Verticals Targeted: Financial, Cryptocurrency
Executive Summary
Key Takeaways
What is Nexus?
Cleafy researchers noted multiple threat actor groups are using Nexus for account takeover attacks targeting banking portals and cryptocurrency. Nexus capabilities include credential theft using overlay attacks and keylogging, abusing Accessibility Services to steal crypto wallet information and Google Authenticator 2FA codes, and SMS interception. It also has built-in injection capabilities against 450 financial apps. Nexus also has autonomous updating capabilities. The most concerning capability is what appears to be an encryption module that is still under development. It is possible this module will be used in the future for ransomware attacks.
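The capabilities listed above (overlays, Accessibility Service abuse, SMS interception, self-updating) each require specific Android permissions or service declarations, which makes a manifest-level triage a cheap first filter when sorting sandbox samples. The following is an added example written for this report, not PolySwarm's or Cleafy's tooling and not a signature for Nexus itself: it parses a constructed AndroidManifest.xml, maps the standard Android permission names onto the capability categories described here, and assigns a coarse verdict. The two sample manifests, the capability labels and the verdict thresholds are all assumptions made for illustration.

```python
"""Manifest-level capability triage for banking-trojan-style Android apps.

Added example: maps standard Android permissions and service guards onto
the capabilities described for Nexus (overlay attacks, Accessibility
abuse, SMS interception, self-update). Sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names are real Android constants; capability labels are ours.
CAPABILITY_INDICATORS = {
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "self_update": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the permission guarding each
    <service>; BIND_ACCESSIBILITY_SERVICE is declared on the service, not
    as a uses-permission entry."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return perms


def triage(manifest_xml: str):
    """Return (capabilities found, verdict). Verdict thresholds are a
    heuristic assumption: overlay plus accessibility together is the
    classic overlay-trojan combination, while a single indicator on its
    own is common in benign apps (screen readers, SMS clients)."""
    perms = declared_permissions(manifest_xml)
    caps = {cap: sorted(perms & ind)
            for cap, ind in CAPABILITY_INDICATORS.items() if perms & ind}
    if "overlay_attack" in caps and "accessibility_abuse" in caps:
        verdict = "high"
    elif len(caps) >= 2:
        verdict = "medium"
    elif caps:
        verdict = "low"
    else:
        verdict = "none"
    return caps, verdict


# Constructed manifest showing the full capability set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        caps, verdict = triage(manifest)
        print(f"{label}: verdict={verdict}")
        for cap, perms in caps.items():
            print(f"  {cap}: {', '.join(perms)}")
```

Run on a decoded manifest (for example the output of an APK decompiler) rather than the binary AXML inside the package, which `xml.etree` cannot read. A high verdict is a reason to look closer at the injection targets and C2 traffic, not a conviction on its own; legitimate accessibility tools and SMS apps declare some of these permissions.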
The Nexus C2 panel gives threat actors a dashboard displaying botnet status and activity, a detailed list of infected devices, data collection tools, a list of applications that can be exploited via injection, the ability to create custom injections, and a builder for creating customized versions of Nexus.
It is interesting to note that Nexus developers forbid its use in Russia and CIS nations. Nexus performs location checks and will not infect the device if it appears to be in Russia, Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, or Indonesia.
Nexus shares similarities with the SOVA banking trojan. SOVA’s author, Sovenak, made forum posts calling out a previous affiliate for stealing SOVA’s source code, which may explain why Nexus and several other banking trojans seem to be based on SOVA. Sovenak also suggested Nexus is linked to the Poison Android botnet.
Nexus still appears to be in the early stages of development at present. At this time, it does not have a VNC module, which limits its capabilities. Despite this, the malware’s injection capabilities make it a real-world threat.
PolySwarm has a sample of Nexus.
376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
You can use the following CLI command to search for all Nexus samples in our portal:
$ polyswarm link list -f Nexus
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports