
Nexus Banking Trojan

The Nexus banking trojan is mobile malware that targets Android devices. The threat is essentially a rebranded version of the previously identified and tracked S.O.V.A. banking trojan. Its primary objective is to steal banking and financial information from infected devices. However, it also carries a broad set of spyware and remote-control features that make it a more significant threat than a credential stealer alone.

Nexus can steal login credentials for other applications, record audio, and take screenshots. It can also perform spyware functions such as accessing contacts, messages, and other sensitive information stored on the device. As such, it poses a significant threat to both personal privacy and cybersecurity. Details about the Nexus Android banking trojan were released to the public by researchers at Cyble.

Nexus Banking Trojan Harvests Sensitive Information From Infected Devices

The Nexus malware gains control over users' devices by abusing the Android Accessibility Service. This legitimate feature is intended to help users with disabilities operate their devices, for example by simulating taps and reading displayed text aloud. Once the malware is installed (usually disguised as a legitimate app), it asks the user to enable its Accessibility Service, which then lets it observe and interact with the device's screen on the user's behalf.

Once the Accessibility Service is enabled, Nexus uses it to escalate its privileges and grant itself additional permissions by clicking through the system permission dialogs on the user's behalf. It also uses the same access to block attempts to disable the Accessibility Service and to deactivate Google Play Protect and other security settings.

Nexus collects various device information, including the phone model, OS version, IMEI, battery status, IP address (used for geolocation), SIM card ID, phone number, and mobile network data. The malware specifically targets over forty popular banking applications: it checks the list of applications installed on the device and downloads the matching HTML injection for each targeted banking app it finds. The injection renders a fake overlay on top of the legitimate banking app when the user opens it, prompting the user to enter their login credentials.

Once the user enters their login credentials into the overlay, the malware sends them to the attackers, giving them access to the user's bank account. Because the malware can prevent the user from disabling the Accessibility Service, it can continue to collect sensitive information and keep the device compromised.

Nexus Banking Trojan Gains Control of the Breached Devices

The Nexus trojan has a range of functions that help it gain control over sensitive content, especially banking accounts. One of its key capabilities is keylogging, which captures login credentials and other sensitive information as the user types.

In addition, Nexus can manage SMS messages, calls, and notifications. It can read, intercept, hide, delete, and even send text messages to specific numbers or to all contacts. This allows it to obtain one-time passwords and two-factor or multi-factor authentication codes delivered by text message, as well as codes from Google Authenticator.

Nexus can also make stealthy phone calls and forward calls, as well as alter contact information, which means it could be used for toll fraud. Its ability to send messages to all contacts could also be used to spread spam SMS messages.

Furthermore, the trojan can manage notifications by reading, intercepting, and hiding them, and even showing fake ones. It can also list running processes, uninstall apps, open apps, lock and unlock the device, mute and unmute sound, open URLs in a browser, show fake system alert overlays, list the accounts registered on the device, and obtain login credentials and balances for cryptocurrency wallets.

Nexus can also read and delete files on external storage, which could be used to drop additional payloads onto the device (a chain infection). Although it currently appears to use this primarily to fetch HTML injection packages for banking apps, it could be altered to infect devices with additional malware, such as ransomware.
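Added example, not code from the original article or from Cyble's research: an offline triage script that maps the declarations in a decoded AndroidManifest.xml to the capabilities described above (Accessibility Service hook, overlay windows, SMS access, notification listener, contact and call access), rates the combination, and parses the device-side `enabled_accessibility_services` setting (as returned by `adb shell settings get secure enabled_accessibility_services`) to show which packages currently hold the Accessibility hook that Nexus refuses to give up. The indicator-to-capability mapping is this example's own, and the two manifests and the setting value are constructed for illustration; they are not real Nexus samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Indicator -> the capability it enables. This mapping is the example's own
# (assumption for illustration), not a list published by Cyble.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "fake overlay / login screen",
    "android.permission.RECEIVE_SMS": "intercept OTP text messages",
    "android.permission.READ_SMS": "read OTP text messages",
    "android.permission.SEND_SMS": "send SMS to contacts (spam)",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.CALL_PHONE": "place calls (toll fraud)",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed banking apps",
}
SERVICE_BIND_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility Service abuse",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read/hide notifications",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return {indicator: capability} for every risky declaration in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    # Both <uses-permission> and <uses-permission-sdk-23> carry android:name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for perm in root.iter(tag):
            name = perm.get(ATTR_NAME, "")
            if name in PERMISSION_INDICATORS:
                findings[name] = PERMISSION_INDICATORS[name]
    # A <service> guarded by one of these bind permissions is the hook the
    # system connects to: the accessibility or notification-listener entry point.
    for svc in root.iter("service"):
        bind = svc.get(ATTR_PERMISSION, "")
        if bind in SERVICE_BIND_INDICATORS:
            findings[bind] = SERVICE_BIND_INDICATORS[bind]
    return findings


def classify(findings: dict) -> str:
    """Rate the combination: accessibility + overlay + SMS is the banker pattern."""
    accessibility = "android.permission.BIND_ACCESSIBILITY_SERVICE" in findings
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in findings
    sms = any(p in findings for p in
              ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS"))
    if accessibility and overlay and sms:
        return "banker-like"
    if accessibility and (overlay or sms):
        return "suspicious"
    return "low"


def enabled_accessibility_packages(setting_value: str) -> list:
    """Parse the colon-separated package/Service list from the secure setting
    enabled_accessibility_services into package names ("null" means none)."""
    packages = []
    for entry in setting_value.strip().split(":"):
        if entry and "/" in entry:
            packages.append(entry.split("/", 1)[0])
    return packages


# Constructed sample: a dropper posing as a system update (not a real Nexus manifest).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="System Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary messaging app that legitimately reads SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"{label}: {classify(found)}")
        for indicator, capability in found.items():
            print(f"  {indicator} -> {capability}")
    # Constructed setting value, in the format adb returns it.
    print(enabled_accessibility_packages(
        "com.example.sysupdate/.AccService:com.google.android.marvin.talkback/.TalkBackService"))
```

Two caveats for anyone using this in practice: screen readers, password managers and automation tools legitimately declare an Accessibility Service, so a hit is a triage signal rather than a verdict, and a dropper may carry only a minimal manifest and request the dangerous permissions at runtime or in a second-stage APK, so the device-side check of `enabled_accessibility_services` (and of which app holds "draw over other apps") is the more reliable indicator on a suspected infected phone.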
