Nexus Banking Trojan Linked to Older Sova Malware

The Android banking trojan, known as Nexus, has been identified by researchers at Cyble.

The malware was found to be a rebranded version of the S.O.V.A. banking trojan. It primarily targets banking and finance-related information but has a wide range of malicious functionality. Once Nexus infiltrates a device, it requests permission to enable Android Accessibility Services, which grants the malware full control over the device. Nexus can escalate its privileges and disable password security measures and Google Play Protect.

The trojan collects device information and targets over 40 popular banking applications by downloading HTML injection code that creates a phishing page for each specific bank. Nexus can record keystrokes, manage SMS messages, calls, and notifications, and obtain OTPs and 2FA/MFA codes delivered by text message or Google Authenticator. It can also make stealthy phone calls, alter contact information, and manage external storage.

This trojan has the potential to cause chain infections and could be modified to infect devices with additional malware.

What is a Banking Trojan and How Can it Get on Your Phone?

A banking trojan is a type of malware that is designed to steal sensitive information, such as login credentials and financial data, from banking and financial applications on a device. It typically works by tricking users into downloading and installing a fake or malicious application on their device, which then gives the trojan access to the device's sensitive information.

Banking trojans can get on your phone in a variety of ways, including through malicious apps, phishing emails or text messages, and by exploiting vulnerabilities in the operating system or other software on the device. They may also be disguised as legitimate apps or software updates, or may be hidden in files downloaded from untrustworthy websites.

Once a banking trojan is on your phone, it may request access to certain features or permissions, such as the Android Accessibility Services, which it can then use to gain control over your device and access your banking and financial information. It may also use various techniques, such as keylogging and phishing, to obtain your login credentials and other sensitive data.

To protect your device from banking trojans, it's important to only download apps from trusted sources such as the Google Play Store, and to be cautious when opening email attachments or clicking on links from unknown senders. You should also keep your device's operating system and software up-to-date with the latest security patches, and use reputable mobile security software to detect and remove any malware that may be present on your device.
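The permission abuse described above can be audited from a workstation. The following is an added example, not code from the article or from the Cyble research: it lists packages that hold an enabled accessibility service but were neither preinstalled nor installed by a trusted store. The function names, the trusted-installer set and the sample data are assumptions constructed for illustration.

```python
import re

# Assumption: only Google Play counts as a trusted installer; adjust per policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(value):
    """Packages from `adb shell settings get secure enabled_accessibility_services`
    (colon-separated package/class components, or 'null' when none are enabled)."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c.split("/", 1)[0] for c in value.split(":") if "/" in c]

def parse_packages(listing):
    """{package: installer or None} from `adb shell pm list packages -i`.
    Also accepts the plain `pm list packages -s` form (installer is None)."""
    out = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            out[m.group(1)] = None if m.group(2) in (None, "null") else m.group(2)
    return out

def flag_services(a11y_value, installer_listing, system_listing):
    """Accessibility-enabled packages that are not system apps and were not
    installed by a trusted store. Unknown packages are flagged as well."""
    installers = parse_packages(installer_listing)
    system = set(parse_packages(system_listing))
    flagged = {p for p in parse_accessibility(a11y_value)
               if p not in system and installers.get(p) not in TRUSTED_INSTALLERS}
    return sorted(flagged)

# Constructed sample data (not captured from a real device).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.reader/.ReaderService:com.example.sideloaded/.HelperService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.reader  installer=com.android.vending
package:com.example.sideloaded  installer=null"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback"

if __name__ == "__main__":
    print(flag_services(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM))
```

A flagged package is a lead for review, not a verdict: legitimate sideloaded tools can also hold accessibility access.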

March 14, 2023