Nexus: New Android Banking Trojan Linked To SOVA
Published: 2023-03-09 · Archived: 2026-04-05 16:14:57 UTC
Cyble analyzes Nexus Android banking Trojan linked to the infamous SOVA group, posing a significant threat to
mobile banking users.
Famous Banking Applications Now at Risk of Credential Theft
Threat Actors (TAs) commonly promote their malware in cybercrime forums as it enables them to profit from their
illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a
larger audience.
Cyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information
whenever a new strain of malware is discovered and advertised by TAs.
World's Best AI-Native Threat Intelligence
CRIL recently discovered an advertisement on a Russian cybercrime forum for an Android banking trojan called
Nexus, offered by a TA. According to the TA, the malware is a new project continuously developed and
compatible with Android versions up to 13.
The below figure shows the TAs advertisement on the cybercrime forum.
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 1 of 15

Figure 1 – TA’s Advertisement on the Cybercrime Forum
In their advertisement, the TA also included a screenshot of the Nexus panel and a list of its target applications, as
shown below.
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 2 of 15

Figure 2 – List of Applications Targeted by Nexus
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 3 of 15

Further investigations revealed that the Nexus malware was being distributed through phishing pages disguised as
legitimate websites of YouTube Vanced. The phishing pages included sites such as youtubeadvanced[.]net and
youtubevanvedadw[.]net, among others.
After analyzing the Nexus samples obtained from the phishing pages, it was determined that the malware’s code
shares similarities with that of S.O.V.A banking trojan, which was first discovered in mid-2021 and specifically
designed to target Android devices. This blog provides a detailed technical overview of the Nexus Android
banking trojan.
Technical Analysis
APK Metadata Information
App Name:  Youtube Vanced
Package Name: com.toss.soda
SHA256 Hash: 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f
The figure 3 shows the metadata information of an application.
Figure 3 – App Metadata Information
The figure below shows the application icon and name displayed on the Android device.
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 4 of 15

Figure 4 – App Icon and Name
Manifest Description
The malware requests users for 50 different permissions, which it abuses at least 14. These dangerous permissions
are listed below.
Permissions Description
READ_SMS Access SMSs from the victim’s device.
RECEIVE_SMS Intercept SMSs received on the victim’s device
READ_CONTACTS Access phone contacts
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 5 of 15

READ_PHONE_STATE
Allows access to phone state, including the current
cellular network information, the phone number and the
serial number of the phone, the status of any ongoing
calls, and a list of any Phone Accounts registered on the
device.
SEND_SMS Allows an application to send SMS messages.
CALL_PHONE
Allows an application to initiate a phone call without
going through the Dialer user interface for the user to
confirm the call.
WRITE_EXTERNAL_STORAGE
Allows the app to write or delete files in the device’s
external storage
DISABLE_KEYGUARD
Allows the app to disable the keylock and any
associated password security
GET_ACCOUNTS
Allows access to the list of accounts in the Accounts
Service.
GET_TASKS
Allows an application to retrieve information about
currently and recently running tasks.
READ_EXTERNAL_STORAGE Allows an application to read from external storage
REQUEST_INSTALL_PACKAGES
Malicious applications can use this to try and trick users
into installing additional malicious packages.
SYSTEM_ALERT_WINDOW
Allows an application to show system-alert windows.
Malicious applications can take over the entire screen
of the phone.
WRITE_CONTACTS
Allows an application to modify the contact (address)
data stored on your phone
We observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first
screen, as shown in the figure below.
Figure 5 – Launcher Activity
Upon examining the Dex, we found that the components specified in the manifest file were absent. It suggests that
the application has been packed. 
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 6 of 15

Figure 6 – Components Defined in Manifest are Missing in the Dex
After being executed, the malware unpacks the IWGFPqP.json file from the assets section of the APK file. The
unpacked file is then dropped in the application system folder containing the malicious code.
Figure 7 – Malware Drops Unpacked File
Source Code Review
The malware prompts the user to enable the Accessibility Service upon launching it for the first time. Once the
victim grants this permission, the malware exploits the service to automatically approve requested permissions,
enable device administration, and initiate keylogging activities.
The malware operates surreptitiously by establishing a connection to the Command and Control (C&C) server via
the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including
Accessibility logs and a roster of installed applications to the C&C server as shown in the below figure.
Figure 8 – Malware Sends Installed Applications List to the C&C Server
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 7 of 15

Upon receiving the list of installed applications, the command and control (C&C) server verify it against the
targeted list of banking applications. If a match is found, the C&C server sends an “enableinject” command,
including the specific application’s package name, as shown in the code snippet below.
Figure 9 – Malware Received the Command from the C&C Server Based on the Target Application
Upon receiving the “enableinject” command from the C&C server, the Nexus banking trojan on the victim’s
device downloads the HTML injection code for the targeted application based on the package name received. The
downloaded HTML injection code is essentially a phishing page for the specific banking application, which is
launched in the WebView interface whenever the victim interacts with the targeted applications. By utilizing this
injection technique, the TA can easily obtain the targeted banking application credentials.
The below image shows the code of Nexus malware downloading HTML phishing pages.
Figure 10 – Malware downloading Phishing HTML pages from C&C Server
The table below depicts the package names of the banking applications that Nexus explicitly targets.
tr.com.sekerbilisim.mbank
finansbank.enpara
com.ziraat.ziraatmobil
com.ykb.android
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 8 of 15

