{
	"id": "f1a98892-b846-440f-bda4-70e8aca0dc96",
	"created_at": "2026-04-06T00:10:06.153528Z",
	"updated_at": "2026-04-10T13:12:25.907307Z",
	"deleted_at": null,
	"sha1_hash": "3e9df5878bbcac96d9280aeb7789e98313e08937",
	"title": "Nexus: a new Android botnet?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5497250,
	"plain_text": "Nexus: a new Android botnet?\r\nArchived: 2026-04-05 20:34:37 UTC\r\nKey point\r\nIn January 2023, a new Android banking trojan appeared on multiple hacking forums under the name Nexus. However, Cleafy’s Threat Intelligence \u0026 Response Team traced the first Nexus infections back to June 2022, well before the public announcement.\r\nNexus is promoted via a Malware-as-a-Service (MaaS) subscription, a type of cybercrime in which malware creators or distributors provide their services to other criminals or individuals on a rental or subscription basis. Developers offer their services on underground forums or through private channels (e.g., Telegram), and their clients pay a fee to use the malware.\r\nNexus appears to be in its early stages of development (BETA). Multiple campaigns active worldwide confirm that multiple TAs are already using this threat to conduct fraudulent campaigns.\r\nNexus provides all the main features needed to perform Account Takeover (ATO) attacks against banking portals and cryptocurrency services, such as credential stealing and SMS interception. It also provides a built-in list of injections against 450 financial applications.\r\nDespite Nexus being promoted as brand-new malware, it shows some relations to the SOVA banking trojan, suggesting that its developers adopted and reused older code.\r\nIntroduction\r\nAt the beginning of January 2023, a new Android banking botnet named Nexus was promoted by a user on multiple underground hacking forums. The following image shows the original thread posted by the author:\r\nhttps://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet\r\nPage 1 of 12\r\nFigure 1 - Nexus thread on a hacking forum\r\nFollowing the discussion, the authors claim that the source code of Nexus has been written entirely from scratch, but that it is still in its early development days. 
Despite this, the authors behind Nexus announced that it was already available for rent at the steep price of $3000 per month through a MaaS subscription. MaaS stands for Malware-as-a-Service, a model used in the cybercrime world to offer malware for rent or sale to other TAs who lack the technical expertise to develop their own.\r\nThis model is prevalent among Android banking trojans, where malware authors use MaaS platforms to distribute their malware to a broader audience. The MaaS model allows criminals to monetize their malware more efficiently by providing a ready-made infrastructure to their customers, who can then use the malware to attack their targets.\r\nIt is common for MaaS providers to impose restrictions on the geographies where their customers can conduct attacks using rented or purchased malware. The Nexus authors, for example, have a \"code of conduct\" rule prohibiting the use of their malware in Russia and CIS countries.\r\nFigure 2 - Nexus code of conduct for customers\r\nPrevious activities and linking with SOVA\r\nDespite the official launch of the Nexus MaaS program on 27th January 2023, our internal telemetry identified earlier activity related to this botnet, as shown in the following Figure:\r\nFigure 3 - Nexus activities (Cleafy telemetries)\r\nIn August 2022, during the analysis of those samples, technical indicators suggested some code similarity between Nexus samples and SOVA, an Android banking trojan that emerged in mid-2021. 
At that time, it was considered a new variant of SOVA, as described in our previous blog article.\r\nDespite the new MaaS program launched under the name Nexus, the authors may have reused some parts of SOVA's internals to write new features (and rewrite some of the existing ones).\r\nRecently, the SOVA author, who operates under the alias “sovenok”, started sharing some insights on Nexus and its relationship with SOVA, calling out an affiliate who previously rented SOVA for stealing the entire source code of the project.\r\nFigure 4 - sovenok accusing other TAs of stealing SOVA source code\r\nThis event could explain why parts of the SOVA source code have been passing through multiple banking trojans. In fact, sovenok identified another Android botnet that operates under the name POISON, which he considers to be closely linked to Nexus:\r\nFigure 5 - ‘sovenok’ linking the Nexus and POISON banking trojans\r\nFocusing on technical indicators, the following Figure shows the overlap found between the commands of SOVA and Nexus. Most of the SOVA commands (marked in green) appear to have been reused in Nexus:\r\nFigure 6 - Commands overlap between Nexus and SOVA\r\nAnother similarity between Nexus and SOVA is how the geographic location is checked. Analyzing the bootstrap of the infection, it was possible to discover that Nexus implements a function called preloadCheck() to identify whether the victim is actually in a country “allowed” to be attacked. 
If the check succeeds, it starts the infection chain. Otherwise, the application simply terminates the activity.\r\nFigure 7 - Checking the geographic location of the device\r\nCurrently, the countries that are excluded are: AZ (Azerbaijan), AM (Armenia), BY (Belarus), KZ (Kazakhstan), KG (Kyrgyzstan), MD (Moldova), RU (Russian Federation), TJ (Tajikistan), UZ (Uzbekistan), UA (Ukraine), ID (Indonesia).\r\nFigure 8 - Excluded countries\r\nMoreover, another routine is deployed to discern whether the victim is eligible to become part of the botnet. In this case, the attackers try to verify whether the official Sberbank (Russia's biggest bank) application is installed.\r\nFigure 9 - Check for the presence of the Sberbank mobile application\r\nLastly, there are many similarities in the APIs used by both SOVA and Nexus to communicate with the C2 server, as confirmed by sovenok.\r\nFigure 10 - sovenok accuses other TAs of stealing SOVA APIs\r\nTechnical Analysis: Main features and Commands\r\nNexus contains all the main features needed to perform Account Takeover (ATO) attacks against banking apps from all over the world and against cryptocurrency services. 
In particular, it can:\r\nPerform overlay attacks and keylogging to steal users' credentials.\r\nFigure 11 - Nexus overlay attack\r\nSteal SMS messages to obtain two-factor authentication codes.\r\nThrough the abuse of the Accessibility Services, steal information from crypto wallets (such as seeds and balances), the 2FA codes of the Google Authenticator app, and the cookies of specific websites.\r\nComparing the command lists of two Nexus samples (one from August 2022 and one from March 2023), it is possible to note the addition of some new commands, such as the ability to delete received SMS messages and to activate or stop the 2FA stealer module.\r\nThis evidence, in addition to some claims by the Nexus author concerning the possibility of adding a VNC module, underlines the desire to further improve the malware with new features.\r\nFigure 12 - New Nexus commands in recent samples\r\nUpdate Capacity\r\nNexus is also equipped with a mechanism for autonomous updating. A dedicated function asynchronously checks its C2 server for updates while the malware is running. More specifically, it queries a dedicated endpoint for the latest version; the request looks like the following line:\r\nhttp(s)://C2_domain/lastversion?access=XXXXX\u0026key=XXXXXXXX\r\nIf the value returned by the C2 does not correspond to the version installed on the device, the malware starts the update process. Otherwise, it ignores the value and continues with its routine activities. 
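The version poll described above is a useful hunting artefact, and the report later suggests telling custom builds apart by the key value it carries. The following Python script is an added example written for this page, not code from Cleafy or from the Nexus authors: it refangs the C2 addresses listed in the appendix, parses a few constructed proxy log lines, flags requests that either reach a known C2 or match the /lastversion?access=...&key=... pattern, and groups the observed key values per polled host. The log format and the sample lines are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# C2 addresses exactly as listed (defanged) in the report appendix.
DEFANGED_C2 = ['193.42.32.]87', '193.42.32.]84']

# Constructed proxy log lines for the example (not real telemetry):
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_LOG = [
    '2023-03-21T10:15:02Z 10.0.0.12 GET http://193.42.32.87/lastversion?access=aaaa1&key=k0001 200',
    '2023-03-21T10:15:09Z 10.0.0.12 GET http://193.42.32.87/ 200',
    '2023-03-21T10:16:40Z 10.0.0.31 GET http://198.51.100.7:5000/lastversion?access=bbbb2&key=k0002 200',
    '2023-03-21T10:17:00Z 10.0.0.44 GET https://www.example.org/lastversion 200',
    '2023-03-21T10:17:30Z 10.0.0.44 GET https://www.example.org/index.html 200',
    '2023-03-21T10:18:00Z 10.0.0.31 GET http://198.51.100.7:5000/lastversion?access=bbbb2&key=k0003 200',
]


def refang(ioc):
    # Undo the common defanging conventions (1[.]2[.]3[.]4 and 1.2.3.]4) so the
    # indicator can be compared with the host field of a log record.
    return ioc.replace('[.]', '.').replace('.]', '.').replace('[', '').replace(']', '')


C2_HOSTS = {refang(ioc) for ioc in DEFANGED_C2}


def parse_line(line):
    # Split one whitespace-separated log record and decompose its URL.
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    u = urlsplit(url)
    return {
        'ts': ts,
        'client': client,
        'host': u.hostname,
        'path': u.path,
        'query': parse_qs(u.query),
        'status': status,
    }


def is_update_check(rec):
    # The report describes the poll as http(s)://C2/lastversion?access=...&key=...;
    # requiring both parameters keeps unrelated /lastversion paths out of the results.
    return rec is not None and rec['path'] == '/lastversion' and 'access' in rec['query'] and 'key' in rec['query']


def hunt(lines):
    # Return (hits, keys_by_c2): hits are flagged requests with the reason they
    # matched; keys_by_c2 maps each host polled for updates to the key values seen,
    # which is the grouping the report proposes for tracking custom builds.
    hits = []
    keys_by_c2 = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        known_c2 = rec['host'] in C2_HOSTS
        update = is_update_check(rec)
        if not (known_c2 or update):
            continue
        reasons = []
        if known_c2:
            reasons.append('known_c2')
        if update:
            reasons.append('update_check_pattern')
            keys_by_c2.setdefault(rec['host'], set()).update(rec['query']['key'])
        hits.append({'ts': rec['ts'], 'client': rec['client'], 'host': rec['host'], 'reason': '+'.join(reasons)})
    return hits, keys_by_c2


if __name__ == '__main__':
    found, keys = hunt(SAMPLE_LOG)
    for h in found:
        print(h['ts'], h['client'], '->', h['host'], h['reason'])
    for host, ks in sorted(keys.items()):
        print(host, 'keys:', sorted(ks))
```

The pattern match is deliberately kept separate from the IOC match: a host that is not yet on any blocklist but serves the same /lastversion?access=&key= poll is exactly the kind of new C2 the Shodan trend in the report hints at, and the set of keys seen per host gives a first estimate of how many customized builds talk to it.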
The update begins by concatenating the C2 URL and a key that is used as an authorization token.\r\nFigure 13 - Update APK routine\r\nAt the time of writing, the available version corresponds to build 7.20.\r\nFigure 14 - Latest build version available\r\nAnalysts can use the “key” value to keep track of different custom versions of Nexus: it was possible to identify a slightly modified version of the malware for each key. This suggests that more actors are renting customized samples aimed at specific targets and countries.\r\nFigure 15 - Latest build version available\r\nRansomware module?\r\nAccording to the information retrieved from various samples, Nexus is equipped with encryption capabilities. However, this module seems to be under development, given the presence of debugging strings and the lack of usage references (especially within the C2 command list).\r\nWe also cannot exclude that this function is a “typo” associated with the cut-and-paste activity that seems to involve many parts of the code.\r\nFigure 16 - AES encryption routine (not in use)\r\nIt is reasonable to ask why this encryption paradigm has been implemented. One explanation could be an attempt to make it harder for the user to realize what happened. A similar, even more destructive approach has been used by Brata, where TAs adopted the strategy of factory resetting the device right after an unauthorized wire transfer attempt to reduce the evidence.\r\nIn our experience, it is also hard to envisage a ransomware modus operandi on mobile devices, since most of the information stored is synced with cloud services and easily recoverable. 
In fact, as confirmed by sovenok, he started designing a ransomware capability in SOVA, but it turned out to be pointless for a banking trojan on mobile devices.\r\nFigure 17 - SOVA author explains his initial goal of a ransomware module\r\nNoisy Logs\r\nAnother interesting characteristic of Nexus that strengthens the hypothesis of its development stage is the number of logging messages spread throughout the code. Those messages are intended to track all actions performed, and some of them are paired with a debugging string that contains the message “plz report this accident”.\r\nFigure 18 - Logging strings\r\nLogging messages are not limited to the local device. In fact, it was possible to discover that most of the messages are also intended to be sent over the C2 communication channel. The message should follow this syntax: [ botId : Log Message ]. However, at the time of writing, due to the lack of references to the botId variable in the logging class, this capability still seems to be in the development phase.\r\nC2 web panel\r\nOnce Nexus is installed on a victim's device, it connects to its C2 server. This server is used by TAs to remotely control the malware, issue commands, and receive stolen data.\r\nNexus provides a C2 web panel, an essential tool for cyber criminals who use malware or a botnet to carry out attacks. 
It provides a centralized interface for managing the malware and the data it collects, making it easier for attackers to carry out their malicious activities.\r\nTypically, Nexus C2 web panels expose the login page on the Internet through port 80 or 5000, as follows:\r\nFigure 19 - Management console: Home page\r\nThe string “Jojo no Kimyou na Bouken: Eyes of Heaven” references an action video game based on the “JoJo's Bizarre Adventure” manga series by Hirohiko Araki, a Japanese manga artist.\r\nOnce logged in, the panel offers the following features:\r\nDashboard: displays the status of the botnet, including the number of infected devices, the data collected, and any recent activity.\r\nBots: a detailed list of the infected devices, their locations, and other metrics.\r\nData Collection: tools for collecting and analyzing data from infected devices. This includes login credentials, cookies, credit card details, and other sensitive information.\r\nInjects: a comprehensive list of 450 banking application login pages for grabbing valid credentials.\r\nBuilder: an interface for creating customized versions of Nexus, allowing TAs to customize various aspects, such as the command-and-control server (C\u0026C) address, and the icon and name of the app.\r\nFigure 20 - Dashboard with detailed botnet information\r\nFigure 21 - Details of exfiltrated data (known as “logs”)\r\nAs the alleged author claimed on multiple hacking forums, the complete list of injections has 450 different targets, which are searchable through the panel. 
They also offer the possibility to create custom injections.\r\nFigure 22 - Injection list\r\nPivoting on C2 fingerprints through Internet search engines such as Shodan can provide excellent information; in this case, it confirms that the growing trend began in the very first days of 2023, when Nexus was officially promoted on multiple hacking forums:\r\nFigure 23 - C2 fingerprinting over time (source: Shodan Trends)\r\nConclusion\r\nNexus is an emerging malware that allegedly has taken more than a few “ideas” from SOVA (a threat that hit the international landscape last year). According to the similarities observed in the code and the insights retrieved from underground forums, it is possible to confirm that Nexus represents a new malware, run by an entirely new group, which was able to obtain parts of the SOVA source code after they were stolen by an Android botnet operator called POISON.\r\nBy analyzing the latest retrieved samples, we can say that Nexus is still at an early stage of development, still including snippets of code that seem to belong to its ancestor.\r\nAs always, the main question here is: does it represent a threat to Android users?\r\nAt the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world. 
Because of that, we cannot exclude that it will be ready to take the stage in the next few months.\r\nAppendix 1: IOCs\r\nIoC Description\r\nd4c6871dbd078685cb138a499113d280 MD5 of Nexus\r\n193.42.32.]87 C2\r\n193.42.32.]84 C2\r\nMeet the authors\r\nFrancesco Iubatti - Mobile Malware Analyst \u0026 Threat Intelligence Analyst.\r\nFederico Valentini - Head of Threat Intelligence and Incident Response.\r\nAlessandro Strino - Malware Analyst.\r\nSource: https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet"
	],
	"report_names": [
		"nexus-a-new-android-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e9df5878bbcac96d9280aeb7789e98313e08937.pdf",
		"text": "https://archive.orkl.eu/3e9df5878bbcac96d9280aeb7789e98313e08937.txt",
		"img": "https://archive.orkl.eu/3e9df5878bbcac96d9280aeb7789e98313e08937.jpg"
	}
}