# Nexus: The Latest Android Banking Trojan with SOVA Connections **[blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections](https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections)** ## Famous Banking Applications Now at Risk of Credential Theft March 9, 2023 Threat Actors (TAs) commonly promote their malware in cybercrime forums as it enables them to profit from their illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a larger audience. Cyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information whenever a new strain of malware is discovered and advertised by TAs. CRIL recently discovered an advertisement on a Russian cybercrime forum for an Android banking trojan called Nexus, offered by a TA. According to the TA, the malware is a new project continuously developed and compatible with Android versions up to 13. The below figure shows the TAs advertisement on the cybercrime forum. ----- Figure 1 – TA’s Advertisement on the Cybercrime Forum In their advertisement, the TA also included a screenshot of the Nexus panel and a list of its target applications, as shown below. ----- Figure 2 – List of Applications Targeted by Nexus ----- Further investigations revealed that the Nexus malware was being distributed through phishing pages disguised as legitimate websites of YouTube Vanced. The phishing pages included sites such as youtubeadvanced[.]net and youtubevanvedadw[.]net, among others. After analyzing the Nexus samples obtained from the phishing pages, it was determined that the [malware’s code shares similarities with that of S.O.V.A banking trojan, which was first discovered in mid-](https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/) 2021 and specifically designed to target Android devices. This blog provides a detailed technical overview of the Nexus Android banking trojan. ## Technical Analysis APK Metadata Information App Name: Youtube Vanced Package Name: com.toss.soda SHA256 Hash: 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f The figure 3 shows the metadata information of an application. Figure 3 – App Metadata Information The figure below shows the application icon and name displayed on the Android device. ----- Figure 4 – App Icon and Name ## Manifest Description The malware requests users for 50 different permissions, which it abuses at least 14. These dangerous permissions are listed below. **Permissions** **Description** READ_SMS Access SMSs from the victim’s device. RECEIVE_SMS Intercept SMSs received on the victim’s device READ_CONTACTS Access phone contacts READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. SEND_SMS Allows an application to send SMS messages. ----- CALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. WRITE_EXTERNAL_STORAGE Allows the app to write or delete files in the device’s external storage DISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service. GET_TASKS Allows an application to retrieve information about currently and recently running tasks. READ_EXTERNAL_STORAGE Allows an application to read from external storage REQUEST_INSTALL_PACKAGES Malicious applications can use this to try and trick users into installing additional malicious packages. SYSTEM_ALERT_WINDOW Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone. WRITE_CONTACTS Allows an application to modify the contact (address) data stored on your phone We observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen, as shown in the figure below. Figure 5 – Launcher Activity Upon examining the Dex, we found that the components specified in the manifest file were absent. It suggests that the application has been packed. Figure 6 – Components Defined in Manifest are Missing in the Dex After being executed, the malware unpacks the IWGFPqP.json file from the assets section of the APK file. The unpacked file is then dropped in the application system folder containing the malicious code. ----- Figure 7 – Malware Drops Unpacked File ## Source Code Review The malware prompts the user to enable the Accessibility Service upon launching it for the first time. Once the victim grants this permission, the malware exploits the service to automatically approve requested permissions, enable device administration, and initiate keylogging activities. The malware operates surreptitiously by establishing a connection to the Command and Control (C&C) server via the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including Accessibility logs and a roster of installed applications to the C&C server as shown in the below figure. Figure 8 – Malware Sends Installed Applications List to the C&C Server Upon receiving the list of installed applications, the command and control (C&C) server verify it against the targeted list of banking applications. If a match is found, the C&C server sends an “enableinject” command, including the specific application’s package name, as shown in the code snippet below. ----- Figure 9 – Malware Received the Command from the C&C Server Based on the Target Application Upon receiving the “enableinject” command from the C&C server, the Nexus banking trojan on the victim’s device downloads the HTML injection code for the targeted application based on the package name received. The downloaded HTML injection code is essentially a phishing page for the specific banking application, which is launched in the WebView interface whenever the victim interacts with the targeted applications. By utilizing this injection technique, the TA can easily obtain the targeted banking application credentials. The below image shows the code of Nexus malware downloading HTML phishing pages. Figure 10 – Malware downloading Phishing HTML pages from C&C Server The table below depicts the package names of the banking applications that Nexus explicitly targets. tr.com.sekerbilisim.mbank finansbank.enpara com.ziraat.ziraatmobil com.ykb.android com.vakifbank.mobile com.tmobtech.halkbank com.teb ----- com.pttfinans com.pozitron.iscep com.mobillium.papara com.kuveytturk.mobil com.ingbanktr.ingmobil com.htsu.hsbepersonalbanking com.garanti.cepsubesi com.finansbank.mobile.cepsube com.denizbank mobildeniz com.akbank.android.apps.akbank_direkt app.wizink.es com.imaginbank.app com kutxabank.android com.cajasur.android com.bbva.bbvacontigo com.cajaingenieros.android.bancamovil