{
	"id": "e67174b5-3b64-43cd-8e55-c29d82339e59",
	"created_at": "2026-04-06T00:10:44.235367Z",
	"updated_at": "2026-04-10T03:21:51.756467Z",
	"deleted_at": null,
	"sha1_hash": "55a3142c604a191fa2eff9a3c8aec32fcce5e779",
	"title": "Nexus: New Android Banking Trojan Linked To SOVA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1461678,
	"plain_text": "Nexus: New Android Banking Trojan Linked To SOVA\r\nPublished: 2023-03-09 · Archived: 2026-04-05 16:14:57 UTC\r\nCyble analyzes the Nexus Android banking Trojan, linked to the infamous SOVA group, which poses a significant threat to mobile banking users.\r\nFamous Banking Applications Now at Risk of Credential Theft\r\nThreat Actors (TAs) commonly promote their malware in cybercrime forums, as it enables them to profit from their illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a larger audience.\r\nCyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information whenever a new strain of malware is discovered and advertised by TAs.\r\nCRIL recently discovered an advertisement on a Russian cybercrime forum for an Android banking trojan called Nexus, offered by a TA. According to the TA, the malware is a new project under continuous development and is compatible with Android versions up to 13.\r\nThe figure below shows the TA’s advertisement on the cybercrime forum.\r\nhttps://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections\r\nPage 1 of 15\n\nFigure 1 – TA’s Advertisement on the Cybercrime Forum\r\nIn their advertisement, the TA also included a screenshot of the Nexus panel and a list of its target applications, as shown below.\r\nFigure 2 – List of Applications Targeted by Nexus\r\nFurther investigation revealed that the Nexus malware was being distributed through phishing pages disguised as legitimate websites of YouTube Vanced. 
The phishing pages included sites such as youtubeadvanced[.]net and youtubevanvedadw[.]net, among others.\r\nAfter analyzing the Nexus samples obtained from the phishing pages, it was determined that the malware’s code shares similarities with that of the S.O.V.A banking trojan, which was first discovered in mid-2021 and specifically designed to target Android devices. This blog provides a detailed technical overview of the Nexus Android banking trojan.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Youtube Vanced\r\nPackage Name: com.toss.soda\r\nSHA256 Hash: 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f\r\nFigure 3 shows the metadata information of the application.\r\nFigure 3 – App Metadata Information\r\nThe figure below shows the application icon and name displayed on the Android device.\r\nFigure 4 – App Icon and Name\r\nManifest Description\r\nThe malware requests 50 different permissions from the user, of which it abuses at least 14. 
These dangerous permissions are listed below.\r\nPermissions Description\r\nREAD_SMS Access SMSs from the victim’s device.\r\nRECEIVE_SMS Intercept SMSs received on the victim’s device.\r\nREAD_CONTACTS Access phone contacts.\r\nREAD_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.\r\nSEND_SMS Allows an application to send SMS messages.\r\nCALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.\r\nWRITE_EXTERNAL_STORAGE Allows the app to write or delete files in the device’s external storage.\r\nDISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security.\r\nGET_ACCOUNTS Allows access to the list of accounts in the Accounts Service.\r\nGET_TASKS Allows an application to retrieve information about currently and recently running tasks.\r\nREAD_EXTERNAL_STORAGE Allows an application to read from external storage.\r\nREQUEST_INSTALL_PACKAGES Malicious applications can use this to try and trick users into installing additional malicious packages.\r\nSYSTEM_ALERT_WINDOW Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone.\r\nWRITE_CONTACTS Allows an application to modify the contact (address) data stored on your phone.\r\nWe observed a launcher activity defined in the malicious app’s manifest file, which loads the application’s first screen, as shown in the figure below.\r\nFigure 5 – Launcher Activity\r\nUpon examining the Dex, we found that the components specified in the manifest file were absent. 
