
Nexus Android Trojan

An emerging Android banking Trojan known as 'Nexus' has already been added to the malicious tools of several threat actors. The cybercriminals have used the threat to target approximately 450 financial applications and carry out fraudulent activities.

According to the Italian cybersecurity researchers who released a report on the threat, Nexus appears to be in an early stage of development. Even so, the Trojan already provides all the features needed to conduct Account Takeover (ATO) attacks against banking portals and cryptocurrency services, such as stealing login credentials and intercepting SMS messages. These capabilities make Nexus a sophisticated and dangerous banking Trojan that can cause significant financial damage to its victims. Nexus is designed specifically to compromise Android devices.

The Nexus Banking Trojan is Offered as a Subscription Service

The Nexus Banking Trojan was found to be offered for sale on various hacking forums for $3,000 per month under a Malware-as-a-Service (MaaS) scheme. However, there is evidence suggesting that the Trojan may already have been deployed in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals.

The malware authors have confirmed, on their own Telegram channel, that the majority of Nexus infections have been reported in Turkey. Furthermore, the threat has been found to overlap with another banking Trojan called SOVA, reusing parts of its source code. The Nexus Trojan also contains a ransomware module that appears to be under active development.

Interestingly, the authors of Nexus have set explicit rules prohibiting the use of their malware in several countries, including Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

Expansive List of the Threatening Capabilities Found in Nexus Banking Trojan

Nexus is specifically designed to gain unauthorized access to users' banking and cryptocurrency accounts by employing various techniques such as overlay attacks and keylogging. Through these methods, the malware steals the users' login credentials and other sensitive information.

In addition to these tactics, the malware has the capability to read two-factor authentication (2FA) codes, both from SMS messages and the Google Authenticator app. This is made possible through the exploitation of accessibility services in Android.

Moreover, the malware has been enhanced with new functionalities, such as the ability to remove received SMS messages, activate or deactivate the 2FA stealer module, and update itself by periodically communicating with a command-and-control (C2) server. These new features make the malware even more dangerous and difficult to detect.
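
The capabilities listed above (an abused accessibility service combined with SMS access and screen overlays) translate directly into device state that a defender can check. The following triage helper is an added example and not code from the report: it parses the `enabled_accessibility_services` secure setting (the `pkg/ServiceClass` list that `adb shell settings get secure enabled_accessibility_services` prints) and a per-package set of granted permissions, and flags packages that match the Nexus-style profile. The package names and permission sets below are constructed sample data.

```python
from typing import Dict, List, Set

# Android permissions that correspond to the capabilities described above.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def parse_enabled_a11y(setting: str) -> Set[str]:
    """Return package names from the colon-separated 'pkg/ServiceClass' list.
    adb prints 'null' when the setting has never been written."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def indicators(pkg: str, perms: Set[str], a11y_pkgs: Set[str]) -> List[str]:
    """List which of the three Nexus-style indicators a package exhibits."""
    found = []
    if pkg in a11y_pkgs:
        found.append("accessibility_service_enabled")
    if perms & SMS_PERMS:
        found.append("sms_access")
    if OVERLAY_PERM in perms:
        found.append("overlay_permission")
    return found


def triage(setting: str, granted: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Flag packages that pair an enabled accessibility service with SMS or
    overlay capability; an accessibility app alone (e.g. a screen reader) or an
    SMS app alone is not reported."""
    a11y = parse_enabled_a11y(setting)
    flagged = {}
    for pkg, perms in granted.items():
        hits = indicators(pkg, perms, a11y)
        if "accessibility_service_enabled" in hits and len(hits) > 1:
            flagged[pkg] = hits
    return flagged


# Constructed sample input (not real device data).
ENABLED_A11Y = ("com.example.screenreader/com.example.screenreader.ReaderService:"
                "com.example.dropper/com.example.dropper.A11yService")
GRANTED = {
    "com.example.screenreader": {"android.permission.VIBRATE"},
    "com.example.messenger": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "com.example.dropper": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                            "android.permission.SYSTEM_ALERT_WINDOW"},
}

if __name__ == "__main__":
    for pkg, hits in triage(ENABLED_A11Y, GRANTED).items():
        print(pkg, hits)
```

On a real device the same logic applies to the live setting value and to the `granted=true` entries in `dumpsys package <pkg>` output.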
