
Emerging Android Banking Trojan - Nexus

The Nexus Banking Trojan has been making headlines lately for its sophisticated capabilities and for being adopted by several threat actors. The trojan is capable of targeting 450 financial applications and conducting fraud, although the malware is still in its early stages of development. Nexus provides all the main features needed to perform an Account Takeover (ATO) attack against banking portals and cryptocurrency services, including stealing credentials and intercepting SMS messages.

The trojan first appeared on various hacking forums at the start of the year and is advertised as a subscription service with a monthly fee of $3,000. Although details of the malware were first documented by Cyble earlier this month, there are indications that it may have been used in real-world attacks as early as June 2022, six months before its official announcement on darknet portals. A majority of the Nexus infections have been reported in Turkey.

Nexus is also said to overlap with another banking trojan called SOVA: it reuses parts of SOVA's source code and incorporates a ransomware module that appears to be under active development. Security researcher Rohit Bansal (@0xrb) has confirmed that Nexus is the same malware that Cleafy initially classified as a new variant of SOVA (dubbed v5) back in August 2022. This is yet another example of how quickly this malware is evolving.

It is important for businesses and individuals to keep a close eye on this trojan and to implement proper security measures to protect themselves from being targeted.

