For the Nexus malware, please write a short paragraph based on the given background and website info:

- the date of the first incident’s report

- How does it work,

- How one should protect his/her system against this malware

- If infected, how one can cope with that? Is there any solution?

 

 

Nexus malware is an Android banking trojan promoted via a malware-as-a-service model. The malware has been advertised on several underground cybercrime forums since January 2023, as reported in new research from Cleafy, an Italian-based cybersecurity solutions provider.

In an underground cybercrime forum ad, the malware project is described as “very new” and “under continuous development.” More messages from the Nexus author in one forum thread indicate the malware code has been created from scratch. An interesting note: The authors forbid the use of the malware in Russia and in the Commonwealth of Independent States countries.

Potential impact of Nexus Android malware

The trojan was initially announced in June 2022, but was active months before that. Starting January 2023, however, its authors started promoting it as a botnet, at $3,000 per month for a MaaS subscription.

Although still in development stages, the malware appears to be used by multiple threat actors, mainly in attacks aimed at taking over banking and cryptocurrency accounts. The threat can intercept SMS messages and steal credentials, targeting roughly 450 financial applications.

Nexus is promoted as a completely new trojan, but Cleafy identified connections with the Sova banking trojan that point at code reuse. In fact, Sova’s author has been claiming that Nexus’ developer is a former affiliate that rented the malware to steal its source code.

Cleafy also discovered that both malware families check for a device’s geographical location in a similar manner, that they both ignore devices located in the same countries, and that the two share API similarities related to command-and-control (C&C) communication.

The Nexus trojan appears specifically designed to conduct account takeover attacks: it can overlay on top of target applications, can log the victim’s key presses, can steal two-factor authentication (2FA) codes delivered via SMS, and can abuse Accessibility Services to steal crypto-wallet information, Google Authenticator 2FA codes, and browser cookies.

Between August 2022 and January 2023, the malware developers added to Nexus the ability to delete received SMS messages and a feature to enable and disable the 2FA stealer module.

https://www.securityweek.com/nexus-android-trojan-targets-450-financial-applications/

 

 

The number of Nexus control servers is growing and the threat is increasing. According to Cleafy Labs, more than 16 servers were found in 2023 to control Nexus, probably used by several affiliates of the MaaS program.

Nexus is sold for $3,000 USD per month through a MaaS subscription, which makes it an interesting opportunity for cybercriminals who do not have the expertise to develop malware or crypt it so that it bypasses antivirus solutions.

Nexus Android malware technical analysis

Nexus malware runs on Android operating systems and has several functionalities of interest to cybercriminals.

Account takeover attacks can be accomplished using Nexus malware. Nexus has a comprehensive list of 450 financial application login pages for grabbing users’ credentials. It is also able to perform overlay attacks and keylog users’ activities.

Overlay attacks are very popular on mobile banking trojans. They involve placing a window on top of a legitimate application to ask the user for credentials so they can be stolen. Overlay attacks can also steal cookies from specific sites, typically for session cookie abuse. In addition, Nexus Android malware can steal information from crypto wallets.