Photo by Rafapress / Shutterstock.com
Customers of nearly 450 banks and financial institutions have been found vulnerable to a novel Android malware dubbed ‘Nexus’. The malware has been made available via a newly announced malware-as-a-service (MaaS) program allowing individuals or groups to rent or subscribe to the malware for use in their own attacks.
Nexus was first spotted in the wild by researchers from Cleafy, an Italian cybersecurity firm in June 2022. However, it was classified simply as a rapidly evolving variant of Sova, another Android banking trojan at the time. Even back then, Nexus shared code with Sova and could target more than 200 mobile banking, crypto and other financial apps.
It resurfaced again in January 2023 on multiple hacking forums, this time with even more capabilities. The malware authors began making it available to other attackers using their new MaaS program for nearly $3,000 per month.
Nexus isn’t the first banking trojan out there and it certainly won’t be the last. Much like other banking trojans we’ve seen, the malware can intercept text messages to bypass 2FA and abuse the Android Accessibility Service feature to seal seeds and balance information from crypto wallets, cookies and 2FA codes from Google’s Authenticator app. However, its authors are continuously adding new features. It also has several account takeover features, including a function for performing overlay attacks and logging keystrokes of the user to capture credentials.
Some of its latest capabilities include deleting received 2FA code SMS and a function that enables or disables the Google Authenticator 2FA code stealing module. The latest variant can also automatically update itself by periodically looking for updates from the Command and Control (C2) centre and an encryption and obfuscation module in the malware seems to be under development.
It’s unclear how the malware is being distributed at the time of writing. Still, according to Federico Valentini, head of Cleafy’s intelligence team, banking trojans are usually delivered through social engineering schemes such as phishing and smishing. That said, Cleafy’s research suggests that the malware may already have breached hundreds of systems with victims well-distributed around the world.
Despite its capabilities and already spread out victim base, Cleafy researchers think the malware is still under active development as indicated by the high number of log messages, presence of debugging strings and lack of usage references in certain modules. The lack of a VNC feature to take full control of an infected Android device is also indicative of that.
In the News: Cybercriminals steal $1.5 million in crypto cash from Bitcoin ATMs