Banking Trojan Nexus is rapidly infecting Android devices around the world

Malware distributed under the MaaS model has already managed to attack over 450 different financial applications.

A banking Trojan for Android known as Nexus, which only recently appeared on the radar, is rapidly gaining popularity among attackers and is already being used by many different hacker groups. Reportedly, at least 450 financial applications around the world have already been targeted by Nexus.

Researchers at Cleafy believe that the malware is at an early stage of development and will be revised more than once. “Nexus provides all the basic functions for performing ATO (Account Takeover) attacks against banking portals and cryptocurrency services, such as stealing credentials and intercepting SMS,” the experts say.

The Trojan, which appeared on various hacker forums earlier this year, is advertised as a subscription service (MaaS) for a monthly fee of $3,000. Detailed information about the malware was first documented by the company Cyble earlier this month. However, there are indications that the malware may have been used in real attacks as early as June 2022, at least six months before it was officially announced on darknet sites.

Most Nexus infections were recorded in Turkey; however, the authors of the malware assure in their Telegram channel that Nexus clients did not mount a targeted attack on Turkey for political or other reasons.

Initially, Nexus was classified as yet another variant of a different banking Trojan, SOVA. Only later did researchers realize that the new malware is simply based on the older one's code and also reuses its ransomware module.

Interestingly, the authors of Nexus have laid out clear rules for their clients that prohibit the use of their malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia. This suggests that the malware's authors are most likely natives of one of these countries themselves.

The Nexus malware, like many other banking Trojans, contains functions for taking over accounts by performing overlay attacks and keylogging. In addition, the Trojan can read two-factor authentication (2FA) codes from SMS messages and from the Google Authenticator app by abusing Android accessibility services.

Among the newer additions to its feature list are the ability to delete received SMS messages, to activate or stop the 2FA-stealing module, and to update itself by periodically polling its C2 server.

“The MaaS model allows criminals to most effectively monetize their malware by providing customers with a ready-made infrastructure that can then be used to attack targets of their choice,” the researchers report.


Source: www.securitylab.ru