This suggests that the application has been packed.\r\nFigure 6 – Components Defined in Manifest are Missing in the Dex\r\nAfter being executed, the malware unpacks the IWGFPqP.json file from the assets section of the APK. The unpacked file, which contains the malicious code, is then dropped in the application’s system folder.\r\nFigure 7 – Malware Drops Unpacked File\r\nSource Code Review\r\nThe malware prompts the user to enable the Accessibility Service when it is launched for the first time. Once the victim grants this permission, the malware abuses the service to automatically approve requested permissions, enable device administration, and initiate keylogging.\r\nThe malware operates surreptitiously by establishing a connection to the Command and Control (C\u0026C) server via the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including Accessibility logs and a list of installed applications, to the C\u0026C server, as shown in the figure below.\r\nFigure 8 – Malware Sends Installed Applications List to the C\u0026C Server\r\nUpon receiving the list of installed applications, the C\u0026C server verifies it against the targeted list of banking applications. If a match is found, the C\u0026C server sends an “enableinject” command including the specific application’s package name, as shown in the code snippet below.\r\nFigure 9 – Malware Receives the Command from the C\u0026C Server Based on the Target Application\r\nUpon receiving the “enableinject” command from the C\u0026C server, the Nexus banking trojan on the victim’s device downloads the HTML injection code for the targeted application based on the package name received. 
The downloaded HTML injection code is essentially a phishing page for the specific banking application, which is launched in a WebView whenever the victim interacts with the targeted application. By using this injection technique, the TA can easily obtain the targeted banking application’s credentials.\r\nThe image below shows the code of the Nexus malware downloading HTML phishing pages.\r\nFigure 10 – Malware downloading Phishing HTML pages from C\u0026C Server\r\nThe table below lists the package names of the banking applications that Nexus explicitly targets.\r\ntr.com.sekerbilisim.mbank\r\nfinansbank.enpara\r\ncom.ziraat.ziraatmobil\r\ncom.ykb.android\r\ncom.vakifbank.mobile\r\ncom.tmobtech.halkbank\r\ncom.teb\r\ncom.pttfinans\r\ncom.pozitron.iscep\r\ncom.mobillium.papara\r\ncom.kuveytturk.mobil\r\ncom.ingbanktr.ingmobil\r\ncom.htsu.hsbepersonalbanking\r\ncom.garanti.cepsubesi\r\ncom.finansbank.mobile.cepsube\r\ncom.denizbank.mobildeniz\r\ncom.akbank.android.apps.akbank_direkt\r\napp.wizink.es\r\ncom.imaginbank.app\r\ncom.kutxabank.android\r\ncom.cajasur.android\r\ncom.bbva.bbvacontigo\r\ncom.cajaingenieros.android.bancamovil\r\ncom.fibabanka.mobile\r\ncom.bancodebogota.bancamovil\r\nwww.ingdirect.nativeframe\r\ncom.bankinter.launcher\r\ncom.rsi\r\ncom.bbva.netcash\r\nes.bancosantander.apps\r\nes.evobanco.bancamovil\r\ncom.tecnocom.cajalaboral\r\ncom.grupocajamar.wefferent\r\nnet.inverline.bancosabadell.officelocator.android\r\nes.ibercaja.ibercajaapp\r\nes.lacaixa.mobile.android.newwapicon\r\ncom.lynxspa.bancopopolare\r\ncom.latuabancaperandroid\r\ncom.app.ecobank\r\ncom.paypal.android.p2pmobile\r\nThe Nexus malware can acquire seed phrases from Trust and Exodus wallets and steal wallet balances by abusing the Accessibility service, as shown in the code snippet below.\r\nFigure 11 – Malware Extracts Balance and Seed Phrase of Crypto Wallets\r\nLike the SOVA v5 variant, the Nexus malware incorporates a ransomware module that encrypts files stored on the compromised device.\r\nThe figure below illustrates this function.\r\nFigure 12 – Ransomware Module in the Nexus Malware\r\nThe malware registers a PingTasks service, which is responsible for receiving commands from the C\u0026C server and carrying out the corresponding operations.\r\nFigure 13 – Malware Receives Commands from the C\u0026C Server\r\nBelow, we have listed the commands used by the TAs to control infected devices:\r\nCommand Description\r\nget2fa Extracts the 2FA code from Google Authenticator\r\nstart2faactivator Enables the 2FA activator\r\nstop2faactivator Disables the 2FA activator\r\ndelbot Deactivates the device admin and uninstalls the malware\r\nopenurl Opens the URL received from the C\u0026C server in the WebView\r\nstartlock Locks the screen\r\nstoplock Unlocks the screen\r\ngetperm Starts device admin 
