The developer of the Android botnet is rending out Nexus through a Malware-as-a-Service (MaaS) subscription for $3000 per month.
A recent detailed technical analysis by Cleafy security researchers warns users about a new Android banking botnet called Nexus that was introduced by an individual on various underground hacking forums in January 2023.
The malware developer claimed that Nexus was entirely coded from scratch and that it could be rented out through a Malware-as-a-Service (MaaS) subscription for $3000 per month.
MaaS is a business model employed by cybercriminals to rent or sell their malware to other parties, particularly those who lack the technical knowledge to develop their own malware. This model is widely used in the distribution of Android banking trojans, as malware authors leverage MaaS platforms to reach a broader audience.
Nexus is a banking Trojan that primarily targets banking applications installed on Android devices. Nexus contains all the main features to perform Account Takeover attacks (ATO) against banking apps from all over the world and cryptocurrency services.
It can perform overlay attacks, keylogging activities, and steal SMS messages to obtain two-factor authentication codes. Through the abuse of the Accessibility Services, Nexus can steal some information from crypto wallets, the 2FA codes of the Google Authenticator app, and the cookies from specific websites.
Nexus is also equipped with a mechanism for autonomous updating. It asynchronously checks against its C2 server for updates when the malware is running. If the value sent back from the C2 does not correspond to the one installed on the device, the malware starts the update process. Otherwise, it ignores the value and continues with all its routine activities.
The malware is distributed through a MaaS platform called “Nexus Botnet,” which allows attackers to customize and distribute the malware as per their needs. The platform offers various features, including control panel access, auto-update, and anti-analysis techniques, making it harder for security researchers to detect and mitigate the threat.
Despite its authors claiming that the source code was written entirely from scratch, some code similarity with SOVA, an Android banking trojan that emerged in mid-2021, suggests that they may have reused some parts of its internals.
The SOVA author, who operates under the alias “sovenok,” called out an affiliate who rented SOVA previously for stealing the entire source code of the project. This event could explain why parts of the SOVA source code have been passing through multiple banking trojans.
Nexus also contains a module equipped with encryption capabilities which point towards ransomware. However, the company clarified that the module appeared to be undergoing development due to the presence of debugging strings and the lack of useful references.
“At the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world. Because of that, we cannot exclude that it will be ready to take the stage in the next few months,” the advisory concluded.