Customers of 450 banks and cryptocurrency services throughout the world are being targeted by a threat actor using a harmful Android Trojan that has many capabilities for taking control of online accounts and potentially draining cash from them. Through a recently revealed malware-as-a-service (MaaS) platform, the creators of the so-called “Nexus” Android Trojan have made the malware available to other threat actors so they may use it in their cyberattacks.
When Nexus was originally discovered in June 2022, researchers at the Italian cybersecurity firm Cleafy believed it to be a rapidly evolving variant of another Android banking Trojan they were investigating called “Sova.” At the time, the malware could target more than 200 mobile banking, cryptocurrency, and other financial apps and contained significant amounts of Sova code. Researchers from Cleafy discovered what they believed to be the Sova variation concealed in phony apps with branding that claimed they were from reputable companies like Amazon, Chrome, NFT, and others.
The recent appearance of multiple Android banking trojans, including Nexus, has added to the already significant number of comparable tools that are out there. For instance, Cyble researchers reported earlier this month seeing new Android malware called GoatRAT target a just-launched mobile automated payment system in Brazil. Another Android banking Trojan known as “Godfather” was discovered by Cyble in December 2022. It had been absent for some time but has returned with new, more sophisticated obfuscation and anti-detection characteristics. Cybersecurity experts discovered spyware on the Google Play store that was legal malware. The two malware types are only the very beginning. According to a Kaspersky investigation, 200,000 new banking Trojans appeared in 2022, an increase of 100% from 2021.
The threat intelligence team leader at Cleafy, Federico Valentini, said it’s not apparent how threat actors are getting Nexus onto Android smartphones. “We didn’t have access to specific details on Nexus’s initial infection vector, as our research was mainly focused on analyzing its behavior and capabilities,” says Valentini. “However, based on our experience and knowledge of similar malware, it is common for banking Trojans to be delivered through social engineering schemes such as smishing,” he says, referring to phishing through SMS. The malware, which is now more advanced, was discovered by Cleafy researchers in January 2023. It was going by the moniker Nexus on several hacker sites. Soon after, the malware developers started selling the malware to other threat actors through their new MaaS program for about $3,000 per month.
According to Cleafy’s study of Nexus, the malware has many capabilities for allowing account takeover. One of them allows for the execution of overlay attacks and the recording of keystrokes to steal user credentials. When a user of a targeted cryptocurrency or banking app, for example, tries to enter their account using a hacked Android smartphone, Nexus offers up a page that identically matches the login page for the genuine app in terms of appearance and functionality. The malware then employs its keylogging function to capture the victim’s login information. Nexus may intercept SMS texts, like many banking Trojans, to get two-factor authentication credentials for logging into online accounts. Cleafy discovered Nexus was capable of exploiting Android’s Accessibility Services feature to harvest cookies from websites of interest, two-factor codes from Google’s Authenticator, and seeds and balance information from cryptocurrency wallets.
The creators of the malware also seem to have added to Nexus new features that weren’t in the version that Cleafy saw last year and first thought was a Sova variation. One of them is a function to covertly erase SMS two-factor authentication messages that have been received, and another is a capability to disable or activate the module for stealing Google Authenticator 2FA codes. The most recent Nexus model features a feature that checks its command-and-control server (C2) for updates regularly and automatically installs any that might be made available. According to a module that appears to be still under development, the malware most likely to obfuscate its tracks after completing an account takeover may have an encryption capability.
Valentini said that Cleafy’s study indicates that Nexus may have infiltrated hundreds of systems. Cleafy’s experts determined Nexus to still be a work in progress despite the malware’s numerous capabilities for commandeering online bank accounts. The security provider cites the existence of debugging strings and the absence of use references in some malware modules as indicators. According to Cleafy, the code’s enormous volume of logging messages, which indicates the writers are still following and documenting every step the malware takes, is another clear indication. It is noteworthy that the malware does not currently contain a Virtual Network Computing, or VNC, module that would enable an attacker to fully remote control a Nexus-infected device. “The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily.”