activation\r\ndelapp Functionality not implemented; saves a Boolean value into the shared preference\r\nclearappdata Not implemented\r\nstartextraverbose Sets the shared preference variable to TRUE\r\nstopextraverbose Sets the shared preference variable to FALSE\r\nstarthidenpush Hides push notifications\r\nstophidenpush Stops hiding push notifications\r\nstarthidesms Hides SMSs\r\nstophidesms Stops hiding SMSs\r\nscancookie Inserts a package name into the cookie-stealing list\r\nstopcookie Removes a package name from the cookie-stealing list\r\nscaninject Adds injections to the “injects” list\r\nstopscan Removes injections from the “injects” list\r\ngetsms Steals SMSs from the infected device\r\nclearsmslist Deletes SMSs from the infected device\r\nstartkeylogs Starts keylogging\r\nstopkeylogs Stops keylogging\r\ncontactssender Sends SMSs to the contacts present on the infected device\r\nsendsms Sends SMSs from the infected device\r\nopeninject Downloads and starts the injection for the targeted application\r\ngetapps Collects basic device information\r\nsendpush Shows a push notification\r\nenableinject Receives the target app for injection\r\nrunapp Runs an application based on the server response\r\nforwardcall Forwards the call\r\ncall Makes the call\r\ndisableinject Deletes injections\r\ngetcontacts Collects the contact list from the infected device\r\nstartmute Mutes the infected device\r\nstopmute Unmutes the infected device\r\ngettrustwallet Steals the Trust wallet seed phrase and balance\r\ngetexodus Steals the Exodus wallet seed phrase and balance\r\nConclusion\r\nIn the past, TAs created the fifth iteration of the S.O.V.A. Android banking trojan, which not only targeted the banking sector but also included a ransomware feature. Now, TAs are advertising a rebranded version of the S.O.V.A. 
malware called “Nexus” on cybercrime forums with an updated list of targeted banks. By exploiting accessibility services, the “Nexus” Android banking Trojan can now target 40 banking applications to steal user credentials.\r\nCyble Research \u0026 Intelligence Labs continuously monitors campaigns. We will keep updating our readers with the latest information as and when we find it.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by anti-virus software and the Android OS and take the necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile data and remove the SIM card, as in some cases the malware can re-enable Mobile Data.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of 
personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as a Legitimate Application\r\nDiscovery T1418 Application Discovery\r\nCredential Access T1411 Input Prompt\r\nImpact T1582 SMS Control\r\nImpact T1447 Delete Device Data\r\nCollection T1432 Access Contacts List\r\nCollection T1412 Access SMS List\r\nDefense Evasion T1418 Application Discovery\r\nCommand and Control T1436 Commonly Used Port\r\nExfiltration T1567 Exfiltration Over Web Service\r\nIndicators of Compromise (IOCs)\r\nIndicators Indicator Type Description\r\n3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f SHA256 Nexus APK\r\n1c99c658e30c672927dccbd8628107abf36d990d SHA1 Nexus APK\r\nd87e04db4f4a36df263ecbfe8a8605bd MD5 Nexus APK\r\nhxxp://5.161.97[.]57:5000 URL C\u0026C URL\r\nSource: https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections"
	],
	"report_names": [
		"nexus-the-latest-android-banking-trojan-with-sova-connections"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55a3142c604a191fa2eff9a3c8aec32fcce5e779.pdf",
		"text": "https://archive.orkl.eu/55a3142c604a191fa2eff9a3c8aec32fcce5e779.txt",
		"img": "https://archive.orkl.eu/55a3142c604a191fa2eff9a3c8aec32fcce5e779.jpg"
	}
}