com.vakifbank.mobile
com.tmobtech.halkbank
com.teb 
com.pttfinans
com.pozitron.iscep
com.mobillium.papara
com.kuveytturk.mobil
com.ingbanktr.ingmobil
com.htsu.hsbepersonalbanking
com.garanti.cepsubesi
com.finansbank.mobile.cepsube
com.denizbank mobildeniz
com.akbank.android.apps.akbank_direkt
app.wizink.es
com.imaginbank.app
com kutxabank.android
com.cajasur.android
com.bbva.bbvacontigo
com.cajaingenieros.android.bancamovil
com. fibabanka.mobile
com.bancodebogota.bancamovil
www. ingdirect.nativeframe
com.bankinter.launcher
com.rsi
com.bbva.netcash
es.bancosantander.apps
es.evobanco.bancamovil
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 9 of 15

com.tecnocom.cajalaboral
com.grupocajamar.wefferent
net.inverline.bancosabadell.officelocator.android
es.ibercaja.ibercajaapp Banks
es.lacaixa.mobile.android.newwapicon
com.lynxspa.bancopopolare
com latuabancaperandroid
com.app.ecobank
com.paypal.android.p2pmobile
The Nexus malware can acquire seed phrases from Trust and Exodus wallets and steal wallet balances by abusing
the Accessibility service, as shown in the below code snippet.
Figure 11 – Malware Extracts Balance and Seed Phrase of Crypto Wallets
Like the SOVA v5 variant, the Nexus malware incorporates a ransomware module that encrypts files stored on the
compromised device.
The figure below illustrates this function.
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 10 of 15

Figure 12 – Ransomware Module in the Nexus Malware
A PingTasks service has been registered by the malware, which is responsible for receiving commands from the
C&C server and carrying out the respective operations.
Figure 13 – Malware Receives Commands from the C&C Server
Below, we have listed the commands used by the TAs to control infected devices:
Command Description
get2fa Extracting 2FA code from Google Authenticator
start2faactivator Enables 2FA activator
stop2faactivator Disables 2FA activator
delbot Deactivate the device admin and uninstall the malware
openurl Opens the URL received from the C&C server into the WebView
startlock Locks the screen
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 11 of 15

stoplock Unlocks the screen
getperm Starts device admin activation
delapp
Functionality not implemented, saving Boolean value into shared
preference
clearappdata Not Implemented
startextraverbose Saving value in the shared preference variable to TRUE.
stopextraverbose Saving value in the shared preference variable to FALSE.
starthidenpush Hides push notifications
stophidenpush Stops hiding push notifications
starthidesms Hide SMSs
stophidesms Stops hiding SMSs
scancookie Insert package name to the cookie-stealing list
stopcookie Removes package name from the cookie-stealing list
scaninject Add injections to the “injects” list
stopscan Remove injections from the “injects” list
getsms Steal SMSs from an infected device
clearsmslist Delete SMSs from an infected device
startkeylogs Starts keylogging
stopkeylogs Stops keylogging
contactssender Send SMSs to the contacts present in an infected device
sendsms Sends SMSs from an infected device
openinject Downloads and start injection for targeted application
getapps Collecting basic device information
sendpush Shows push notification
enableinject Receives the target app for injection
runapp Run application based on server response
forwardcall Forwards the call
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 12 of 15

call Make the call
disableinject Delete injections
getcontacts Collects contact list from the infected device
startmute Mutes an infected device
stopmute Unmutes an infected device
gettrustwallet Steal the Trust wallet seed phrase and balance
getexodus Steals Exodus wallet seed phrase and balance
Conclusion
In the past, TAs had created the fifth iteration of the S.O.V.A. Android banking trojan, which not only targeted the
banking sector but also included a ransomware feature. Now, TAs are advertising a rebranded version of the
S.O.V.A. malware called “Nexus” on cybercrime forums with an updated list of targeted banks. By exploiting
accessibility services, the “Nexus” Android banking Trojan can now target 40 banking applications to steal user
credentials.
Cyble Research & Intelligence Labs continuously monitors campaigns. We will keep updating our readers with the
latest information as and when we find it.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow the best practices given below:  
How to prevent malware infection?
Download and install software only from official app stores like Google Play Store or the iOS App Store.
Use a reputed anti-virus and internet security software package on your connected devices, such as PCs,
laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device
where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful while enabling any permissions.
Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 13 of 15

Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile
Data.
Perform a factory reset.
Remove the application in case a factory reset is not possible.
Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
Banks and other financial entities should educate customers on safeguarding themselves from malware
attacks via telephone, SMSs, or emails. 
MITRE ATT&CK® Techniques
Tactic Technique ID Technique Name
Initial Access T1476 Deliver Malicious App via Other Means.
Initial Access T1444 Masquerade as a Legitimate Application
Discovery T1418 Application discovery
Credential Access T1411 Input Prompt
Impact T1582 SMS Control
Impact T1447 Delete device data
Collection T1432 Access Contacts List
Collection T1412 Access SMS list
Defense Evasion T1418 Application Discovery
Command and Control T1436 Commonly Used Port
Exfiltration T1567 Exfiltration Over Web Service
Indicators of Compromise (IOCs)
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 14 of 15

Indicators
Indicator
Type
Description
3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f SHA256 Nexus APK
1c99c658e30c672927dccbd8628107abf36d990d SHA1 Nexus APK
d87e04db4f4a36df263ecbfe8a8605bd MD5 Nexus APK
hxxp://5.161.97[.]57:5000 URL C&C URL
Source: https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections
Page 15 of 15