An Android banking trojan called Nexus, advertised on a Russian cybercrime forum, can launch malware attacks on all Android versions up to the 13 and was still being worked on to include more features and capabilities.
Nexus malware was found to be distributed through phishing pages disguised as YouTube Vanced’s legitimate websites, including youtubeadvanced[.]net and youtubevanvedadw[.]net, found researchers at Cyble Research and Intelligence Labs (CRIL).
The malware’s code was analyzed and found to have similarities with the S.O.V.A banking trojan, which targets Android devices.
Nexus malware targets
Nexus malware targets banking apps to steal sensitive data from Android-based devices. Some of the banks were Finansbank Enpara, mBank, Ziraat bank, YKB, and VakifBank. A full list of links to the targeted banks can be seen below:
Most of the banks were headquartered in Turkey, the Togolese Republic, Spain, etc. Nexus was capable of stealing wallet information from specific banking apps including accessing Exodus wallets.
Nexus malware can exploit permissions and run its own commands including:
- startlock to lock the device screen
- getperm to work as an administrator
- stop2faactivator to disable 2FA activator
- starthidenpush to hide push notifications on the device
- getsms to steal SMSs from the device
- call to make calls
- gettrustwallet to steal Trust wallet data
- delbot to deactivate the admin and uninstall Nexus
The malware attack was launched on targets via phishing pages there were spoofed to look like the legitimate page of the now-defunct YouTube Vanced Android application. Researchers spotted the following cloned pages used to cheat targets:
- youtubeadvanced[.]net
- youtubevanvedadw[.]net
Nexus malware: A detailed analysis
“The malware prompts the user to enable the Accessibility Service upon launching it for the first time. Once the victim grants this permission, the malware exploits the service to automatically approve requested permissions, enable device administration, and initiate keylogging activities,” said the CRIL report.
The URL hxxp://5.161.97[.]57:5000 was used as the Command and Control server and the package name was com.toss.soda. The SHA256 hash was 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f.
CRIL researchers warned users to inform the bank and then disable WiFi and/or mobile data and remove the sim card. They may need to perform a factory reset. Removing the banking application is also advisable for immediate mitigation.
Researchers found similarities between Nexus Android malware and the SOVA Android banking trojan that was discovered in 2021.
Nexus banking malware versus SOVA banking trojan
SOVA also had similar coding as Nexus, and it attacked Android versions 7 through 11. An advertisement in an XSS.is forum publicized SOVA with intention of making it capable of launching DDoS attacks and ransomware attacks.
The malware developers were planning to add Man in the Middle (MiTM) capabilities to the SOVA banking trojan. MiTM attacks generally target banking and e-commerce applications that require logging in.
In such attacks, the cybercriminal or developer of malware tries to interact with the target while posing as a legitimate executive or member of a team offering app-related help.
SOVA Android Trojan was in the cybersecurity news recently, when the Indian Computer Emergency Response Team (CERT-In) issued an alert that the country’s banking customers were being targeted by it.
The malware, which first appeared for sale in underground markets in September 2021, can harvest usernames and passwords, capture credentials when users log into their net banking apps, and prevent uninstallation by intercepting actions and returning the user to the home screen with a display: This app is secured.
“It has been discovered that the makers of SOVA recently upgraded it to its fifth version since its inception, and this version has the capability to encrypt all data on an Android phone and hold it to ransom,” said the official alert.
“Another key features of SOVA is the refactoring of its “protections” module, which aims to protect itself from different victim’s actions.”
