The Nexus Android banking trojan is being promoted on underground forums as a new botnet, under the malware-as-a-service (MaaS) business model, according to fraud prevention firm Cleafy.
The trojan was initially announced in June 2022, but was active months before that. Starting January 2023, however, its authors started promoting it as a botnet, at $3,000 per month for a MaaS subscription.
Although still in development stages, the malware appears to be used by multiple threat actors, mainly in attacks aimed at taking over banking and cryptocurrency accounts. The threat can intercept SMS messages and steal credentials, targeting roughly 450 financial applications.
Nexus is promoted as a completely new trojan, but Cleafy identified connections with the Sova banking trojan that point at code reuse. In fact, Sova’s author has been claiming that Nexus’ developer is a former affiliate that rented the malware to steal its source code.
Cleafy also discovered that both malware families check for a device’s geographical location in a similar manner, that they both ignore devices located in the same countries, and that the two share API similarities related to command-and-control (C&C) communication.
The Nexus trojan appears specifically designed to conduct account takeover attacks: it can overlay on top of target applications, can log the victim’s key presses, can steal two-factor authentication (2FA) codes delivered via SMS, and can abuse Accessibility Services to steal crypto-wallet information, Google Authenticator 2FA codes, and browser cookies.
Between August 2022 and January 2023, the malware developers added to Nexus the ability to delete received SMS messages and a feature to enable and disable the 2FA stealer module.
The trojan’s developers also packed it with an auto-update mechanism and appear to be working on enabling encryption capabilities, either to hide its malicious activities on infected devices, or in preparation for a ransomware module, Cleafy says.
Nexus developers manage the malware and data collection operations from a centralized interface that provides information on infected devices and the botnet’s status, and allows them to create customized samples.
The panel also allows malware operators to create custom injections targeting the applications of 450 different financial institutions.
Related: Godfather Android Banking Trojan Targeting Over 400 Applications
Related: ‘Schoolyard Bully’ Android Trojan Targeted Facebook Credentials of 300,000 Users
Related: Hack-for-Hire Group Targets Android Users With Malicious VPN Apps

More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
