{
	"id": "6ccfe7a0-2e59-4a1b-9073-e9aa588f20ad",
	"created_at": "2026-04-06T00:07:50.248095Z",
	"updated_at": "2026-04-10T03:21:47.980777Z",
	"deleted_at": null,
	"sha1_hash": "e70fcd366bf98569faaf98746627fbbaf5ad9ba6",
	"title": "Nexus Android Trojan Analysis Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91132,
	"plain_text": "Nexus Android Trojan Analysis Report\r\nArchived: 2026-04-05 18:34:02 UTC\r\nOverview\r\nOn the evening of March 21, 2023, a novel Android Trojan was detected by the monitoring system jointly\r\ndeveloped by LianSecurity and Zhongrui Tianxia. After capturing samples through the RuiShi sandbox system, we\r\ndetermined that this Trojan is very likely a variant of the Android banking Trojan SOVA. Concurrently, the\r\nItalian security company Cleafy published a report titled \"Nexus: A New Android Botnet?\", confirming that the\r\nmalware is a SOVA variant and naming it Nexus.\r\nSample Analysis\r\nSample Name: Chrome.apk\r\nSample SHA256: 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4\r\nSample File Size: 4,792,032 (the source gives the unit as KB; a figure of this size is plausible only in bytes)\r\nMain Behavior List\r\nDelete specified applications and their data\r\nInstall and launch arbitrary applications\r\nHide its own app icon\r\nProtect itself against uninstallation\r\nUpload user SMS data and contact list\r\nUse SmsManager to send and delete SMS and to cancel SMS notifications\r\nMake phone calls\r\nRetrieve and upload cookies, inject cookies\r\nRead and upload cryptocurrency wallet information\r\nRecord and upload keyboard input\r\nQuery sensitive phone data (stored e-mail and app account data, IMSI and other device information)\r\nSet the device to silent mode\r\nUnlock the screen\r\nOpen specified URLs\r\nAttempt to disable administrator user\r\nEnable the accessibility service\r\nMonitor phone reboot events\r\nUse DownloadManager to download files\r\nInstallation Test\r\nhttps://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail\r\nPage 1 of 8\n\nUpon installation, a Chrome-like icon appears on the home screen of the device, with slight differences from\r\nthe real Chrome icon. 
The Trojan's icon is slightly smaller, but the difference is hard to notice without a side-by-side comparison.\r\nOnce the Trojan is launched, its interface prompts the user to enable \"Accessibility Features.\" A tap anywhere on\r\nthe interface redirects to the system accessibility settings so that the Trojan's accessibility service gets enabled.\r\nAfter the accessibility service is enabled, the app pops up again and requests \"Device Administrator Privileges.\"\r\nOnce the app holds device administrator privileges, it collects user information continuously in the background,\r\nmaking its presence hard to detect. Any attempt to open the device administrator settings screen fails: the screen\r\ncloses immediately, so the privilege cannot be revoked. Launching that screen from adb has the same result, because\r\nthe accessibility service watches for the device administrator settings window to appear and dismisses it. The\r\nreport therefore concludes that root access is required to uninstall the app.\r\nadb shell am start -S \"com.android.settings/.Settings\\$DeviceAdminSettingsActivity\"\r\nIn-depth Sample Analysis\r\nBasic Information\r\nBefore manual analysis with Incinerator, its \"Basic Analysis\" module showed that the sample is packed with an\r\nencryption shell: the developer encrypted the code to hinder analysis and reverse engineering. The signing\r\ncertificate is the default Android debug key (CN=Android Debug), not the certificate Google uses to sign Chrome. 
This, together with the Chrome icon and the sample name Chrome.apk, suggests that the developer is passing the\r\napp off as Chrome to gain the user's trust.\r\nIncinerator's APK permission analysis lists the permissions the APK declares in its detailed information.\r\nIn that list, 13 of the permissions the sample requests are classified as \"dangerous.\" Among them, a few are\r\nparticularly hazardous:\r\nSend SMS (SEND_SMS)\r\nRead SMS (READ_SMS)\r\nReceive SMS (RECEIVE_SMS)\r\nRead contacts (READ_CONTACTS)\r\nWrite contacts (WRITE_CONTACTS)\r\nRead phone numbers (READ_PHONE_NUMBERS)\r\nOrdinary apps rarely request permissions for sensitive operations such as editing the contact list or reading and\r\nsending text messages; these are normally confined to messaging software. On Android 6.0 and later, dangerous\r\npermissions also require a runtime dialog, but an app holding accessibility permission can click through those\r\ndialogs itself, obtaining permissions that threaten the user's privacy and security.\r\nAccessibility is a powerful Android feature designed to help users with special needs use their devices. The same\r\ncapability can be abused by a malicious app to perform operations outside the user's control. 
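The permission pattern above, combined with the accessibility service and the device administrator receiver described under Installation Test, can be triaged statically from the manifest, and the component names found there are exactly what a clean-up needs. The Python below is an added example written for this edit, not code from the LianSecurity report or from Incinerator. The manifest it parses is constructed to mirror the report's findings (the package name com.chrome.fake and the class names are assumptions), and the clean-up rests on one assumption that the report does not make: the adb shell user may write secure settings, so the accessibility service can be revoked before the device administrator screen is opened, after which the app can no longer dismiss that screen.

```python
# Added example (not from the LianSecurity report or Incinerator): static triage of an
# AndroidManifest.xml for the Nexus indicators, then the adb clean-up those findings imply.
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
BIND_ACCESSIBILITY = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
BIND_DEVICE_ADMIN = 'android.permission.BIND_DEVICE_ADMIN'

# Dangerous permissions the report singles out (SMS, contacts, phone identity).
HIGH_RISK = {
    'android.permission.SEND_SMS', 'android.permission.READ_SMS',
    'android.permission.RECEIVE_SMS', 'android.permission.READ_CONTACTS',
    'android.permission.WRITE_CONTACTS', 'android.permission.READ_PHONE_NUMBERS',
    'android.permission.READ_PHONE_STATE', 'android.permission.CALL_PHONE',
    'android.permission.GET_ACCOUNTS',
}

# Constructed manifest mirroring the report; package and class names are assumptions.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.chrome.fake'>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application android:label='Chrome'>
    <service android:name='.AccService'
             android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
    </service>
    <receiver android:name='.AdminReceiver'
              android:permission='android.permission.BIND_DEVICE_ADMIN'>
      <intent-filter>
        <action android:name='android.app.action.DEVICE_ADMIN_ENABLED'/>
      </intent-filter>
    </receiver>
  </application>
</manifest>'''


def flatten(package, name):
    # Manifest names may be relative ('.AccService'); expand to pkg/fully.qualified.Class,
    # the form used by the settings provider and by pm.
    if name.startswith('.'):
        name = package + name
    return package + '/' + name


def triage_manifest(xml_text):
    '''Pull out the indicators the report describes: dangerous permissions, an
    accessibility service and a device-admin receiver, plus a combined verdict.'''
    root = ET.fromstring(xml_text)
    package = root.get('package', '')
    perms = {e.get(ANDROID_NS + 'name', '') for e in root.iter('uses-permission')}
    acc = [flatten(package, s.get(ANDROID_NS + 'name', '')) for s in root.iter('service')
           if s.get(ANDROID_NS + 'permission') == BIND_ACCESSIBILITY]
    admins = [flatten(package, r.get(ANDROID_NS + 'name', '')) for r in root.iter('receiver')
              if r.get(ANDROID_NS + 'permission') == BIND_DEVICE_ADMIN]
    sms = {'android.permission.READ_SMS', 'android.permission.RECEIVE_SMS'} & perms
    return {
        'package': package,
        'high_risk_permissions': sorted(perms & HIGH_RISK),
        'accessibility_services': acc,
        'device_admin_receivers': admins,
        # SMS interception + accessibility + device admin is the SOVA/Nexus shape.
        'banking_trojan_pattern': bool(sms) and bool(acc) and bool(admins),
    }


def cleanup_commands(report, enabled_services):
    '''Build adb invocations as argv lists (run them with subprocess.run, so no local
    shell quoting is involved). Assumption, not from the report: the adb shell user may
    write secure settings, so the accessibility service is revoked first and can no
    longer dismiss the device-admin screen opened afterwards.'''
    pkg = report['package']
    keep = [c for c in enabled_services.split(':') if c and not c.startswith(pkg + '/')]
    if keep:
        revoke = 'settings put secure enabled_accessibility_services ' + repr(':'.join(keep))
    else:
        revoke = 'settings delete secure enabled_accessibility_services'
    admin_screen = 'com.android.settings/.Settings$DeviceAdminSettingsActivity'
    return [
        ['adb', 'shell', revoke],
        ['adb', 'shell', 'am force-stop ' + pkg],
        # The single quotes reach the device shell and stop it expanding the $;
        # deactivate the admin by hand on the screen that opens, then uninstall.
        ['adb', 'shell', 'am start -n ' + repr(admin_screen)],
        ['adb', 'shell', 'pm uninstall --user 0 ' + pkg],
    ]


if __name__ == '__main__':
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(key, value)
    current = 'com.android.talkback/.TalkBackService:' + result['accessibility_services'][0]
    for argv in cleanup_commands(result, current):
        print(argv)
```

The current value of enabled_accessibility_services comes from adb shell settings get secure enabled_accessibility_services; the script only removes the suspect package's component from it so that legitimate services such as TalkBack stay enabled.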
Once a malicious app obtains accessibility permission, it can carry out operations without the user's\r\nknowledge, such as granting itself other sensitive permissions, leading to data theft and privacy invasion. Users\r\nshould therefore be cautious about granting accessibility permission and never grant it to untrusted apps.\r\nThe permissions the code attempts to obtain through accessibility are:\r\nandroid.permission.READ_SMS: read SMS messages\r\nandroid.permission.SEND_SMS: send SMS messages\r\nandroid.permission.RECEIVE_SMS: receive SMS messages\r\nandroid.permission.READ_CONTACTS: read the contact list\r\nandroid.permission.WRITE_CONTACTS: edit the contact list\r\nandroid.permission.READ_PHONE_STATE: read the device's phone state and identity information\r\nandroid.permission.WRITE_EXTERNAL_STORAGE: write to external storage such as an SD card\r\nandroid.permission.MODIFY_AUDIO_SETTINGS: modify audio settings\r\nandroid.permission.READ_EXTERNAL_STORAGE: read external storage such as an SD card\r\nandroid.permission.INSTALL_PACKAGES: install other applications\r\nandroid.permission.CALL_PHONE: make phone calls\r\nandroid.permission.GET_ACCOUNTS: access the device's account list\r\nandroid.permission.READ_PHONE_NUMBERS: read the device's phone numbers\r\nandroid.permission.CLEAR_APP_CACHE: clear all cache files\r\nNote that INSTALL_PACKAGES and CLEAR_APP_CACHE are system-level (signature|privileged) permissions that are never\r\ngranted to a third-party app through a dialog, so declaring them has no effect; the SMS, contacts, phone and\r\nstorage permissions are the ones an accessibility click-through actually obtains.\r\nAs the screenshots in the original report show, the app first hardcodes the list of permissions to obtain through\r\naccessibility and then requests them from the system. In the PermissionsTask phase, the app listens for permission\r\nrequest dialogs. 
Once a permission dialog appears, the app uses accessibility to click its confirmation button automatically.\r\nStatic Code Analysis\r\nAfter using Incinerator to unpack the sample automatically and analyze the malicious code, we found the following\r\nmain capabilities:\r\n1. Delete specified apps and their app data\r\nThe app can remove other apps and their data, disrupting the user's normal use of the phone and its applications.\r\nThe clearApp method executes the shell command pm clear <package>, which wipes all data stored by the target\r\npackage: not only image caches and temporary files, but also databases and saved credentials, so the target app is\r\nreset to a freshly installed state. The deleteThisApp method uninstalls an app by firing an\r\nandroid.intent.action.DELETE intent. The system responds with an uninstall confirmation dialog that normally\r\nrequires the user to tap the confirmation button. Because the app holds accessibility permission, it taps that button\r\nitself as soon as the dialog appears, completing the uninstall without the user's knowledge. This further\r\nincreases the app's stealth and destructiveness.\r\n2. Install and launch arbitrary apps\r\nThe app can install and launch other apps, potentially spreading further malware or directing users to malicious\r\nwebsites.\r\nInstallation and uninstallation are both driven through accessibility in the same way, automating dialogs that\r\nwould otherwise need user interaction. 
To make this work across devices, the app carries a table of package and Activity names for the package installer\r\nof different manufacturers, since the installer UI differs between OEMs.\r\nAs a result, the app can carry out installation and uninstallation on a wide range of devices, implementing its\r\nmalicious behaviour covertly and broadening its reach.\r\n3. Hide its app icon\r\nTo make itself harder to discover and uninstall, the app hides its icon.\r\nThe developer calls setComponentEnabledSetting to disable the launcher Activity, so the app no longer has an icon\r\non the home screen and cannot be opened or noticed from there. setComponentEnabledSetting can enable or disable\r\nany app component (Activity, Service, BroadcastReceiver and so on); here it disables the launcher Activity so that\r\nthe app stays out of sight. The package is still listed under Settings > Apps and by pm list packages, which is\r\nwhere a user or analyst can still find it.\r\n4. Upload sensitive information such as phone contacts\r\nThe app can steal and upload user contacts, text messages, cookies and similar data, leading to privacy leaks and\r\nfinancial loss.\r\nAs the screenshots in the original report show, the app reads SMS content through the content://sms provider,\r\nprocesses it, and packs it into the body of a network request. Besides the messages, the request carries SIM card\r\ninformation, the victim's IP address, country, city and device model. 
The data is then sent to the attacker's server.\r\nIn this way the app steals the user's text messages and device information and delivers them to the attacker, who\r\ncan use them for fraud, privacy theft or identity theft.\r\n5. Use SmsManager to send text messages, delete text messages, cancel text message notifications and\r\nread text messages\r\n5.1 Upload text messages\r\nThe app registers a receiver for the system broadcast sent when a text message arrives, extracts the message\r\ncontent from the broadcast, and sends each message to the remote server. It then aborts the broadcast so that the\r\nmessage does not reach the user or other applications. (On Android 4.4 and later the SMS_RECEIVED broadcast can\r\nno longer be aborted by an app that is not the default SMS app, so this suppression only works on older devices.)\r\nIn the second screenshot of the original report, super.execute is the call that sends the collected SMS data to the\r\nremote server.\r\nThis behaviour shows an aggressive approach to stealing text messages. Users need to be aware of such\r\napplications to protect their privacy and security.\r\n5.2 Send text messages\r\nThe app calls the system SmsManager to send text messages.\r\n6. Obtain user cookie information and upload, inject cookies, etc.\r\nAs the screenshot in the original report shows, the app reads all cookies, uploads them to the remote server, and\r\nuses CookieManager to delete the local copies.\r\n7. 
Read and upload digital wallet information\r\n7.1 Read balance\r\nThrough the accessibility service, the app reads the text of the View that displays the wallet balance.\r\n7.2 Read seed phrase\r\nThrough the accessibility service, the app reads the text of the View that displays the seed phrase, which by itself\r\nis enough to empty the wallet.\r\n7.3 Upload to server\r\nThe wallet information is encrypted and sent to the remote server.\r\n8. Record and upload keyboard input records\r\nIn the two screenshots of the original report, the first listens for keyboard input through accessibility events and\r\nextracts the typed text; the second uploads that text to the remote server.\r\n9. Query sensitive information on mobile data (stored e-mail and app account data, IMSI and other phone\r\ninformation)\r\nThe app uses AccountManager to obtain the account list and uploads it to the remote server.\r\n10. Mute the phone\r\nThrough the system audio service, the app sets the phone to silent mode.\r\n11. Listen for phone restart events\r\nThe app listens for the system boot broadcast and resumes its work after the phone restarts.\r\n12. Use DownloadManager to download an APK and install it\r\nThe app downloads an APK and proceeds to install it.\r\n13. Take photos and record videos\r\n14. Read other documents\r\n15. Network requests\r\nEverything the code collects is uploaded to a server whose address is stored as an \"encrypted\" string that is in\r\nfact plain Base64: \"aHR0cDovLzE5My40Mi4zMi44Ny8=\" decodes to http://193.42.32.87/, the address that receives\r\nthe collected data. At the time of analysis this address could not be reached from mainland China, so a domestic\r\nuser who installed the app would not have had data collected, because the upload cannot reach the server (this\r\nholds only as long as that server stays unreachable; a new build can carry a different address). 
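The decoding step above, generalised to a scanner that walks a strings dump from the unpacked DEX and recovers URLs and IP addresses both in clear text and behind a single layer of Base64. This Python is an added example written for this edit, not code from the report or from Incinerator. The strings dump is constructed: the first Base64 token is the one quoted in the report, the class name and the second Base64 token (which encodes http://85.31.45.101/, the second C2 address from the IOC list) are assumptions, and the scanner never tries to contact any address it finds.

```python
# Added example (not from the LianSecurity report or Incinerator): recover URL and IP
# indicators from a strings dump, including those hidden behind one layer of Base64.
import base64
import binascii
import ipaddress
import re

# Constructed strings dump. The first Base64 token is the one quoted in the report, the
# second is assumed and encodes the report's second C2 address, the third is a decoy.
SAMPLE_STRINGS = '''
Lcom/chrome/fake/net/Uploader;
aHR0cDovLzE5My40Mi4zMi44Ny8=
http://ip-api.com/json
https://icanhazip.com
content://sms
aHR0cDovLzg1LjMxLjQ1LjEwMS8=
SGVsbG8gd29ybGQ=
android.permission.READ_SMS
'''

B64_RE = re.compile(r'[A-Za-z0-9+/]{12,}={0,2}')      # plausible Base64 runs only
URL_RE = re.compile(r'https?://[!-~]+')                 # scheme plus printable non-space
IP_RE = re.compile(r'[0-9]{1,3}(?:[.][0-9]{1,3}){3}')   # dotted quad, validated below


def try_base64(token):
    '''Decode one candidate; return printable ASCII text, or None if it is not Base64 text.'''
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None          # bad padding, bad length or non-alphabet characters
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None          # decoded to binary, not to a string worth reporting
    return text if text and text.isprintable() else None


def extract_iocs(strings_dump):
    '''Return (urls, ips, decoded): sorted URL and IP lists plus the Base64 tokens that
    decoded to text, so the analyst can see where each indicator came from.'''
    urls, ips, decoded = set(), set(), []
    for line in strings_dump.splitlines():
        texts = [line]
        for token in B64_RE.findall(line):
            text = try_base64(token)
            if text is not None:
                decoded.append((token, text))
                texts.append(text)
        for text in texts:
            urls.update(URL_RE.findall(text))
            for ip in IP_RE.findall(text):
                try:
                    ipaddress.ip_address(ip)   # rejects octets above 255
                except ValueError:
                    continue
                ips.add(ip)
    return sorted(urls), sorted(ips), decoded


if __name__ == '__main__':
    found_urls, found_ips, found_decoded = extract_iocs(SAMPLE_STRINGS)
    for token, text in found_decoded:
        print(token, '->', text)
    print('urls:', found_urls)
    print('ips:', found_ips)
```

The decoded list keeps the token beside its plaintext so that a report can cite the original string; the decoy Hello world token shows that a Base64 hit is only an indicator once it decodes to a URL or an address.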
The URLs \"http://ip-api.com/json\" and \"https://icanhazip.com\" found by the URL string scanner, which are public\r\nIP-lookup services (the likely source of the victim IP, country and city fields noted in section 4), are likewise\r\nunreachable from behind the GFW.\r\nConclusion\r\nOverall, the main purpose of this app is to steal private user data and process it in a fine-grained way. During\r\nanalysis we found extensive special handling for Chinese phone manufacturers such as Huawei, Xiaomi and OPPO,\r\nsuggesting that this app may primarily target Chinese users. To hide its behaviour, the app uses a simple encryption\r\nshell to conceal critical code, an approach uncommon in malicious apps from outside China. Given the types of data\r\nstolen, the app is highly harmful: text messages, cryptocurrency wallets and cookies can all affect the user's\r\nfinancial security. Technically, it relies mainly on Android's accessibility service and device administrator\r\nprivileges, a combination common in current Android malware. Users need to be vigilant against the threat such\r\napplications pose to their privacy and security.\r\nIOC Indicators\r\nSHA256:\r\n376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4\r\n724a56172f40177da76242ee169ac336b63d5df85889368d1531f593b658606b\r\nf3fc80a8793e60a901da44b9ab315931699e64a4f3eddb8aba839fe860de46dc\r\nec5b083c017570f846f6925b7c79d9e5886525a9b7ba7e514dabad0325c0af5e\r\nC2 Server:\r\n193.42.32.87\r\n85.31.45.101\r\nSource: https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail"
	],
	"report_names": [
		"detail"
	],
	"threat_actors": [],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e70fcd366bf98569faaf98746627fbbaf5ad9ba6.pdf",
		"text": "https://archive.orkl.eu/e70fcd366bf98569faaf98746627fbbaf5ad9ba6.txt",
		"img": "https://archive.orkl.eu/e70fcd366bf98569faaf98746627fbbaf5ad9ba6.jpg"
	}
}