    Nexus Android malware targets 450 financial applications

    Learn how to protect your organization and its customers from this Android banking trojan.

    Nexus is an Android banking trojan sold through a malware-as-a-service (MaaS) model. It has been advertised on several underground cybercrime forums since January 2023, according to new research from Cleafy, an Italy-based cybersecurity solutions provider.
    In one underground forum advertisement, the project is described as "very new" and "under continuous development." Further messages from the Nexus author in the same forum thread state that the malware code was written from scratch. A notable detail: the authors forbid use of the malware in Russia and in the Commonwealth of Independent States (CIS) countries.
    Potential impact of Nexus Android malware
    The number of Nexus command-and-control (C2) servers is growing, and with it the threat. According to Cleafy Labs, more than 16 servers controlling Nexus were found in 2023, most likely operated by several affiliates of the MaaS program.

    As stated by Cleafy researchers, "the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world."
    Nexus is rented for $3,000 USD per month through a MaaS subscription, which makes it an attractive option for cybercriminals who lack the expertise to develop their own malware or to crypt it so that it bypasses antivirus products.
    Nexus Android malware technical analysis
    Nexus runs on the Android operating system and bundles several capabilities of interest to cybercriminals.
    Account takeover is the main goal. Nexus carries a list of 450 financial application login pages whose credentials it can grab. It can also perform overlay attacks and keylog the user's actions.
    Overlay attacks are very common in mobile banking trojans: the malware draws a window on top of a legitimate application and asks the user for credentials, which are then stolen. Nexus can also steal cookies from specific websites, typically for session hijacking, and can steal information from crypto wallets.
    The malware has SMS interception capabilities, which can be used to bypass two-factor authentication by grabbing the one-time codes sent to the victim's phone. Nexus can also capture 2FA codes from the Google Authenticator application.
    By comparing the code of two Nexus binaries from September 2022 and March 2023, Cleafy researchers found that the developer is still actively working on the malware. New features have appeared, such as the ability to delete a received SMS from the victim's phone, or to enable and disable the 2FA-stealing capabilities remotely.
    Nexus also updates itself: it periodically asks a C2 server for the latest version number, and if the value returned does not match its current version, it automatically launches the update.
    Cleafy Labs noted that encryption routines were found in several Nexus samples, but these appear to still be under development and are not yet used. While this code might be the start of a ransomware capability, the researchers assess that it could equally be the result of careless copy-and-paste, which is visible in many parts of the code. It could also be an in-progress destructive feature meant to render the OS unusable once the device has served its purpose for criminal activity.
    As Cleafy Labs puts it, it is "hard to think about a ransomware modus operandi on mobile devices since most information stored is synced with cloud services and easily recoverable."
    Nexus Android web panel
    Attackers control all the malware instances installed on victims' phones from a web control panel. The panel lists the 450 financial targets and lets skilled attackers write additional custom injection code to target more applications.
    The panel shows the status of every infected device and provides statistics on the number of infections. Attackers can also collect the data stolen from the devices, such as login credentials, cookies, credit card numbers and other sensitive information; all of it can be retrieved from the interface and stored for later fraudulent use.
    In addition, the web panel contains a builder that can be used to create custom configurations of the Nexus malware.
    Similarities to SOVA Android banking malware
    Careful malware analysis by Cleafy Labs revealed code similarities between Nexus samples and SOVA, another Android banking trojan that emerged in mid-2021. Although the author of Nexus claims the malware was developed from scratch, it is possible that code from SOVA has been reused.
    SOVA's developer, nicknamed "sovenok," recently claimed that an affiliate who had been renting SOVA stole the entire source code of the project. They drew attention to another nickname, "Poison," which appears to have ties to the Nexus project.
    Most of the SOVA commands were reused in Nexus, and some functions were implemented in exactly the same way.
    How to protect against the Nexus Android malware threat
    As the initial infection vector is unknown, it is important to defend against malware infection at every level on Android smartphones:

    Deploy a mobile device management (MDM) solution: This lets you remotely manage and control corporate devices, including installing security updates and enforcing security policies.
    Use reputable antivirus software: Also keep the OS and all software fully updated and patched to avoid compromise through common vulnerabilities.
    Avoid unknown app stores: Unknown stores usually have no malware detection process, unlike the official mobile app stores. Remind all users never to install software from untrusted sources.
    Carefully check the permissions requested when installing an app: Applications should only request the permissions they actually need; a QR code scanner, for example, should not ask for permission to send or read SMS. Before installing an application, check what privileges it requires.
    Educate employees about safe mobile device usage: Train employees to recognize and avoid malicious apps, links and attachments, and encourage them to report any suspicious activity.
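
The permission check in the list above can be automated for sideloaded APKs or MDM app reviews. The Python script below is an added example, not code from the original article or from Cleafy's report: it parses an AndroidManifest.xml and flags the permission combinations that give a banking trojan its reach (SMS interception for 2FA bypass, an overlay window for fake login pages, an accessibility service for keylogging). The embedded manifests are constructed for illustration; the permission names are real Android permissions, but the grouping of permissions into capabilities, the "expected permissions per app type" baseline and the verdict thresholds are this example's own assumptions, not an Android or Cleafy taxonomy.

```python
"""Triage the permissions an Android app requests before it is installed.

Added example (not from the original article or from Cleafy's research).
Parses AndroidManifest.xml and flags banking-trojan capability combinations.
The capability groups, the per-app-type baseline and the sample manifests
below are assumptions made for this demo; the permission names are real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed mapping from permissions to the trojan capability they enable.
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "target_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Assumed baseline: what a given kind of app legitimately needs.
EXPECTED = {
    "qr_scanner": {"android.permission.CAMERA", "android.permission.INTERNET"},
}


def requested_permissions(manifest_xml):
    """Collect every permission the manifest asks for.

    <uses-permission> covers the runtime/install permissions; the
    android:permission guard on <service> and <receiver> is where
    BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN are declared, so
    a check that only reads <uses-permission> misses the keylogger.
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        perms |= {el.get(A_PERMISSION) for el in root.iter(tag)}
    return {p for p in perms if p}


def triage(manifest_xml, app_kind):
    """Return permissions, the capabilities they imply beyond the baseline
    for app_kind, and a verdict: block / review / ok."""
    perms = requested_permissions(manifest_xml)
    unexpected = perms - EXPECTED.get(app_kind, set())
    caps = {name for name, group in CAPABILITIES.items() if unexpected & group}
    # SMS access, or overlay plus accessibility together, is the classic
    # banking-trojan signature and is not something to wave through.
    if "sms" in caps or {"overlay", "keylogging"} <= caps:
        verdict = "block"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"permissions": sorted(perms), "capabilities": sorted(caps),
            "unexpected": sorted(unexpected), "verdict": verdict}


# Constructed manifest of a fake "QR scanner" asking for trojan permissions.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".Accessibility"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of a scanner that asks only for what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = triage(manifest, "qr_scanner")
        print(f"{label}: verdict={report['verdict']} "
              f"capabilities={report['capabilities']}")
```

The manifest inside a real APK is binary-encoded; run it through a decoder such as apktool or aapt first and feed the resulting XML to `triage()`. The baseline is deliberately strict so that an unexpected permission produces at least a "review" verdict; extend `EXPECTED` per app category rather than loosening the capability rules.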

    Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
