Generative Data Intelligence

‘Nexus’ Android Malware Targets Customers of 450 Financial Institutions Worldwide


A threat actor is targeting
customers of 450 banks and cryptocurrency services worldwide with a dangerous
Android trojan that has multiple features for hijacking online accounts and
potentially siphoning funds out of them.

The authors of the so-called “Nexus” Android Trojan have
made the malware available to other threat actors via a newly announced
malware-as-a-service (MaaS) program, where individuals and groups can rent or
subscribe to the malware and use it in their own attacks.

Researchers at Italian cybersecurity firm Cleafy first spotted
Nexus last June, but at the time assessed it to be a rapidly evolving variant of another
Android banking Trojan they were tracking as “Sova.” The malware contained
several chunks of Sova code and at the time could target more
than 200 mobile banking, cryptocurrency and other financial apps. Cleafy
researchers observed what they assumed was the Sova variant hidden in fake apps
whose logos mimicked Amazon, Chrome, NFT and other trusted apps.

But in January, Cleafy researchers spotted the malware, now more
evolved, surfacing on multiple hacking forums under the name Nexus. Shortly
thereafter, the malware authors began renting it to other
threat actors through their new MaaS program for $3,000 a
month.

Federico Valentini, head of Cleafy’s threat intelligence team,
says it’s unclear how threat actors are delivering Nexus to Android devices. “We didn’t have access to specific details on Nexus’s initial infection
vector, as our research was mainly focused on analyzing its behavior and
capabilities,” Valentini says. “However, based on our experience and
knowledge of similar malware, it is common for banking trojans to be delivered
through social engineering schemes such as smishing,” he says, referring to
phishing via SMS text messages.

Multiple Features for Account Takeover

Cleafy’s analysis of Nexus showed the malware to contain several features for enabling account takeover. Among them is a function for performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a target banking or cryptocurrency app, for instance, attempts to access their account using a compromised Android device, Nexus serves up a page that looks and functions exactly like the login page for the real app. The malware then uses its keylogging feature to grab the victim’s credentials as entered in the login page.

Like many banking Trojans, Nexus can intercept SMS messages to grab two-factor authentication codes for accessing online accounts. Cleafy also found Nexus capable of abusing Android’s Accessibility Services feature to steal seed phrases and balance information from cryptocurrency wallets, cookies from websites of interest, and two-factor codes from Google’s Authenticator app.

The malware authors also appear to have added new functionalities to Nexus that were not present in the version that Cleafy observed last year and initially assumed was a Sova variant. One of them is a feature that quietly deletes received SMS two-factor authentication messages and another is a function for stopping or activating the module for stealing Google Authenticator 2FA codes. The latest Nexus variant also has a function for periodically checking its command-and-control server (C2) for updates and for automatically installing any that might become available. A module that appears to be still under development suggests that the authors might implement an encryption capability in the malware, most likely to obfuscate its tracks after completing an account takeover.
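The capability set described in the last three paragraphs (overlay windows, SMS interception, Accessibility Services abuse, silent self-update installs, brand impersonation) leaves a recognisable footprint in an app’s manifest. The script below is an added example for this article, not Cleafy’s tooling and not code from the page: it statically triages an AndroidManifest.xml, such as one decoded from an APK with `apktool d`, for that combination. Both manifests in it are constructed, the package names in the fake-app samples are invented, and the weights, thresholds and the brand-to-genuine-package table are this example’s own assumptions.

```python
"""Static manifest triage for the banking-trojan capability set described in
the article: overlays, SMS 2FA interception, Accessibility Services abuse,
self-update from C2, and brand impersonation. Added example, not Cleafy's
tooling; the manifests, weights and thresholds below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Requested permissions mapped to the features the article attributes to Nexus.
# Weights are a triage heuristic chosen for this example, not a vendor score.
PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay attack", 3),
    "android.permission.RECEIVE_SMS": ("SMS 2FA interception", 3),
    "android.permission.READ_SMS": ("SMS 2FA interception", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("self-update from C2", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence", 1),
}
# Permissions declared on a <service>, which bind it to a system capability.
SERVICE_SIGNALS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("Accessibility Services abuse", 4),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification capture", 2),
}
# Brands the article says the fake apps impersonated, with the package the
# genuine app ships under. Matching label plus a different package is a red flag.
GENUINE_PACKAGES = {"chrome": "com.android.chrome",
                    "amazon": "com.amazon.mShop.android.shopping"}


def analyze_manifest(xml_text):
    """Return score, capability list, per-finding evidence and a verdict."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    def hit(evidence, capability, weight):
        nonlocal score
        findings.append((evidence, capability))
        score += weight

    for p in root.iter("uses-permission"):
        name = p.get(ANDROID_NS + "name", "")
        if name in PERMISSION_SIGNALS:
            hit(name, *PERMISSION_SIGNALS[name])

    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        if perm in SERVICE_SIGNALS:
            hit("service " + svc.get(ANDROID_NS + "name", "?"), *SERVICE_SIGNALS[perm])

    # An SMS_RECEIVED receiver with a raised priority is delivered ahead of
    # lower-priority listeners, so the app sees a 2FA code as it arrives.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                hit("SMS_RECEIVED receiver priority=%d" % prio,
                    "SMS 2FA interception", 2 if prio > 0 else 1)

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()
    package = root.get("package", "")
    # Resource references (@string/...) cannot be resolved from the manifest alone.
    if label and not label.startswith("@"):
        genuine = GENUINE_PACKAGES.get(label)
        if genuine and package != genuine:
            hit("label %r but package %s" % (label, package), "brand impersonation", 3)

    caps = {c for _, c in findings}
    # Overlay plus Accessibility is the pairing behind on-device credential theft.
    if {"overlay attack", "Accessibility Services abuse"} <= caps:
        hit("overlay + accessibility", "credential theft toolkit", 3)
        caps.add("credential theft toolkit")

    verdict = "high" if score >= 12 else "medium" if score >= 6 else "low"
    return {"score": score, "capabilities": sorted(caps),
            "findings": findings, "verdict": verdict}


# Constructed manifest of a fake "Chrome" app; package name is invented.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.update.chrome.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="@string/app_name"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = analyze_manifest(manifest)
        print(name, result["verdict"], result["score"], result["capabilities"])
```

The check deliberately scores combinations rather than single permissions: SYSTEM_ALERT_WINDOW or an accessibility service on its own is common in legitimate apps, whereas overlays, an accessibility service, SMS receipt and self-install permissions in one package with a brand-name label is the profile the article describes. A manifest scan is a triage filter only; an app that requests Accessibility access at runtime through social engineering, or that fetches its payload after install, will need dynamic analysis.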

Nexus: A Work in Progress?

Valentini says Cleafy’s research
suggests that Nexus has compromised potentially hundreds of systems. “What’s particularly noteworthy is that the victims do not appear to be
concentrated in a particular geographical region but are well distributed
globally.”

Despite the malware’s many functions for taking over online
financial accounts, Cleafy’s researchers assessed Nexus to still be a
work-in-progress. One indication, according to the security vendor, is the
presence of debugging strings and the lack of usage references in certain
modules of the malware. Another giveaway is the relatively high number of
logging messages in the code which suggest the authors are still in the process
of tracking and reporting on all actions the malware performs, Cleafy said.

Notably, the malware in its current form does not include a
Virtual Network Computing, or VNC, module that would give the attacker a way to
take complete remote control of a Nexus-infected device. Cleafy regards that omission as significant: “The VNC module
allows threat actors to perform on-device fraud, one of the most dangerous
types of fraud since money transfers are initiated from the same device used by
victims daily.”

One of Many Android Banking Trojans

Nexus is one of several Android banking trojans that have surfaced in just the past few months, adding to the already large number of similar tools in the wild. Earlier this month, for instance, researchers from Cyble reported observing new Android malware dubbed GoatRAT targeting a recently introduced mobile automated payment system in Brazil. In December 2022, Cyble spotted another Android banking trojan tracked as “Godfather” resurfacing after a hiatus, with advanced new obfuscation and anti-detection features. Cyble researchers found the malware masquerading as legitimate software on the Google Play store.

Those two malware variants are barely the tip of the iceberg. A Kaspersky analysis showed that some 200,000 new mobile banking trojans surfaced in 2022, a 100% increase over 2021.
