Malware is an unfortunate reality in the digital world we’ve built for ourselves. Since all of our devices run on code, bad actors can use malicious code to take over those devices, or install programs that steal information from them. However, some bad actors don’t write this code themselves. Rather, they pay others to lease out their malware, in what’s known as MaaS, or “malware as a service.” This latest Android malware is the most recent example we’ve seen, and it’s ugly.
As reported by TechRadar, the new botnet is dubbed Nexus, and first appeared on underground marketplaces in January of this year. Research from Cleafy, however, confirms the malware has been active since June 2022, and even contains similar code to another type of Android banking malware we saw in 2021. Since Nexus is MaaS, clients can pay $3,000 a month for Nexus access—a small price to pay for what the malware can give them.
Nexus is designed to scrape passwords from banking apps by keylogging (i.e., watching everything you type in order to discover your passwords), but that’s not even what makes it particularly dangerous. Even if those banking apps are protected with two-factor authentication, Nexus can bypass the security because it can take advantage of accessibility options that reveal SMS and Google Authenticator codes. It can even disable SMS-based 2FA once it steals the codes, making it extremely difficult for you to gain access to your account.
Once bad actors install Nexus onto your machine, the malware reports back to those actors through a C2 server, a technique that allows malicious users to maintain communications with malware after the initial installation. Because Nexus is a botnet, it works by connecting together many different infected devices on one network. Bad actors can monitor all the devices on their botnet, with easy access to the data they scrape from each.
Like the malware it is inspired by, Nexus is whitelisted from the Commonwealth of Independent States (CIS), including Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia. Anywhere else, though, Nexus is allowed to thrive.
How does Nexus end up on your Android device?
According to Android Police, Nexus is “disguised as a legitimate app packing a malicious trojan on shady third-party Android app stores,” but there doesn’t seem to be any specific programs identified at this time containing the malware. That’s an issue, because it means we don’t know which program to avoid going forward.
Until more details about Nexus emerge, you’ll need to employ some best practices to avoid the malware, as well as other malware out in the ether. Unfortunately, that means avoiding apps from third-party market places unless you can 100% verify their safety. While a huge advantage to Android is the ability to sideload apps not found on the Play Store, malicious users take advantage of the practice to lace apps with malware. Be careful.
Of course, there are plenty of examples of malicious apps finding their way to the Play Store, as well. When choosing a new app to download, always comb through the listing with care, looking for anything out of the ordinary. Does the app’s description match its title, or screenshots? Is the copy written well, or is it riddled with errors? Check the reviews: Do users have genuine positive thoughts towards the app, or do they have complaints, like pop-up ads and false advertising?