Over 400 Financial Apps are Being Attacked by New Android Banking Malware


A recently found Android banking trojan called Nexus has already been used by several threat actors to access 450 financial apps and steal data. Security experts at the Italian cybersecurity company Cleafy said that although this malware has been identified, it is still in the early phases of development. 

However, because the malware already has the necessary capabilities, it can be used to carry out account takeover (ATO) attacks against banking portals and cryptocurrency service providers.

In June 2022, Cleafy identified the "Nexus" banking Trojan, a novel Android malware. Although Cleafy initially believed Nexus to be a highly dynamic variant of the previously monitored Trojan known as "Sova," further investigation showed Nexus to have its own characteristics and abilities.

At the time of detection, the malware was found to incorporate numerous pieces of Sova code. It also showed a wide range of capabilities that enabled it to target more than 200 mobile banking, cryptocurrency, and other financial applications.

Cybersecurity company Cyble reported the appearance of this new malware in several hacking communities earlier this month. The threat actors who created it advertised it to prospective customers as a subscription service with a monthly cost of $3,000.

There was evidence of the malware's use in real attacks as early as June 2022, at least six months before it was made public. According to reports, the majority of Nexus attacks take place in Turkey. In addition, it appears to contain a ransomware module that is actively being developed and reuses components of the SOVA banking trojan.

It's noteworthy that the creators of Nexus have explicitly stated that the following nations will not be the target of their malware:
  • Azerbaijan
  • Armenia
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Uzbekistan
  • Ukraine
  • Indonesia
In addition, the malware can extract 2FA codes from SMS messages and the Google Authenticator app by abusing Android's accessibility service.

Here is a summary of some newly updated and added functionalities:
  • Delete received SMS messages.
  • Turn the 2FA stealer mechanism on or off.
  • Periodically ping a C2 (Command and Control) server to update itself.
By providing clients with pre-built infrastructure, the MaaS strategy enables threat actors to streamline their efforts in producing revenue from malware.

Nexus's operational reach and capabilities are presently limited by the absence of a VNC module. Based on the infection rate observed across several C2 panels, Nexus is a threat with the potential to affect hundreds of devices worldwide.
