A threat actor is targeting customers of 450 banks and cryptocurrency services worldwide with a dangerous Android trojan that has multiple features for hijacking online accounts and potentially siphoning funds out of them.
The authors of the so-called "Nexus" Android Trojan have made the malware available to other threat actors via a newly announced malware-as-a-service (MaaS) program, where individuals and groups can rent or subscribe to the malware and use it in their own attacks.
Researchers at Italian cybersecurity firm Cleafy first spotted Nexus last June, but at the time assessed it to be a rapidly evolving variant of another Android banking Trojan they were tracking as "Sova.. The malware contained several chunks of Sova code and had capabilities at the time for targeting more than 200 mobile banking, cryptocurrency and other financial apps. Cleafy researchers observed what they assumed was the Sova variant hidden in fake apps with logos that suggested they were Amazon, Chrome, NFT and other trusted apps.
But in January, Cleafy researchers spotted the malware—now more evolved—surfacing on multiple hacking forums under the name Nexus. Shortly thereafter, the malware authors began making the malware available to other threat actors via its new MaaS program for the relatively price of $3,000 a month.
Federico Valentini, head of Cleafy's threat intelligence team, says it's unclear how threat actors are delivering Nexus on Android devices. "We didn't have access to specific details on Nexus's initial infection vector, as our research was mainly focused on analyzing its behavior and capabilities," Valentini says. "However, based on our experience and knowledge of similar malware, it is common for banking trojans to be delivered through social engineering schemes such as smishing," he says referring to phishing via SMS text messages.
Multiple Features for Account Takeover
Cleafy's analysis of Nexus showed the malware to contain several features for enabling account takeover. Among them is a function for performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a target banking or cryptocurrency app, for instance, attempts to access their account using a compromised Android device, Nexus serves up a page that looks and functions exactly like the login page for the real app. The malware then uses its keylogging feature to grab the victim's credentials as entered in the login page.
Like many banking Trojans, Nexus can intercept SMS messages to grab two-factor authentication codes for accessing online accounts. Cleafy found Nexus capable of abusing Android's Accessibility Services feature to steal seeds and balance information from cryptocurrency wallets, cookies from websites of interest, and two-factor codes of Google's Authenticator app.
The malware authors also appear to have added new functionalities to Nexus that were not present in the version that Cleafy observed last year and initially assumed was a Sova variant. One of them is a feature that quietly deletes received SMS two-factor authentication messages and another is a function for stopping or activating the module for stealing Google Authenticator 2FA codes. The latest Nexus variant also has a function for periodically checking its command-and-control server (C2) for updates and for automatically installing any that might become available. A module that appears to be still under development suggests that the authors might implement an encryption capability in the malware, most likely to obfuscate its tracks after completing an account takeover.
Nexus: A Work in Progress?
Valentini says Cleafy's research suggests that Nexus has compromised potentially hundreds of systems. "What's particularly noteworthy is that the victims do not appear to be concentrated in a particular geographical region but are well distributed globally."
Despite the malware's many functions for taking over online financial accounts, Cleafy's researchers assessed Nexus to still be a work-in-progress. One indication, according to the security vendor, is the presence of debugging strings and the lack of usage references in certain modules of the malware. Another giveaway is the relatively high number of logging messages in the code which suggest the authors are still in the process of tracking and reporting on all actions the malware performs, Cleafy said.
Notably, the malware in its present avatar does not include a Virtual Network Computing, or VNC, module that would give the attacker a way to take complete remote control of a Nexus-infected device. "The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily."
One of Many Android Banking Trojans
Nexus is one of several Android banking trojans that have surfaced just over the past few months and have added to the already large number of similar tools in the wild currently. Earlier this month for instance, researchers from Cyble reported observing new Android malware dubbed GoatRAT targeting a recently introduced mobile automated payment system in Brazil. In December 2022, Cyble spotted another Android banking trojan tracked as "Godfather" resurfacing after a hiatus, with advanced new obfuscation and anti-detection features. Cyble cyber-researchers found the malware masquerading as legitimate software on the Google Play store.
Those two malware variants are barely even the tip of the iceberg. A Kaspersky analysis showed that some 200,000 new banking trojans surfaced in 2022, representing a 100% increase over 2021.