The recently evolved version of Nexus has targeted more than 450 banks and cryptocurrency services. Multiple threat actors have already been found using Nexus to conduct fraudulent campaigns.

Italian cybersecurity firm Cleafy has found “Nexus”, a new Android Trojan capable of hijacking online accounts and siphoning funds from them, to be targeting customers of 450 banks and cryptocurrency services worldwide.

First observed in June 2022 as a variant of SOVA, another Android banking Trojan, Nexus has since improved its targeting capabilities and is available via a malware-as-a-service (MaaS) program for $3000 a month, allowing other attackers to rent or subscribe to the malware for their own attacks.

Multiple campaigns active worldwide confirm that several threat actors are already using this threat to conduct fraudulent campaigns, according to a Cleafy report.

Nexus hacks Android controls to steal user credentials

Cleafy observed Nexus employing several techniques for account takeover. One involves performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a targeted banking or cryptocurrency app uses his or her compromised Android device, Nexus redirects them to a page masquerading as the genuine app login page and grabs the victim’s credentials using an embedded keylogger. Nexus, like many banking Trojans, can also gain access to online accounts by grabbing two-factor authentication codes from intercepted SMS messages.
The Trojan was also found stealing seed phrases and balance information from cryptocurrency wallets, cookies from targeted websites, and two-factor codes from Google’s Authenticator app, using Android’s “Accessibility services” features.

Cleafy found that Nexus has developed newer capabilities absent from last year’s SOVA variant, including the ability to delete received authentication SMS messages, to stop or activate the module that steals Google Authenticator 2FA codes, and to periodically check its own command-and-control (C2) server for updates and automatically install any that become available.

Modules have amateur giveaways, still striving for perfection

Despite its versatility for account takeovers and its global reach, Cleafy still considers Nexus a “work in progress.” This is mainly due to the presence of debugging strings and the lack of usage references in certain modules of the malware. The relatively high number of logging messages in the code suggests inadequate tracking and reporting of malware actions.

Moreover, the current version of the malware does not include a Virtual Network Computing (VNC) module for a complete remote-control takeover of a Nexus-infected device. A VNC module lets threat actors perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device the victim uses daily, the report said.

A module still under development, as observed by Cleafy, appears to have encryption capabilities, mostly for obfuscation purposes after a complete account takeover.
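The abuse of Accessibility services together with SMS access described above is the combination a defender can look for when triaging a suspect device. The following is an added example, not code from Cleafy or from this article: it parses the output of two standard adb commands (`settings get secure enabled_accessibility_services` and `dumpsys package <pkg>`) and flags packages that both run an enabled Accessibility Service and hold a granted SMS permission. The package names and dumpsys text are constructed samples.

```python
import re

# Permissions a banking Trojan needs to read or intercept 2FA SMS codes.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Matches "android.permission.X: granted=true" lines in dumpsys package output.
_GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true", re.M)


def parse_enabled_accessibility_services(raw):
    """Return package names from the colon-separated 'pkg/Service' setting value."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset on the device
        return []
    pkgs = []
    for entry in raw.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg and pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs


def granted_sms_permissions(dumpsys_text):
    """Return the SMS permissions that dumpsys reports as granted."""
    return {p for p in _GRANT_RE.findall(dumpsys_text) if p in SMS_PERMS}


def flag_suspicious(enabled_raw, dumpsys_by_pkg, allowlist):
    """Map each non-allowlisted accessibility package to its granted SMS perms."""
    findings = {}
    for pkg in parse_enabled_accessibility_services(enabled_raw):
        if pkg in allowlist:  # known screen readers etc.
            continue
        findings[pkg] = sorted(granted_sms_permissions(dumpsys_by_pkg.get(pkg, "")))
    return findings


# Constructed sample inputs (not real packages or device output).
SAMPLE_ENABLED = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakeupdate/.AccessService")
SAMPLE_DUMPSYS = {"com.example.fakeupdate": """
  Package [com.example.fakeupdate]:
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""}
ALLOWLIST = {"com.android.talkback"}  # assumed legitimate accessibility apps

if __name__ == "__main__":
    for pkg, perms in flag_suspicious(SAMPLE_ENABLED, SAMPLE_DUMPSYS, ALLOWLIST).items():
        print(f"{pkg}: accessibility enabled, SMS perms granted: {perms or 'none'}")
```

Any package reported with both capabilities warrants a closer look; the allowlist must be tuned to the device's legitimate accessibility apps.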