A New Rising Android Banking Trojan Targeting 450 Financial Apps

March 23, 2023 | Ravie Lakshmanan | Mobile Security / Banking


A new Android banking Trojan called Nexus has already been put to use by multiple threat actors to target 450 financial applications and carry out fraud.

“Nexus appears to be in the early stages of development,” Italian cybersecurity firm Cleafy said in a report released this week.

“Nexus provides all the key features to perform ATO attacks (account takeover) against banking portals and cryptocurrency services, such as credential theft and SMS interception.”

The Trojan, which appeared on various hacking forums earlier this year, is advertised to customers as a $3,000 monthly subscription service. Details of the malware were first documented by Cyble earlier this month.

There are indications, however, that the malware was used in real attacks as early as June 2022, at least six months before its official announcement on darknet portals.

It is also said to overlap with another banking Trojan called SOVA, reusing parts of its source code and incorporating a ransomware module that is believed to be under active development.

A point worth mentioning here is that Nexus is the same malware that Cleafy first classified as a new variant of SOVA (called v5) in August 2022.


Interestingly, the creators of Nexus have clear rules prohibiting the use of malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

Like other banking Trojans, this malware can hijack accounts at banking and cryptocurrency services by performing overlay attacks and keylogging to steal user credentials.


Additionally, Android’s accessibility services can be abused to read two-factor authentication (2FA) codes from SMS messages and the Google Authenticator app.

New to the feature list are the ability to delete received SMS messages, the ability to activate or deactivate the 2FA stealer module, and the ability to periodically ping a command-and-control (C2) server to self-update.
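The accessibility-service abuse described above is the capability a defender can audit for. As an added example that is not from the article or from Cleafy's report, the POSIX shell script below lists which packages hold Android's accessibility-service permission and flags any not on an allowlist. It is fed a constructed sample of the `enabled_accessibility_services` secure setting; on a real device that value comes from `adb shell settings get secure enabled_accessibility_services`. The allowlist and the package names are assumptions.

```shell
#!/bin/sh
# Added example: audit holders of Android's accessibility-service permission,
# the capability Nexus abuses to read 2FA codes from SMS and Google Authenticator.
# On a real device, feed the output of:
#   adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of "package/ServiceClass" entries,
# or the literal string "null" when nothing is enabled.

# Constructed sample: TalkBack (legitimate) plus a hypothetical unknown package.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.MonitorService'

# Hypothetical allowlist of packages expected to hold accessibility access
# (space-separated; adjust for your own device fleet).
ALLOWED='com.google.android.marvin.talkback'

# Print one package name per line from the raw setting value.
list_accessibility_packages() {
    [ -n "$1" ] && [ "$1" != "null" ] || return 0
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print packages that hold accessibility access but are not on the allowlist.
unexpected_accessibility_packages() {
    list_accessibility_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWED " in
            *" $pkg "*) ;;                 # expected holder, skip
            *) printf '%s\n' "$pkg" ;;     # not allowlisted, report
        esac
    done
}

# Return 1 when an unexpected package holds accessibility access,
# so the function can gate a device-health check.
audit_accessibility() {
    found=$(unexpected_accessibility_packages "$1")
    if [ -n "$found" ]; then
        printf 'unexpected accessibility service holder(s):\n%s\n' "$found"
        return 1
    fi
    echo "no unexpected accessibility services"
    return 0
}
```

Run `audit_accessibility "$(adb shell settings get secure enabled_accessibility_services)"` against a connected device to replace the constructed sample with live data.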

“This [Malware-as-a-Service] model allows criminals to monetize malware more efficiently by providing customers with off-the-shelf infrastructure, allowing them to use the malware to attack their targets,” the researchers said.
