An Android Trojan dubbed Nexus has emerged as the newest threat to the banking sector and has been adopted by multiple threat actors. It targets over 450 financial apps with the intent to commit financial fraud.
Cleafy, an Italian cybersecurity firm, observed in a report published in recent weeks that Nexus was in its earlier developmental stages, indicating that it could emerge as a greater threat over time.
The firm said that Nexus provides the basic features needed for account takeover (ATO) attacks against cryptocurrency services and banking portals. These include SMS interception and credential stealing.
The Trojan has appeared in multiple hacking forums starting this year. It is advertised to clients as a subscription package with a $3,000 monthly fee. The malware's details were initially recorded by Cyble at the beginning of March.
But there is evidence that the Nexus malware was used for real-time attacks as far back as June last year. That was six months before Nexus was officially announced on the dark net portal.
There is also an indication that it overlaps with SOVA, another Trojan targeting the banking sector. Nexus relies partly on SOVA's source code and adds a ransomware component to it. This module is being actively developed and has undergone various changes since it was first detected. In August 2022, Cleafy had initially classified it as a new variant of the SOVA Trojan, referred to as v5.
Nexus Creators Have Explicitly Forbidden Use Of The Malware In Certain Countries
An interesting point is that the authors of Nexus have explicitly forbidden users of the malware from using it in some countries. They include Russia, Ukraine, Uzbekistan, Armenia, Indonesia, etc. Users of the malware can take control of accounts at cryptocurrency and banking services and perform keylogging and overlay attacks to steal the credentials of the account holders.