Detecting of a malware. Virus, system hack, cyber attack, malware concept. 3d rendering.
Image: Adobe Stock

Nexus malware is an Android banking trojan promoted via a malware-as-a-service model. The malware has been advertised on several underground cybercrime forums since January 2023, as reported in new research from Cleafy, an Italian-based cybersecurity solutions provider.

In an underground cybercrime forum ad, the malware project is described as “very new” and “under continuous development.” More messages from the Nexus author in one forum thread indicate the malware code has been created from scratch. An interesting note: The authors forbid the use of the malware in Russia and in the Commonwealth of Independent States countries.

Jump to:

Potential impact of Nexus Android malware

The number of Nexus control servers is growing and the threat is increasing. According to Cleafy Labs, more than 16 servers were found in 2023 to control Nexus, probably used by several affiliates of the MaaS program.

As stated by Cleafy researchers, “the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.”

Nexus is sold for $3,000 USD per month through a MaaS subscription, which makes it an interesting opportunity for cybercriminals who do not have the expertise to develop malware or crypt it so that it bypasses antivirus solutions.

Nexus Android malware technical analysis

Nexus malware runs on Android operating systems and has several functionalities of interest to cybercriminals.

Account takeover attacks can be accomplished using Nexus malware. Nexus has a comprehensive list of 450 financial application login pages for grabbing users’ credentials. It is also able to perform overlay attacks and keylog users’ activities.

Overlay attacks are very popular on mobile banking trojans. They involve placing a window on top of a legitimate application to ask the user for credentials so they can be stolen. Overlay attacks can also steal cookies from specific sites, typically for session cookie abuse. In addition, Nexus Android malware can steal information from crypto wallets.

SEE: Mobile device security policy (TechRepublic Premium)

The malware has SMS interception capabilities, which can be used to bypass two-factor authentication, grabbing security codes that are sent to the victim’s mobile phone. Nexus can also grab 2FA codes for the Google Authenticator application.

By comparing the code of two different Nexus binaries from September 2022 and March 2023, Cleafy researchers found that the malware’s developer is still actively working on it. New features have appeared, such as the ability to remove a received SMS on the victim’s mobile phone or activate/deactivate 2FA-stealing capabilities from the malware.

Nexus malware regularly updates itself by checking a C2 server for the last version number. If the received value does not match the current one, the malware automatically launches its update.

Cleafy Labs indicated that encryption capabilities were found in various Nexus samples, yet it seems those capabilities are still under development and not yet used. While this code might be part of an effort to produce ransomware code, researchers estimated that it may result from bad cut-and-paste activities involved in many parts of the code. It might also be in ongoing development for a destructive capability to render the OS useless after it’s used for criminal activities.

As stated by Cleafy Labs, it is “hard to think about a ransomware modus operandi on mobile devices since most information stored is synced with cloud services and easily recoverable.”

Nexus Android web panel

Attackers control all the malware installed on victims’ mobile phones using a web control panel. The panel reveals 450 financial targets and offers the possibility for skilled attackers to create more custom injection code to target additional applications.

That panel enables attackers to see the status of all infected devices and get statistics about the number of infected devices. They can also collect data stolen from the devices such as login credentials, cookies, credit card information and more sensitive information. All of that information can be obtained from the interface and saved for fraudulent usage.

In addition, the web panel contains a builder that can be used to create custom configurations for Nexus malware.

Similarities to SOVA Android banking malware

Careful malware analysis done by Cleafy Labs has revealed code similarities between Nexus samples and SOVA, another Android banking trojan that emerged in mid-2021. Although the author of Nexus claims it was developed from scratch, it is possible that code from SOVA has been reused.

SOVA’s developer, nicknamed “sovenok,” recently claimed an affiliate that was previously renting SOVA had stolen the whole source code of the project. They brought attention to another nickname, “Poison,” which seems to have ties with the Nexus malware project.

Most of the SOVA commands were reused in Nexus, and some functions were developed exactly the same way.

How to protect against this Nexus Android malware threat

As the initial vector of infection is unknown, it is important to try to protect from malware infection at every level on Android smartphones:

  • Deploy a mobile device management solution: This allows you to remotely manage and control corporate devices, including installing security updates and enforcing security policies.
  • Use reputable antivirus software: Also keep the OS and all software fully up to date and patched to avoid compromises by common vulnerabilities.
  • Avoid unknown stores: Unknown stores typically have no malware detection processes, unlike official mobile software stores. Remind all users not to install software that comes from untrusted sources.
  • Carefully check requested permissions when installing an app: Applications should only request permissions for necessary APIs; for example, a QR code scanner should not ask for permission to send SMS. Before installing an application, check what privileges it requires.
  • Educate employees about safe mobile device usage: Provide training to employees on how to recognize and avoid malicious apps, links and attachments and encourage them to report any suspicious activity.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday