Cleafy, an Italian cybersecurity company, has uncovered Nexus, an Android Trojan that can hijack online accounts and withdraw funds from them. Nexus has been found to target customers of 450 banks and cryptocurrency services worldwide.
It was first observed in June 2022 as a variant of another Android banking Trojan called SOVA. Since then, Nexus has improved its targeting capabilities and is available through a malware-as-a-service program for $3000 per month, which lets other attackers rent or subscribe to it for their own campaigns.
According to Cleafy's report, multiple campaigns are active worldwide, confirming that several threat actors are already using this malware to conduct fraud. Nexus employs several techniques for account takeover, including overlay attacks and keystroke logging to steal user credentials.
When a customer of a targeted banking or cryptocurrency app uses their compromised Android device, Nexus redirects them to a page masquerading as a genuine app login page and grabs the victim’s credentials using an embedded keylogger.
How does Nexus Android Trojan work?
Like many banking Trojans, Nexus Android Trojan can gain access to online accounts by intercepting two-factor authentication codes from an SMS. The Trojan was also found to be stealing seeds and balance information from cryptocurrency wallets, cookies from targeted websites, and two-factor codes of Google’s Authenticator app using Android’s “Accessibility services” features.
Cleafy discovered that Nexus Android Trojan has developed newer capabilities, including abilities to delete received authentication SMS messages, stop or activate the module for stealing Google Authenticator 2FA codes, and periodically check its own command-and-control server for updates and automatically install any that might become available.
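The capabilities described above (overlay attacks, keylogging through an Accessibility service, and SMS interception for 2FA codes) all show up in an app's manifest as a recognisable permission combination. The following triage helper is an added example, not Cleafy's tooling or anything from the Nexus sample; it parses a constructed AndroidManifest.xml and flags the combination for analyst review.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability groups mirroring the techniques described in the article.
CAPABILITY_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_capabilities(manifest_xml: str) -> set[str]:
    """Return the capability groups a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    found = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    # An accessibility service is declared as a <service> guarded by this permission.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION:
            found.add("accessibility")
    return found


def banking_trojan_indicator(manifest_xml: str) -> bool:
    """Flag a manifest that combines all three capability groups for review."""
    return {"overlay", "sms_interception", "accessibility"} <= manifest_capabilities(manifest_xml)


# Constructed sample manifest for demonstration; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(sorted(manifest_capabilities(SAMPLE_MANIFEST)), banking_trojan_indicator(SAMPLE_MANIFEST))
```

This is a triage heuristic, not a verdict: legitimate SMS and accessibility apps request some of these permissions too, so a hit means "look closer", not "malicious".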
Despite its versatility for account takeovers and its global reach, Cleafy still considers the Nexus Android Trojan a “work in progress.” This assessment rests mainly on the presence of debugging strings and the lack of usage references in certain modules of the malware.
The relatively high number of logging messages in the code suggests inadequate tracking and reporting of malware actions. Additionally, the current version of the malware does not yet include a Virtual Network Computing (VNC) module for complete remote-control takeover of a Nexus-infected device. A VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud because money transfers are initiated from the same device the victim uses every day.
A module still under development, as observed by Cleafy, seems to have encryption capabilities mostly for obfuscation purposes after a complete account takeover.
Overall, Nexus is a dangerous Android Trojan that has already been used in multiple fraudulent campaigns. Although the malware is still a work in progress, it has already demonstrated its account-takeover capabilities and global reach, making it a serious threat to mobile banking and cryptocurrency users.
Nowadays, especially with the growing prevalence of digital currencies, protecting yourself from such viruses and Trojans is essential. Recently, the popular YouTube channel Linus Tech Tips was hacked, and the attackers attempted a cryptocurrency scam using a photo of Elon Musk.