Learn how to protect your organization and users from this Android banking trojan.
Nexus malware is an Android banking trojan promoted through a malware-as-a-service model. The malware has been advertised on several underground cybercrime forums since January 2023, as reported in new research from Cleafy, an Italian cybersecurity solutions provider.
In an underground cybercrime forum advertisement, the malware project is described as “very new” and “under continuous development.” Additional messages from the Nexus author in one forum thread indicate the malware code was written from scratch. An interesting note: The authors forbid the use of the malware in Russia and in the Commonwealth of Independent States countries.
Potential impact of Nexus Android malware
The number of Nexus control servers is growing and the threat is increasing. According to Cleafy Labs, more than 16 servers were found in 2023 controlling Nexus, probably used by several affiliates of the MaaS program.
As stated by Cleafy researchers, “the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.”
Nexus is sold for $3,000 USD per month through a MaaS subscription, which makes it an attractive option for cybercriminals who don’t have the expertise to develop malware or crypt it so that it bypasses antivirus solutions.
Nexus Android malware technical analysis
Nexus malware runs on Android operating systems and has several functionalities of interest to cybercriminals.
Account takeover attacks can be achieved using Nexus malware. Nexus has a comprehensive list of 450 financial application login pages for grabbing users’ credentials. It is also able to perform overlay attacks and keylog users’ actions.
Overlay attacks are very popular in mobile banking trojans. They consist of placing a window on top of a legitimate application to ask the user for credentials so they can be stolen. Overlay attacks can also steal cookies from specific websites, typically for session cookie abuse. In addition, Nexus Android malware can steal information from crypto wallets.
The malware has SMS interception capabilities, which can be used to bypass two-factor authentication by grabbing security codes sent to the victim’s mobile phone. Nexus can also grab 2FA codes from the Google Authenticator application.
By comparing the code of two different Nexus binaries from September 2022 and March 2023, Cleafy researchers found that the malware’s developer is still actively working on it. New features have appeared, such as the ability to delete a received SMS on the victim’s mobile phone or to activate/deactivate the 2FA-stealing capabilities from the malware.
Nexus malware regularly updates itself by checking a C2 server for the latest version number. If the received value doesn’t match the current one, the malware automatically launches its update.
Cleafy Labs indicated that encryption capabilities were found in various Nexus samples, yet it seems those capabilities are still under development and not yet used. While this code might be part of an effort to provide ransomware functionality, researchers estimated that it might instead result from careless cut-and-paste work seen in many parts of the code. It might also be ongoing development of a destructive capability to render the OS unusable after it has been used for criminal activities.
As stated by Cleafy Labs, it is “hard to think of a ransomware modus operandi on mobile devices since most information stored is synced with cloud services and easily recoverable.”
Nexus Android web panel
Attackers control all the malware installed on victims’ phones using a web control panel. The panel shows 450 financial targets and offers skilled attackers the possibility to create additional custom injection code to target further applications.
That panel allows attackers to see the status of all infected devices and get statistics about the number of infected devices. They can also collect data stolen from the devices such as login credentials, cookies, credit card information and other sensitive information. All of that information can be obtained from the interface and stored for fraudulent use.
In addition, the web panel contains a builder that can be used to create custom configurations for Nexus malware.
Similarities to SOVA Android banking malware
Careful malware analysis performed by Cleafy Labs has revealed code similarities between Nexus samples and SOVA, another Android banking trojan that emerged in mid-2021. Although the author of Nexus claims it was developed from scratch, it is possible that code from SOVA has been reused.
SOVA’s developer, nicknamed “sovenok,” recently claimed that an affiliate who was previously renting SOVA had stolen the whole source code of the project. They drew attention to another nickname, “Poison,” which seems to have ties to the Nexus malware project.
Most of the SOVA commands have been reused in Nexus, and some functions have been developed in exactly the same way.
How to protect against this Nexus Android malware threat
Since the initial infection vector is unknown, it is important to try to protect against malware infection at every level on Android smartphones:
- Deploy a mobile device management solution: This allows you to remotely manage and control corporate devices, including installing security updates and enforcing security policies.
- Use reputable antivirus software: Also keep the OS and all software fully updated and patched to avoid compromise through common vulnerabilities.
- Avoid unknown app stores: Unknown stores typically have no malware detection processes, unlike the official mobile software stores. Remind all users not to install software that comes from untrusted sources.
- Carefully check requested permissions when installing an app: Applications should only request permissions for the APIs they need; for example, a QR code scanner shouldn’t ask for permission to send SMS. Before installing an application, check what privileges it requires.
- Educate employees about safe mobile device usage: Provide training to employees on how to recognize and avoid malicious apps, links and attachments, and encourage them to report any suspicious activity.
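The permission check described above can be automated for app vetting. The following is an added example written for this article, not code from Cleafy or from the Nexus project: it parses an Android manifest and flags the permission combinations that correspond to the capabilities described earlier (an overlay window, SMS interception and an accessibility service usable for keylogging). The two manifests are constructed samples, the weights and the "high/review/low" thresholds are assumptions chosen for illustration, and the accessibility check looks for a service guarded by `BIND_ACCESSIBILITY_SERVICE`, which is how such services are declared rather than as a `uses-permission` entry.

```python
"""Triage Android manifests for banking-trojan permission patterns.

Example code added to this article (not Cleafy's or the article author's).
The manifests below are constructed samples, not real Nexus artifacts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> (capability it enables, risk weight).
# Weights are an assumption for this example, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.RECEIVE_SMS": ("sms", 3),
    "android.permission.READ_SMS": ("sms", 2),
    "android.permission.SEND_SMS": ("sms", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload", 2),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("persistence", 1),
}
# Accessibility services are declared on a <service>, not via <uses-permission>.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess_manifest(xml_text: str) -> dict:
    """Return the risky permissions found, the capabilities they enable,
    a numeric score and a verdict of 'low', 'review' or 'high'."""
    root = ET.fromstring(xml_text)
    found, capabilities, score = [], set(), 0

    for node in root.iter("uses-permission"):
        perm = node.get(NAME)
        if perm in RISKY_PERMISSIONS:
            capability, weight = RISKY_PERMISSIONS[perm]
            found.append(perm)
            capabilities.add(capability)
            score += weight

    for service in root.iter("service"):
        if service.get(PERMISSION) == ACCESSIBILITY_BIND:
            found.append(ACCESSIBILITY_BIND)
            capabilities.add("accessibility")
            score += 3

    # Overlay combined with SMS access or an accessibility service is the
    # credential-theft pattern described in the article: always 'high'.
    if "overlay" in capabilities and capabilities & {"sms", "accessibility"}:
        verdict = "high"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"

    return {
        "permissions": sorted(found),
        "capabilities": sorted(capabilities),
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: a QR scanner asking only for what it needs.
QR_SCANNER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: a "QR scanner" that also wants overlays, SMS and an
# accessibility service, which is the pattern a banking trojan needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner.pro">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("qr_scanner", QR_SCANNER_MANIFEST),
                            ("qr_scanner_pro", SUSPICIOUS_MANIFEST)):
        print(label, assess_manifest(manifest))
```

The manifest of an installed or candidate APK can be extracted with the standard Android build tools (for example `aapt dump xmltree` or `apkanalyzer manifest print`) and fed to `assess_manifest`; a "high" verdict is a reason to block the app from an MDM-managed fleet and look at it more closely, not proof of malice on its own, since some legitimate utilities also request overlay or accessibility access.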
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.