Nexus, an emerging Android banking Trojan targets 450 financial apps

Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications.

Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed by multiple groups in attacks against 450 financial applications.

The Nexus ransomware was first analyzed in early March by researchers from the threat intelligence firm Cyble.

Nexus is available via a Malware-as-a-Service (MaaS) subscription and is advertised on underground forums or through private channels (e.g., Telegram) since January 2023.

It was available for rent at a price of $3000 per month.

However, Cleafy’s Threat Intelligence & Response Team reported having detected the first Nexus infections in June 2022, months before the MaaS was publicly advertised.

Experts believe that the Nexus Trojan is early stages of development despite multiple campaigns are actively using it in the wild.

“Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception. It also provides a built-in list of injections against 450 financial applications.” reads the analysis published by Cleafy.

The authors claim that Nexus has been entirely written from scratch, but the researchers found similarities between Nexus and the SOVA banking trojan, which appeared on the threat landscape in August 2021.

Like other malware, Nexus doesn’t infect systems located in Russia and CIS countries.

The Nexus Trojan can target multiple banking and cryptocurrency in an attempt to take over customers’ accounts. It relies on overlay attacks and keylogging features to capture customers’ credentials.

The malware also supports features to bypass two-factor authentication (2FA) using both SMSs or the Google Authenticator app by abusing of Android’s accessibility services.

The Android Trojan also supports a mechanism for auto-update.

The analysis of various samples revealed that the malware is equipped with encryption capabilities which appear to be under development due to the presence of debugging strings and the lack of usage references.

“As always, the main question here is: Does it represent a threat to Android users? At the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.” concludes the report. “Because of that, we cannot exclude that it will be ready to take the stage in the next few months.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)