com. fibabanka.mobile com.bancodebogota.bancamovil www. ingdirect.nativeframe com.bankinter.launcher com.rsi com.bbva.netcash es.bancosantander.apps es.evobanco.bancamovil com.tecnocom.cajalaboral com.grupocajamar.wefferent net.inverline.bancosabadell.officelocator.android es.ibercaja.ibercajaapp Banks es.lacaixa.mobile.android.newwapicon com.lynxspa.bancopopolare ----- com latuabancaperandroid com.app.ecobank com.paypal.android.p2pmobile The Nexus malware can acquire seed phrases from Trust and Exodus wallets and steal wallet balances by abusing the Accessibility service, as shown in the below code snippet. Figure 11 – Malware Extracts Balance and Seed Phrase of Crypto Wallets Like the SOVA v5 variant, the Nexus malware incorporates a ransomware module that encrypts files stored on the compromised device. The figure below illustrates this function. ----- Figure 12 – Ransomware Module in the Nexus Malware A PingTasks service has been registered by the malware, which is responsible for receiving commands from the C&C server and carrying out the respective operations. Figure 13 – Malware Receives Commands from the C&C Server Below, we have listed the commands used by the TAs to control infected devices: **Command** **Description** get2fa Extracting 2FA code from Google Authenticator start2faactivator Enables 2FA activator stop2faactivator Disables 2FA activator delbot Deactivate the device admin and uninstall the malware openurl Opens the URL received from the C&C server into the WebView ----- startlock Locks the screen stoplock Unlocks the screen getperm Starts device admin activation delapp Functionality not implemented, saving Boolean value into shared preference clearappdata Not Implemented startextraverbose Saving value in the shared preference variable to TRUE. stopextraverbose Saving value in the shared preference variable to FALSE. starthidenpush Hides push notifications stophidenpush Stops hiding push notifications starthidesms Hide SMSs stophidesms Stops hiding SMSs scancookie Insert package name to the cookie-stealing list stopcookie Removes package name from the cookie-stealing list scaninject Add injections to the “injects” list stopscan Remove injections from the “injects” list getsms Steal SMSs from an infected device clearsmslist Delete SMSs from an infected device startkeylogs Starts keylogging stopkeylogs Stops keylogging contactssender Send SMSs to the contacts present in an infected device sendsms Sends SMSs from an infected device openinject Downloads and start injection for targeted application getapps Collecting basic device information sendpush Shows push notification enableinject Receives the target app for injection runapp Run application based on server response forwardcall Forwards the call call Make the call disableinject Delete injections getcontacts Collects contact list from the infected device ----- startmute Mutes an infected device stopmute Unmutes an infected device gettrustwallet Steal the Trust wallet seed phrase and balance getexodus Steals Exodus wallet seed phrase and balance ## Conclusion In the past, TAs had created the fifth iteration of the S.O.V.A. Android banking trojan, which not only targeted the banking sector but also included a ransomware feature. Now, TAs are advertising a rebranded version of the S.O.V.A. malware called “Nexus” on cybercrime forums with an updated list of targeted banks. By exploiting accessibility services, the “Nexus” Android banking Trojan can now target 40 banking applications to steal user credentials. Cyble Research & Intelligence Labs continuously monitors campaigns. We will keep updating our readers with the latest information as and when we find it. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: ### How to prevent malware infection? Download and install software only from official app stores like Google Play Store or the iOS App Store. Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. Use strong passwords and enforce multi-factor authentication wherever possible. Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. Be wary of opening any links received via SMS or emails delivered to your phone. Ensure that Google Play Protect is enabled on Android devices. Be careful while enabling any permissions. Keep your devices, operating systems, and applications updated. ### How to identify whether you are infected? Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices. Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. ### What to do when you are infected? Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. Perform a factory reset. Remove the application in case a factory reset is not possible. ----- Take a backup of personal media Files (excluding mobile applications) and perform a device reset. ### What to do in case of any fraudulent transaction? In case of a fraudulent transaction, immediately report it to the concerned bank. ### What should banks do to protect their customers? Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) Deliver Malicious App via Other Means. **Initial Access** [T1444](https://attack.mitre.org/versions/v10/techniques/T1444/) Masquerade as a Legitimate Application **Discovery** [T1418](https://attack.mitre.org/versions/v10/techniques/T1418/) Application discovery **Credential Access** [T1411](https://attack.mitre.org/versions/v10/techniques/T1411/) Input Prompt **Impact** [T1582](https://attack.mitre.org/versions/v10/techniques/T1582/) SMS Control **Impact** [T1447](https://attack.mitre.org/techniques/T1447) Delete device data **Collection** [T1432](https://attack.mitre.org/techniques/T1432/) Access Contacts List **Collection** [T1412](https://attack.mitre.org/techniques/T1412/) Access SMS list **Defense Evasion** [T1418](https://attack.mitre.org/techniques/T1418/) Application Discovery **Command and Control** [T1436](https://attack.mitre.org/versions/v10/techniques/T1436/) Commonly Used Port **Exfiltration** [T1567](https://attack.mitre.org/techniques/T1567/) Exfiltration Over Web Service ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **Type** **Description** **3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f** SHA256 Nexus APK **1c99c658e30c672927dccbd8628107abf36d990d** SHA1 Nexus APK **d87e04db4f4a36df263ecbfe8a8605bd** MD5 Nexus APK **hxxp://5.161.97[.]57:5000** URL C&C URL -----