December 6, 2023

Researchers have spotted a new Android Trojan, dubbed Nexus, that is capable of hijacking online accounts and stealing from them. It was found to be targeting customers of 450 banks and cryptocurrency services worldwide.

Nexus's initial variant, SOVA, was found in 2022. Since then it has improved its targeting capabilities and is available via a malware-as-a-service program for $3000 a month, which allows other attackers to rent or subscribe to the malware for their own attacks.

As observed by researchers, Nexus hijacks Android controls to steal user credentials and employs several techniques for account takeover.

  • It performs overlay attacks and logs keystrokes to steal user credentials.
  • When a customer of a targeted banking or cryptocurrency app uses a compromised Android device, Nexus redirects them to a page masquerading as the genuine app login page and grabs the victim’s credentials using an embedded keylogger.

Nexus also gains access to online accounts by grabbing two-factor authentication codes from intercepted SMS messages. The Trojan was found to be stealing seeds and balance information from cryptocurrency wallets, cookies from targeted websites, and two-factor codes from the Google Authenticator app using Android’s “Accessibility services” features.


Nexus's new capabilities include the ability to delete received authentication SMS messages, stop or activate the module for stealing Google Authenticator 2FA codes, and periodically check its own C2 for updates, automatically installing any that become available.
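For defenders triaging installed or submitted apps, the capabilities described above map onto a recognizable combination of manifest declarations. The following is an added example, not code from the original research: it parses a decoded AndroidManifest.xml and flags apps that pair an accessibility service with SMS access. The capability-to-permission mapping and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> manifest permissions that commonly enable it.
# This mapping is a triage assumption, not taken from a Nexus sample.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "self_update_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, matched capability labels, and a review flag."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
           for s in root.iter("service")):
        found.add("accessibility_service")
    # Flag the combination only: accessibility alone is common in legitimate apps,
    # but accessibility plus SMS access covers both 2FA capture paths described above.
    needs_review = {"accessibility_service", "sms_interception"} <= found
    return {"package": root.get("package"), "capabilities": sorted(found),
            "needs_review": needs_review}


# Constructed sample manifests (not from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".TalkSvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS, BENIGN):
        print(triage_manifest(manifest))
```

A flagged result is a prompt for manual review, not a verdict, since legitimate apps can request the same combination.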

Nexus appears to still be a “work in progress”, mainly because of the presence of debugging strings and the lack of usage references in certain modules of the malware.

The current version of the malware does not include a Virtual Network Computing (VNC) module for a complete remote-control takeover of a Nexus-infected device.


The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily.

A module still under development seems to have encryption capabilities, mostly for obfuscation purposes after a complete account takeover. Nexus is a real threat that is capable of infecting hundreds of devices around the world. Because of that, we cannot exclude that it will be ready to take the stage in the next few months.

This research was documented by researchers from Cleafy.

Indicators of Compromise

  • d4c6871dbd078685cb138a499113d280
