A new Android banking Trojan has been discovered in several malicious campaigns worldwide. Dubbed ‘Nexus’ by Cleafy security researchers, the tool is promoted as part of a Malware-as-a-Service (MaaS) subscription and provides features to perform account takeover (ATO) attacks.
“In January 2023, a new Android banking Trojan appeared on multiple hacking forums under the name of Nexus,” wrote the company in an advisory published on Tuesday. “However, [we] traced the first Nexus infections way before the public announcement in June 2022.”
Analysing Nexus samples last year, Cleafy noticed code similarities between the malware and SOVA, an Android banking trojan discovered in mid-2021. At the time, the team believed Nexus to be an updated version of SOVA.
“Despite the new MaaS program launched under the name Nexus, the authors may have reused some parts of SOVA internals to write new features (and rewrite some of the existing ones),” explained Cleafy.
“Recently, the SOVA author, who operates under the alias ‘sovenok,’ started sharing some insights on Nexus and its relationship with SOVA, calling out an affiliate who previously rented SOVA for stealing the entire source code of the project.”
Regarding features facilitating ATO operations, Nexus offers overlay attacks and keylogging activities designed to steal victims’ credentials. It can also steal SMS messages (to obtain two-factor authentication codes) and information from cryptocurrency wallets.
Read more on banking trojans here: Researchers Discover Nearly 200,000 New Mobile Banking Trojan Installers
“Nexus is also equipped with a mechanism for autonomous updating,” Cleafy wrote. “A dedicated function asynchronously checks against its C2 server for updates when the malware is running.”
The malware also includes a module capable of encryption, possibly ransomware.
“This module seems to be under development due to the presence of debugging strings and the lack of usage references,” the company clarified.
More generally, Cleafy said that the absence of a virtual network computing (VNC) module (that would allow for remote access) currently limits the action range and capabilities of Nexus.
“However, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world,” the security team warned. “Because of that, we cannot exclude that it will be ready to take the stage in the next few months.”
