Staying safe online feels more challenging with each passing day, with even reputable password managers falling prey to hackers. Bad actors who cannot be bothered to develop their own tooling from scratch can rent turnkey malware-as-a-service (MaaS) offerings to infect devices and deliver a custom, malicious payload. Security researchers have documented the resurgence of one such MaaS, called Nexus, an Android banking trojan designed to harvest banking credentials from infected devices.

Cybersecurity firm Cleafy analyzed Nexus's modus operandi using samples and posts collected from underground forums (via TechRadar). The botnet was first identified in June last year, and its operators rent it to clients for account takeover (ATO) attacks at a $3,000 monthly fee. Nexus gets onto an Android device disguised as a legitimate app, distributed through shady third-party app stores rather than Google Play. Once installed, the victim's device becomes a bot in a botnet controlled by the operator.


Nexus Android botnet advertised for rent on an underground forum

Nexus is capable malware. It keylogs to capture the login credentials you type into various apps, intercepts SMS-delivered two-factor authentication (2FA) codes, and can also lift codes from the comparatively secure Google Authenticator app, all without the user's knowledge. The malware can delete the 2FA SMS after stealing the code so the victim never sees it, update itself in the background, and download and install additional malware — a nightmare all around.


Screenshots of the Nexus web panel

Because infected devices are enrolled in the botnet, threat actors renting Nexus use a simple web panel to monitor every bot (infected device) remotely and browse the data harvested from it. The panel reportedly allows the malware to be customized and supports web injections targeting around 450 banking and financial apps: legitimate-looking fake login pages that are shown to the victim in place of the real app's login screen to steal credentials.

Technically, Nexus is an evolution of the SOVA banking trojan, which first appeared in mid-2021. SOVA's source code was stolen by an Android botnet operator who had rented the older, popular MaaS (so much for honor among thieves). Although Cleafy says Nexus still appears to be in beta, its operator has reused chunks of that stolen code and added new components, including a ransomware module meant to lock the victim out of the device using AES encryption. That module appears to be inactive at present.

Commands shared between Nexus and SOVA

As a result, Nexus shares commands and command-and-control protocol features with its infamous predecessor, including the same country whitelist: devices located in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia are ignored even if the trojan is installed. Most of these countries are members of the Commonwealth of Independent States (CIS), an exclusion commonly seen in malware sold on Russian-speaking underground forums.

Because Nexus masquerades as a legitimate app, spotting it on an Android device can be difficult. Possible red flags include abnormal spikes in mobile data or Wi-Fi usage, usually a sign of malware talking to its command-and-control server or updating in the background, and abnormal battery drain while the device is not in active use, a telltale sign of background activity. If you notice these symptoms, back up your important files and factory reset the device, or contact a qualified security professional.

To keep your Android devices safe from malware like Nexus, only install apps from reputable sources such as the Google Play Store, keep the device on the latest available security patch, and grant apps only the permissions essential for their operation: an image gallery app should not need access to your call logs or your SMS messages.
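The permission advice above can be turned into a quick triage check. The script below is an added example written for this article, not code from Cleafy or from the Nexus sample: it parses the output of `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services` (captured beforehand, so it runs offline) and flags packages that hold the permissions a Nexus-style banking trojan needs, namely SMS interception, overlay drawing, installing further packages, and an enabled accessibility service, while noting whether each flagged package was sideloaded. The sample `dumpsys` text and accessibility setting are constructed for the example and simplified from the real format; the risky-permission list and the "trusted installer" set are assumptions, not something the report specifies.

```python
"""Triage Android packages for the permission profile of a banking trojan.

Inputs are captured on a workstation with:
  adb shell dumpsys package <pkg>   (concatenated for each package of interest)
  adb shell settings get secure enabled_accessibility_services
and then fed to triage(); nothing here talks to a device directly.
"""
import re

# Permissions a Nexus-style trojan relies on (example choice, not from the report):
# SMS interception for 2FA theft, overlays for fake login pages, dropper behaviour.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Installers treated as first-party; anything else (or none) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER = re.compile(r"^\s*installerPackageName=(\S+)")
GRANTED = re.compile(r"^\s*([\w.]+): granted=true")


def parse_dumpsys_package(text):
    """Map each package in dumpsys output to its installer and granted permissions."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = PKG_HEADER.match(line)
        if m:
            current = m.group(1)
            packages[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = INSTALLER.match(line)
        if m:
            packages[current]["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = GRANTED.match(line)  # covers both install and runtime permission lines
        if m:
            packages[current]["granted"].add(m.group(1))
    return packages


def parse_enabled_accessibility(setting):
    """Package names from enabled_accessibility_services (pkg/service:pkg/service, or 'null')."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def triage(dumpsys_text, accessibility_setting):
    """Return only packages with at least one risk indicator, with the evidence for each."""
    accessible = parse_enabled_accessibility(accessibility_setting)
    findings = {}
    for pkg, info in parse_dumpsys_package(dumpsys_text).items():
        risky = sorted(info["granted"] & RISKY_PERMISSIONS)
        a11y = pkg in accessible
        if not risky and not a11y:
            continue  # no trojan-like capability, nothing to review
        findings[pkg] = {
            "sideloaded": info["installer"] not in TRUSTED_INSTALLERS,
            "risky_granted": risky,
            "accessibility_enabled": a11y,
        }
    return findings


# Constructed sample: a Play-installed banking app and a sideloaded "gallery" app
# that has quietly been granted SMS access and an accessibility service.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.bank] (a1b2c3):
    userId=10120
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.free.gallery] (d4e5f6):
    userId=10131
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""
SAMPLE_ACCESSIBILITY = (
    "com.free.gallery/com.free.gallery.HelperService:"
    "com.android.talkback/.TalkBackService"
)

if __name__ == "__main__":
    for pkg, evidence in triage(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY).items():
        print(pkg, evidence)
```

A sideloaded app that is granted SMS permissions and runs an accessibility service is exactly the profile described above, so it rises to the top of the list; a Play-installed app with ordinary permissions produces no finding at all. Review anything flagged rather than uninstalling blindly, since screen readers and some automation tools legitimately use accessibility services.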

Cleafy hasn’t revealed just how widespread the Nexus botnet is, but in this day and age, you can never be too cautious.