Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Nexus, an emerging Android banking Trojan targets 450 financial apps

Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications. Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed by multiple groups in attacks against 450 financial applications. The Nexus ransomware was first analyzed in early March by researchers from the […]

Nexus

Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications.

Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed by multiple groups in attacks against 450 financial applications.

The Nexus ransomware was first analyzed in early March by researchers from the threat intelligence firm Cyble.

Nexus is available via a Malware-as-a-Service (MaaS) subscription and is advertised on underground forums or through private channels (e.g., Telegram) since January 2023.

It was available for rent at a price of $3000 per month.

Nexus

However, Cleafy’s Threat Intelligence & Response Team reported having detected the first Nexus infections in June 2022, months before the MaaS was publicly advertised.

Experts believe that the Nexus Trojan is early stages of development despite multiple campaigns are actively using it in the wild.

“Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception. It also provides a built-in list of injections against 450 financial applications.” reads the analysis published by Cleafy.

The authors claim that Nexus has been entirely written from scratch, but the researchers found similarities between Nexus and the SOVA banking trojan, which appeared on the threat landscape in August 2021.

Like other malware, Nexus doesn’t infect systems located in Russia and CIS countries.

The Nexus Trojan can target multiple banking and cryptocurrency in an attempt to take over customers’ accounts. It relies on overlay attacks and keylogging features to capture customers’ credentials.

The malware also supports features to bypass two-factor authentication (2FA) using both SMSs or the Google Authenticator app by abusing of Android’s accessibility services.

The Android Trojan also supports a mechanism for auto-update.

The analysis of various samples revealed that the malware is equipped with encryption capabilities which appear to be under development due to the presence of debugging strings and the lack of usage references.

“As always, the main question here is: Does it represent a threat to Android users? At the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.” concludes the report. “Because of that, we cannot exclude that it will be ready to take the stage in the next few months.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)