The developer of the Android botnet is renting out Nexus through a Malware-as-a-Service (MaaS) subscription for $3,000 per month.
A recent detailed technical analysis by Cleafy security researchers warns users about a new Android banking botnet called Nexus that was introduced by an individual on various underground hacking forums in January 2023.
The malware developer claimed that Nexus was entirely coded from scratch and that it could be rented out through a Malware-as-a-Service (MaaS) subscription for $3000 per month.
MaaS is a business model employed by cybercriminals to rent or sell their malware to other parties, particularly those who lack the technical knowledge to develop their own malware. This model is widely used in the distribution of Android banking trojans, as malware authors leverage MaaS platforms to reach a broader audience.
Nexus is a banking trojan that primarily targets banking applications installed on Android devices. It carries the core features needed to perform Account Takeover (ATO) attacks against banking apps worldwide, as well as against cryptocurrency services.
It can perform overlay attacks, log keystrokes, and steal SMS messages to capture two-factor authentication codes. By abusing Android's Accessibility Services, Nexus can also harvest data from crypto wallets, 2FA codes from the Google Authenticator app, and cookies for specific websites.
Nexus also has a self-update mechanism. While running, it asynchronously polls its C2 server for a version value; if the value returned does not match the version installed on the device, the malware starts the update process. Otherwise it ignores the value and continues with its routine activities.
The malware is distributed through a MaaS platform called “Nexus Botnet,” which allows attackers to customize and distribute the malware as per their needs. The platform offers various features, including control panel access, auto-update, and anti-analysis techniques, making it harder for security researchers to detect and mitigate the threat.
Despite its authors claiming that the source code was written entirely from scratch, some code similarity with SOVA, an Android banking trojan that emerged in mid-2021, suggests that they may have reused some parts of its internals.