
Nexus is the name of a banking trojan targeting Android Operating Systems (OSes). According to the research done by Cyble analysts, Nexus is the rebranded version of the S.O.V.A. banking trojan.

As the classification implies, this malware primarily targets banking and finance-related information. However, Nexus has a variety of malicious functionalities and thus poses threats of an even broader scope.

Following successful infiltration (typically under the guise of a real or legitimate-sounding app), Nexus requests users to enable the Android Accessibility Services. These services are intended to provide additional aid for users that require it to use their devices. Accessibility Services can variously interact with a machine, i.e., simulate the touchscreen, read the screen, select options, etc. Hence, when a malicious program abuses these services – it gains control over all their functionalities.

After the Accessibility Services are enabled, Nexus can escalate its privileges and grant itself any additional permissions. The malware can prevent users from disabling the Android Accessibility Services, and it can deactivate Google Play Protect and various password security measures.

Nexus begins its operations by collecting device information, e.g., phone model, OS version, IMEI, battery status, IP address (geolocation), SIM card ID, phone number, mobile network data, etc.

Nexus targets over forty popular banking applications. It first checks the list of applications installed on the system, and if a match is found – the appropriate HTML injection code is downloaded. It is basically the matching phishing page for a specific bank app. The fake overlay is triggered when the user interacts with the application in question, and once the log-in credentials are entered – the malware sends them to the attackers.

This trojan has other abilities that aid it in gaining control over banking accounts and other sensitive content. Nexus can record keystrokes (keylogging) and manage SMSes, calls, and notifications. To elaborate, this malware can manipulate text messages by reading, intercepting, hiding, deleting, and sending them (to specific numbers or all contacts). Nexus' SMS-related functionalities allow it to obtain OTPs (One-Time Passwords) and 2FAs/MFAs (Two-Factor/Multi-Factor Authentications) sent by text. It can also acquire this information through the Google Authenticator. The trojan is capable of making stealthy phone calls and forwarding them, as well as altering contact information.
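Because the abuse described above hinges on a malicious app holding Accessibility Service access, a defender can audit that setting directly. The following is an added example, not code from the article or from Cyble: it parses the value printed by `adb shell settings get secure enabled_accessibility_services` (together with the `accessibility_enabled` switch) and flags any service whose package is not on a local allowlist. The allowlist, the package `com.example.sideloaded`, and the sample adb output are constructed for the example.

```python
"""Flag enabled Android Accessibility Services from untrusted packages.

Input is the raw text of:
    adb shell settings get secure accessibility_enabled
    adb shell settings get secure enabled_accessibility_services
"""
from dataclasses import dataclass

# Constructed allowlist of packages an organisation treats as legitimate
# accessibility providers; adjust for the fleet being audited.
TRUSTED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the colon-separated 'package/Class' list; 'null' means none.

    Android accepts the shorthand 'package/.Short', where the class name
    is relative to the package, so expand it to the full class name.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        if "/" not in component:
            continue  # malformed entry: skip it rather than abort the audit
        package, cls = component.strip().split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def audit(accessibility_enabled: str, enabled_services: str,
          trusted=TRUSTED_PACKAGES) -> list[AccessibilityService]:
    """Return enabled services whose package is not trusted."""
    if accessibility_enabled.strip() != "1":
        return []  # framework-wide switch is off, so no service is active
    return [s for s in parse_enabled_services(enabled_services)
            if s.package not in trusted]


# Constructed sample: a screen reader plus an unknown sideloaded app.
SAMPLE_ENABLED = "1"
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.sideloaded/.SvcA11y")

if __name__ == "__main__":
    for svc in audit(SAMPLE_ENABLED, SAMPLE_SERVICES):
        print(f"REVIEW: {svc.package} ({svc.service_class})")
```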
