The issue of security has recently become increasingly relevant in the online environment. This is because even relatively trustworthy tools providing password management often fall victim to hacker attacks. In many cases, attackers do not even bother to develop their own instruments from scratch, but use ready-made solutions based on, for example, the MaaS model, which can be deployed in various forms and whose purpose is online monitoring and data evaluation. However, in the hands of an aggressor, it serves to infect devices and distribute its own malicious content. Security experts managed to discover the use of such a MaaS called Nexus, which aims to obtain banking information from devices with Android using a Trojan horse.
Company Cleafy dealing with cyber security analyzed the modus operandi of the Nexus system using sample data from underground forums in cooperation with the server TechRadar. This botnet, i.e. a network of compromised devices that are then controlled by an attacker, was first identified in June last year and allows its clients to carry out ATO attacks, short for Account Takeover, for a monthly fee of US$3. Nexus infiltrates your system device Android masquerading as a legitimate app that may be available in often dubious third-party app stores and packing a not-so-friendly bonus in the form of a Trojan horse. Once infected, the victim's device becomes part of the botnet.
Gallery
Nexus is a powerful malware that can record login credentials to various applications using keylogging, basically spying on your keyboard. However, it is also capable of stealing two-factor authentication codes delivered via SMS and informace from the otherwise relatively secure Google Authenticator app. All this without your knowledge. Malware can delete SMS messages after stealing codes, automatically update them in the background, or even distribute other malware. A real security nightmare.
Since the victim's devices are part of the botnet, threat actors using the Nexus system can remotely monitor all the bots, the infected devices and the data obtained from them, using a simple web panel. The interface reportedly allows system customization and supports the remote injection of approximately 450 legitimate-looking banking application login pages to steal data.
You could be interested in
Technically, Nexus is an evolution of the SOVA banking trojan from mid-2021. According to Cleafy, it looks like the SOVA source code was stolen by a botnet operator Android, which leased legacy MaaS. The entity running Nexus used parts of this stolen source code and then added other dangerous elements, such as a ransomware module capable of locking your device using AES encryption, although this does not appear to be currently active.
Nexus therefore shares commands and control protocols with its infamous predecessor, including ignoring devices in the same countries that were on the SOVA whitelist. Thus, hardware operating in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia is ignored even if the tool is installed. Most of these countries are members of the Commonwealth of Independent States established after the collapse of the Soviet Union.
Gallery
Since the malware is in the nature of a Trojan horse, its detection may be on the system device Android quite demanding. A possible warning might be seeing unusual spikes in mobile data and Wi-Fi usage, which usually indicate that the malware is communicating with the hacker's device or updating in the background. Another clue is abnormal battery drain when the device is not actively being used. If you encounter any of these issues, it's a good idea to start thinking about backing up your important data and resetting your device to factory settings or contacting a qualified security professional.
To protect yourself from dangerous malware like Nexus, always download apps from trusted sources like the Google Play Store, make sure you have the latest updates installed, and only grant apps the permissions necessary to run them. Cleafy has yet to reveal the extent of the Nexus botnet, but these days it's always better to be safe than sorry.
