Learn to shield your group and customers from this Android banking trojan.
Nexus malware is an Android banking trojan promoted by way of a malware-as-a-service mannequin. The malware has been marketed on a number of underground cybercrime boards since January 2023, as reported in new analysis from Cleafy, an Italian-based cybersecurity options supplier.
In an underground cybercrime discussion board advert, the malware challenge is described as “very new” and “beneath steady improvement.” Extra messages from the Nexus writer in a single discussion board thread point out the malware code has been created from scratch. An attention-grabbing notice: The authors forbid the usage of the malware in Russia and within the Commonwealth of Unbiased States nations.
Potential impression of Nexus Android malware
The variety of Nexus management servers is rising and the menace is rising. In response to Cleafy Labs, greater than 16 servers had been present in 2023 to regulate Nexus, in all probability utilized by a number of associates of the MaaS program.
As said by Cleafy researchers, “the absence of a VNC module limits its motion vary and its capabilities; nonetheless, in line with the an infection price retrieved from a number of C2 panels, Nexus is an actual menace that’s able to infecting lots of of units around the globe.”
Nexus is bought for $3,000 USD monthly by way of a MaaS subscription, which makes it an attention-grabbing alternative for cybercriminals who do not need the experience to develop malware or crypt it in order that it bypasses antivirus options.
Nexus Android malware technical evaluation
Nexus malware runs on Android working techniques and has a number of functionalities of curiosity to cybercriminals.
Account takeover assaults could be completed utilizing Nexus malware. Nexus has a complete checklist of 450 monetary utility login pages for grabbing customers’ credentials. It’s also in a position to carry out overlay assaults and keylog customers’ actions.
Overlay assaults are very fashionable on cellular banking trojans. They contain inserting a window on prime of a professional utility to ask the consumer for credentials to allow them to be stolen. Overlay assaults may steal cookies from particular websites, sometimes for session cookie abuse. As well as, Nexus Android malware can steal data from crypto wallets.
SEE: Cell machine safety coverage (TechRepublic Premium)
The malware has SMS interception capabilities, which can be utilized to bypass two-factor authentication, grabbing safety codes which might be despatched to the sufferer’s cell phone. Nexus may seize 2FA codes for the Google Authenticator utility.
By evaluating the code of two totally different Nexus binaries from September 2022 and March 2023, Cleafy researchers discovered that the malware’s developer continues to be actively engaged on it. New options have appeared, comparable to the flexibility to take away a obtained SMS on the sufferer’s cell phone or activate/deactivate 2FA-stealing capabilities from the malware.
Nexus malware frequently updates itself by checking a C2 server for the final model quantity. If the obtained worth doesn’t match the present one, the malware mechanically launches its replace.
Cleafy Labs indicated that encryption capabilities had been present in numerous Nexus samples, but it appears these capabilities are nonetheless beneath improvement and never but used. Whereas this code could be a part of an effort to supply ransomware code, researchers estimated that it could outcome from dangerous cut-and-paste actions concerned in lots of components of the code. It may additionally be in ongoing improvement for a harmful functionality to render the OS ineffective after it’s used for prison actions.
As said by Cleafy Labs, it’s “arduous to consider a ransomware modus operandi on cellular units since most data saved is synced with cloud providers and simply recoverable.”
Nexus Android internet panel
Attackers management all of the malware put in on victims’ cell phones utilizing an internet management panel. The panel reveals 450 monetary targets and affords the chance for expert attackers to create extra customized injection code to focus on further functions.
That panel permits attackers to see the standing of all contaminated units and get statistics concerning the variety of contaminated units. They’ll additionally acquire information stolen from the units comparable to login credentials, cookies, bank card data and extra delicate data. All of that data could be obtained from the interface and saved for fraudulent utilization.
As well as, the online panel accommodates a builder that can be utilized to create customized configurations for Nexus malware.
Similarities to SOVA Android banking malware
Cautious malware evaluation carried out by Cleafy Labs has revealed code similarities between Nexus samples and SOVA, one other Android banking trojan that emerged in mid-2021. Though the writer of Nexus claims it was developed from scratch, it’s doable that code from SOVA has been reused.
SOVA’s developer, nicknamed “sovenok,” not too long ago claimed an affiliate that was beforehand renting SOVA had stolen the entire supply code of the challenge. They introduced consideration to a different nickname, “Poison,” which appears to have ties with the Nexus malware challenge.
A lot of the SOVA instructions had been reused in Nexus, and a few features had been developed precisely the identical method.
Tips on how to shield in opposition to this Nexus Android malware menace
Because the preliminary vector of an infection is unknown, it is very important attempt to shield from malware an infection at each stage on Android smartphones:
- Deploy a cellular machine administration resolution: This lets you remotely handle and management company units, together with putting in safety updates and imposing safety insurance policies.
- Use respected antivirus software program: Additionally preserve the OS and all software program totally updated and patched to keep away from compromises by widespread vulnerabilities.
- Keep away from unknown shops: Unknown shops sometimes don’t have any malware detection processes, in contrast to official cellular software program shops. Remind all customers to not set up software program that comes from untrusted sources.
- Fastidiously verify requested permissions when putting in an app: Functions ought to solely request permissions for mandatory APIs; for instance, a QR code scanner mustn’t ask for permission to ship SMS. Earlier than putting in an utility, verify what privileges it requires.
- Educate workers about protected cellular machine utilization: Present coaching to workers on the right way to acknowledge and keep away from malicious apps, hyperlinks and attachments and encourage them to report any suspicious exercise.
Disclosure: I work for Development Micro, however the views expressed on this article are mine.