Thursday September 19, 2024

Advisory ID: NCC-CSIRT-280323-017

Summary:  Fraud-prevention firm Cleafy has identified an Android banking Trojan named Nexus, a new botnet sold under the malware-as-a-service (MaaS) business model. Nexus provides all the main features needed to perform account takeover (ATO) attacks against banking portals and cryptocurrency services, such as credential theft and SMS interception.

Vulnerable Platform(s):  Android operating system

Threat Type:  Malware

Product:  Android banking applications / cryptocurrency wallets

Version:  All Versions

Description:  Nexus is advertised to its clientele as a malware-as-a-service (MaaS) subscription for a fee of $3,000 per month. MaaS is a form of cybercrime in which malware creators or distributors rent their tooling to other criminals or individuals on a subscription basis: the developers offer their services on underground forums or through private channels (e.g., Telegram), and their clients pay a fee to use the malware. Threat actors distribute Nexus inside apps that victims unknowingly install on Android devices, from which it targets the banking applications and cryptocurrency wallets present on the device. Once installed, the malware connects to its command and control (C2) server, which the threat actors use to remotely control the malware, issue commands and receive stolen data. Nexus provides a C2 web panel that offers a centralized interface for managing the malware and the data it collects, making it easier for attackers to carry out their operations. The malware is mainly aimed at taking over banking and cryptocurrency accounts: it logs the victim's keystrokes, steals two-factor authentication (2FA) codes delivered via SMS, and abuses Android Accessibility Services to steal crypto-wallet information, Google Authenticator 2FA codes and browser cookies. It targets roughly 450 financial applications. Newer additions to its functionality include the ability to delete received SMS messages, activate or stop the 2FA stealer module, and update itself by periodically polling the C2 server.

Note that Nexus is related to the SOVA banking trojan, which the NCC-CSIRT covered in advisory NCC-CSIRT-0816-045 on 25 August 2022.

Consequences:  Account takeover of banking portals and cryptocurrency wallets, and theft of two-factor authentication (2FA) codes delivered via SMS.

Impact/Probability: HIGH/HIGH

Solution:
  • Do not click on links in unsolicited emails or text messages.
  • Do not download attachments or apps sent to you by email or text message.
  • To avoid installing a malicious app, only install apps from the Google Play Store, and check each app's reviews and rating before installing. Pay close attention to the search results and to the app icons: fake apps almost always reuse the icon of the app they imitate. Research the developer's name and reputation by checking the products they have released, and look at the download count and reviews; an app with hundreds of thousands or millions of downloads is more likely to be the genuine one.
  • Always check the file type, the context and the sender address of emails. Use anti-spam features to filter out potentially harmful emails, then delete them.
  • Financial institutions should build a risk-based mobile security strategy and use it to detect fraud-by-malware on their customers' mobile devices in real time.
  • Always patch and update software periodically from the OEM's site.
  • Always use firewalls and security software, such as anti-malware, antivirus and attachment scanners.
  • Always use multifactor authentication. Where the service offers a choice, prefer a method that does not rely on SMS codes, since Nexus intercepts SMS and abuses Accessibility Services to read authenticator codes from the device.
References:
  • https://thehackernews.com/2023/03/nexus-new-rising-android-banking-trojan.html
  • https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet
  • https://www.securityweek.com/nexus-android-trojan-targets-450-financial-applications/
  • https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them#:~:text=Good%20cyber%20hygiene%20practices%20that,Follow%20email%20best%20practices
  • https://www.tripwire.com/state-of-security/what-malware-service-maas#:~:text=Malware%20as%20a%20Service%20is,support%20by%20the%20MaaS%20owners.