Warning! Nexus Banking Trojan Can Steal 2FA Codes

A new Android banking Trojan called Nexus has been discovered. Several cybercriminals have already used it to target approximately 450 financial apps and engage in fraudulent activities.

Cleafy, an Italian cybersecurity company, stated in a report released this week that Nexus appears to be in its early stages of development but has all the necessary features to conduct Account Takeover (ATO) attacks against banking portals and cryptocurrency services. The Trojan is advertised as a subscription service for a monthly fee of $3,000, and it was first documented by Cyble earlier this month. The malware may have been used in actual attacks as early as June 2022, although it was officially announced on darknet portals only six months later.

According to Rohit Bansal, a security researcher, and the malware authors in their Telegram channel, the majority of Nexus infections have been reported in Turkey. Interestingly, the Nexus creators have imposed explicit rules prohibiting the use of their malware in several countries, including Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

The malware has typical banking trojan features, such as overlay attacks and keylogging, which it uses to steal users' credentials and hijack accounts linked to banking and cryptocurrency services. Additionally, it can read two-factor authentication (2FA) codes from SMS messages and from the Google Authenticator app using Android's accessibility services. Among other new functions, it can also remove SMS messages, activate or disable the 2FA stealer module, and update itself by pinging a command-and-control (C2) server at regular intervals.
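The capability combination described above, an accessibility service together with SMS access, is something a defender can look for when triaging an app. The following is an added example, not code from Cleafy, Cyble or the original article. It assumes the manifest has already been decoded to text XML (for example with apktool), and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

def audit_manifest(manifest_xml):
    """Flag the accessibility-service + SMS-access combination in one manifest.

    Heuristic only: legitimate apps can match, so a hit means "review", not
    "malicious". For untrusted files, parse with a hardened XML parser.
    """
    root = ET.fromstring(manifest_xml.strip())
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {el.get(ANDROID + "name") for el in root.iter(tag)}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == A11Y_BIND]
    sms = sorted(requested & SMS_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "sms_access": sms,
        "overlay_permission": OVERLAY in requested,
        "review": bool(a11y) and bool(sms),
    }

# Constructed sample manifests (not taken from any real app or from Nexus).
FLAGGED = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flagged">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
CLEAN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
  <application>
    <service android:name=".ScreenReader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (FLAGGED, CLEAN):
        print(audit_manifest(sample))
```

A screen reader that declares only an accessibility service is not flagged; the heuristic fires only when SMS access is requested as well.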

How Do Most Banking Trojans Work?

Most banking trojans are designed to infiltrate a victim's computer or mobile device and steal sensitive financial information such as login credentials, credit card numbers, and other banking details. They typically operate by utilizing several tactics, including phishing attacks, malicious attachments, and infected software downloads.

Once installed, the trojan will often lie in wait, collecting data on the user's banking activities and other sensitive information, such as email addresses and passwords. Many banking trojans are also capable of hijacking web sessions, which allows the attacker to take control of the victim's online banking activities.

Some banking trojans have more advanced features such as keystroke logging, screen capturing, and overlay attacks. A keystroke logger records all keystrokes entered on the keyboard, which could include login credentials and other sensitive information. A screen capture function allows the attacker to record the user's computer screen, while an overlay attack involves creating a fake login page that is superimposed on top of a legitimate banking website.

Overall, the main goal of most banking trojans is to gain unauthorized access to victims' banking accounts and steal their money. It is important to remain vigilant when it comes to online security, and to take steps to protect your devices and personal information.

March 24, 2023