A new banking trojan for Android called Nexus that targets 450 financial apps is being sold on hacker forums.
Analysts of an Italian cyber security firm Cleafy they say that Nexus is in the early stages of development, but despite that, it is already being used by several criminal groups.
At the beginning of the year, the Trojan began to be advertised on hacker forums, where a subscription model is offered that costs $3,000 per month. However, there are indications that the malware was used in attacks as early as June of last year, at least six months before its official publication on dark web portals.
Most of the Nexus infections were reported in Turkey. Interestingly, the authors of Nexus have set explicit restrictions that prohibit the use of malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.
Analysts say that the Nexus code overlaps with the code of another banking trojan known as SOVA, that parts of its source code are used, and that the malware also has a ransomware module that appears to be under active development.
Interestingly, Cleafy originally, in August 2022, classified Nexus as a new variant of SOVA (called v5).
The malware, like other banking trojans, has a function for taking over accounts for e-banking and crypto services by performing overlapping attacks, and a keylogging function thanks to which the trojan can steal user credentials. Nexus can read two-factor authentication (2FA) codes from text messages and the Google Authenticator app by abusing Android’s accessibility services. The malware can also scavenge received SMS messages, enable or disable the 2FA theft module, and update itself by periodically pinging the Command and Control (C2) server.
“The Malware-as-a-Service model allows criminals to more efficiently monetize their malware by providing off-the-shelf infrastructure to their clients, who can then use the malware to attack their targets,” the researchers said.
Illustration: Cleafy
Source: Informacija.rs by www.informacija.rs.
*The article has been translated based on the content of Informacija.rs by www.informacija.rs. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!
