Cleafy, a cybersecurity firm, has warned of a new Android banking trojan named Nexus, which ships with injections targeting 450 financial applications.
The Nexus trojan was first analyzed in early March by researchers from threat intelligence firm Cyble, but Cleafy's Threat Intelligence & Response Team reports that it detected the first Nexus infections in June 2022, months before the malware-as-a-service (MaaS) offering was publicly advertised.
Nexus has been advertised on underground forums and in private channels, including Telegram, since January 2023, and is rented out for $3,000 per month.
Despite being used in multiple campaigns, experts believe that the Nexus Trojan is in the early stages of development.
Nexus is presented as having been written entirely from scratch, yet researchers have found similarities between Nexus and the SOVA banking trojan, which appeared on the threat landscape in August 2021.
The Nexus trojan targets multiple banking and cryptocurrency services and abuses Android's accessibility services to bypass two-factor authentication (2FA).
To harvest customers' credentials, Nexus relies on overlay attacks (fake login screens drawn over the legitimate app) and keylogging, and it includes an auto-update mechanism. It also carries a built-in list of injections against 450 financial applications, which makes it a significant threat to customers' accounts.
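The capability set described above (an accessibility service for keylogging and 2FA bypass, plus the overlay permission used to draw fake login screens) is visible in an APK's manifest before the app is ever run. The following triage script is an added example, not tooling from Cleafy, Cyble or the Nexus authors; it parses a constructed AndroidManifest.xml with the standard library and flags the permission and service declarations that Nexus-style bankers depend on. The permission list, the finding texts and the verdict rule are illustrative assumptions, not a published detection signature.

```python
"""Manifest triage for Android banking-trojan capabilities.

Added example (not from the original article or any vendor tooling).
The two manifests at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions commonly abused by Android bankers (assumption: list and texts are illustrative).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw fake login screens over other apps",
    "android.permission.RECEIVE_SMS": "sms: can intercept SMS one-time passcodes",
    "android.permission.READ_SMS": "sms: can read stored SMS one-time passcodes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install: can sideload its own updates",
}
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return package name, human-readable findings and a triage verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. Dangerous permissions requested up front.
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"{name}: {SUSPICIOUS_PERMISSIONS[name]}")

    # 2. An accessibility service is declared either via the BIND_ permission
    #    on the <service> or via the AccessibilityService intent action.
    has_a11y = False
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == A11Y_BIND_PERMISSION:
            has_a11y = True
        for action in svc.iter("action"):
            if action.get(NAME_ATTR) == A11Y_ACTION:
                has_a11y = True
    if has_a11y:
        findings.append("accessibility service declared: can read screen content, "
                        "inject taps and log keystrokes")

    # Verdict rule (assumption): accessibility service + overlay permission is the
    # classic banker pairing; anything else flagged just needs a human look.
    has_overlay = any(f.startswith("android.permission.SYSTEM_ALERT_WINDOW") for f in findings)
    if has_a11y and has_overlay:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": root.get("package", "<unknown>"), "findings": findings, "verdict": verdict}


# Constructed sample: the declaration pattern a Nexus-style banker would show.
BANKER_LIKE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService" android:permission="{A11Y_BIND_PERMISSION}">
      <intent-filter><action android:name="{A11Y_ACTION}"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app requesting only network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BANKER_LIKE_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(report["package"], "->", report["verdict"])
        for line in report["findings"]:
            print("   ", line)
```

Treat the verdict as a triage aid, not a detection: screen readers, password managers and some accessibility tools legitimately declare an accessibility service, and SMS apps legitimately read SMS, so a "suspicious" result is a prompt for dynamic analysis (watch for overlays appearing over banking apps and for the injection list the article describes), not a conviction.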
Analysis of several samples also revealed encryption capabilities that appear to be still under development: the code contains debugging strings and is never referenced by the rest of the malware. Like much other malware of its kind, Nexus does not infect devices located in Russia and the CIS countries.