A new Android banking Trojan has been spotted in several malicious campaigns around the world. Dubbed “Nexus” by Cleafy security researchers, the tool is advertised as part of Malware-as-a-Service (MaaS) subscriptions and offers the ability to conduct account takeover (ATO) attacks.
“In January 2023, a new Android banking Trojan appeared on multiple hacking forums under the name of Nexus,” the company wrote in an advisory published Tuesday. “[But] we tracked the first Nexus infection before its official announcement, in June 2022.”
After analyzing Nexus samples last year, Cleafy noticed code similarities between the malware and the Android banking Trojan SOVA, which was discovered in mid-2021. At the time, the team considered Nexus to be an updated version of SOVA.
“Even though a new MaaS program was launched under the name Nexus, the authors may have reused some of the SOVA internals to create new functionality (and rewrite some of the existing functionality),” explains Cleafy.
“Recently, the creator of SOVA, who goes by the alias ‘sovenok’, began sharing some insight into Nexus and its relationship with SOVA, claiming that a borrowed affiliate had previously stolen SOVA by taking the entire source code of the project.”
In terms of features that facilitate ATO operations, Nexus offers overlay attacks and keylogging activities designed to steal victim credentials. It can also steal information from SMS messages (to get two-factor authentication codes) and cryptocurrency wallets.
“Nexus also has an autonomous update mechanism,” writes Cleafy. “When the malware is running, a dedicated function asynchronously checks for updates against the C2 server.”
The malware also contains a module capable of encryption, which could be used for ransomware.
“This module appears to be under development due to the presence of debug strings and lack of usage references,” the company revealed.
More generally, Cleafy said the lack of a Virtual Network Computing (VNC) module (allowing remote access) currently limits Nexus’ range and capabilities.
“However, according to the infection rates obtained from multiple C2 panels, Nexus is a real threat that can infect hundreds of devices worldwide,” the security team warned. “Therefore, we cannot rule out the possibility that it will be ready to hit the stage in the coming months.”