Heads-Up: An Android Botnet Is Making The Rounds And Will Pilfer Your Banking Data

android malware 2
Google used to offer Nexus-branded Android phones, but now Nexus means mobile malware. Chatter about the Nexus banking botnet began appearing on hacking forums in January 2023, but security researchers from Cleafy now believe this Android malware's origins stretch back to the middle of 2022. It's already very capable and spreading around the world, and the researchers believe it's only going to get more dangerous.

Nexus is yet another example of Malware-as-a-Service (MaaS), which allows online criminals to rent access to malicious tools rather than designing them personally. Nexus costs $3,000 per month, but it comes with the ability to steal banking data that could net the operator much more than that.

The primary tools in Nexus as it currently exists are aimed at Account Takeover (ATO) attacks for banking and financial apps. Once installed on a device, the malware uses system overlays and keylogging to steal account info. Even accounts secured with two-factor codes are at risk—Nexus uses accessibility APIs to steal SMS codes, cryptocurrency wallet data, and codes from authenticator apps.

Cleafy has been monitoring hacking forums where the Nexus developers talk about the project. The creators reportedly demand that subscribers do not attempt to use Nexus in Russia or any Commonwealth of Independent States (CIS). They've even attempted to geo-lock the malware to prevent that. It probably pays to keep the designers happy—they've created a robust visual command and control web interface with a built-in list of injections against 450 financial applications, giving threat actors an easy way to monitor their attacks.

nexus malware
The Nexus web portal

The botnet includes a remote update system, allowing the designers to roll out new capabilities as they are developed. Cleafy says Nexus has already added commands since its soft launch in 2022, and it expects the malware suite to continue expanding as its creators have labeled the current version a "beta."

You can protect yourself by ensuring you have secured your online accounts with two-factor codes and, if possible, generate those codes on a dedicated device you know to be secure. Nexus has to get onto your smartphone before it can compromise your security, so be careful about installing apps from unknown sources, even if they look like apps you know.