penetrated 450 financial applications, including mobile banking and cryptocurrency services. Nexus is equipped with all the main features needed to conduct ATO (account takeover) attacks against banking portals and cryptocurrency service providers.

Capabilities and Features of Nexus

Cleafy initially took Nexus for a variant of the previously tracked trojan known as “Sova.” Further analysis, however, showed that Nexus has its own traits and capabilities, although it reuses large portions of Sova’s code. It can target over 200 mobile banking, cryptocurrency, and other financial apps, and it also incorporates a ransomware module.


Nexus as a Subscription Service

Cybersecurity firm Cyble recently reported that Nexus was advertised on several hacking forums as a subscription service with a monthly fee of $3,000. This MaaS (Malware-as-a-Service) model lets threat actors profit from the malware with less effort by offering their clients a pre-built infrastructure.

Real-World Attacks by Nexus

Nexus was used in real-world attacks as early as June 2022, at least six months before the malware was publicly advertised. Most Nexus infections are occurring in Turkey. Because it currently lacks a VNC (Virtual Network Computing) module, Nexus’s range of action and capabilities are limited for now.

Exclusion of Certain Countries by Nexus Authors

The Nexus authors have explicitly specified that their malware will not be used in certain countries, including:

  • Azerbaijan,
  • Armenia,
  • Belarus,
  • Kazakhstan,
  • Kyrgyzstan,
  • Moldova,
  • Russia,
  • Tajikistan,
  • Uzbekistan,
  • Ukraine,
  • Indonesia

New Functionalities Added to Nexus

Nexus can abuse Android’s accessibility service to read 2FA (Two-Factor Authentication) codes from SMS messages and the Google Authenticator app. It can also delete SMS messages, enable or disable the 2FA stealer module, and periodically contact its C2 (Command and Control) server to check for updates.
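The capability pairing described above, an accessibility service combined with SMS permissions, is something a defender can look for when triaging sideloaded apps. The script below is an added example written for this article, not code from Cleafy, Cyble, or the Nexus authors: it parses an AndroidManifest.xml and flags apps that declare an accessibility service while also requesting READ_SMS or RECEIVE_SMS. Both manifests in the block are constructed for illustration and do not come from a real sample; the package names and service names are invented.

```python
"""Manifest triage heuristic: flag Android apps that bind an accessibility
service AND request SMS-reading permissions, the combination that lets a
banking trojan read one-time codes out of SMS messages.

Added example, not code from the article or from the vendors it cites.
The two manifests below are constructed samples, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that, together with an accessibility service, indicate an app
# able to read incoming messages and therefore SMS-delivered 2FA codes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

# Constructed sample (not a real app): a "flashlight" utility that declares
# an accessibility service and asks for SMS access.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign sample for comparison: SMS permission but no
# accessibility service, as an ordinary messaging client would look.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messaging">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def requested_permissions(root):
    """Return the set of <uses-permission> names declared in the manifest."""
    return {_attr(el, "name") for el in root.iter("uses-permission")}


def accessibility_services(root):
    """Return names of services bound as accessibility services.

    A service counts if it is guarded by BIND_ACCESSIBILITY_SERVICE or
    registers the AccessibilityService intent action.
    """
    found = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if _attr(svc, "permission") == ACCESSIBILITY_PERM or ACCESSIBILITY_ACTION in actions:
            found.append(_attr(svc, "name"))
    return found


def triage_manifest(xml_text):
    """Return findings and a verdict for one manifest.

    Verdict "review" means the app pairs an accessibility service with SMS
    permissions and deserves a closer look; "ok" means the pairing is absent.
    """
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    services = accessibility_services(root)
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    verdict = "review" if services and sms_perms else "ok"
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "sms_permissions": sms_perms,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The heuristic is deliberately narrow: many legitimate apps use an accessibility service, and many legitimate apps read SMS, so only the combination is flagged, and a "review" verdict is a prompt for analysis, not a conviction.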

MaaS Approach for Nexus

The MaaS approach lets the threat actors offer their clients a complete infrastructure, including hosting, distribution, and customer support. This lowers the bar for less technical criminals to conduct attacks.

Conclusion: Nexus is a Threat to Global Financial Apps

Nexus is a new Android banking trojan that poses a significant threat to the financial industry. With its capabilities and functionalities, it can easily penetrate hundreds of financial apps globally. It is important to remain vigilant and take measures to protect sensitive financial information from Nexus and other similar threats.

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go beyond them. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and more.
