Nexus Android trojan is targeting financial apps and seizing bank accounts in its early stages of development. REUTERS/Kacper Pempel/Illustration

Cybercriminals are targeting 450 banking and financial apps with the help of a new Android banking trojan dubbed the Nexus banking trojan. Cybercriminals use a wide range of methods including trojans to target users around the world. Amid the growing rise of cyberattacks, VIPRE Security's John Trest recently urged companies to focus more on security awareness training.

To those unaware, a cyberattack alludes to a malicious attempt by an organisation or an individual to disrupt the victim's network for some type of benefit. For instance, US lawmakers have accused the Chinese government of using TikTok to collect data from 150 million American app users. However, it is unclear whether the US will be able to impose a nationwide ban on the video-sharing app.

The Nexus banking trojan is still reportedly in the early stage of development. However, Italian cybersecurity firm Cleafy claims it poses a serious threat to Android smartphone users. If an Android phone is infected with this malicious trojan, cybercriminals can take over the user's accounts. The trojan can steal the banking app's passwords. Aside from this, it can obstruct Google Authenticator codes and 2FA (two-factor authentication) codes sent via SMS as well.

To accomplish these tasks, the banking trojan manipulates Android's accessibility services. Threat intelligence firm Cyble shed some light on the recently surfaced Android banking trojan in a blog post earlier this month. The report explains how phishing pages that look like legitimate websites of the popular online video platform YouTube are distributing Nexus. The developers of the banking trojan are likely to improve it further although it already boasts alarming abilities.

MaaS (Malware-as-a-service)

The Nexus banking trojan was originally spotted on a Russian cybercrime forum. The forum described the trojan as a new project that works with Android versions up to Android 13. The inventors of the trojan are using a Malware-as-a-Service model to distribute it. In this model, hackers give other hackers access to the malware for a price.

According to a report by The Hacker News, the developers have restricted the trojan's use in selected countries. These include Indonesia, Ukraine, Uzbekistan, Tajikistan, Russia, Moldova, Kyrgyzstan, Kazakhstan, Belarus, Armenia, and Azerbaijan. Nexus uses overlay attacks to steal and clear victims' accounts. An overlay attack involves covering a legitimate banking app with a fake version.

When users go to log in to their accounts, the overlay records their usernames and password. Likewise, the Nexus Android banking trojan has a keylogger that can steal passwords that a user types in. It can even steal texts that are on autofill on their phone. The latest version of the trojan is capable of erasing text messages that arrive on the victim's device.

Aside from this, the Nexus' latest version can stop the infected device's 2FA stealer module and ping a C&C (cybercriminal-controlled command-and-control) server to update itself from time to time.

Staying safe from Android malware

There are a few things you can do to protect your device from Android malware such as the Nexus banking trojan. Avoid installing apps without going to the Google Play Store or the official app store. In other words, avoid sideloading apps. This method puts your Android phone at risk since details about the app's APK installation file are scarce. It may actually contain malware.

In addition to this, enable Google Play Protect on your Android phone to scan existing as well as new apps for malware. You can take it up a notch by installing an Android antivirus app. However, you are likely to download and install a malicious app even from official sources. So, it is recommended that you always do your research and read reviews before installing a new app.

Meanwhile, the creators of the Nexus banking trojan are earning a lot of money. So, they are likely to further develop the trojan and add new capabilities to it.