Nexus Android trojan targets 450 financial apps and takes over bank accounts


Cybercriminals are now using a new Android banking trojan capable of targeting 450 different banking and financial apps.

While the Nexus banking trojan may still be in the early development stage, a new report from the Italian cybersecurity firm Cleafy has highlighted the serious threat it poses to Android smartphone users.

If one of the best Android phones is infected with Nexus, cybercriminals can use the banking trojan’s capabilities to perform account takeovers, as it not only steals passwords from banking apps but can also intercept both two-factor authentication (2FA) codes sent via text and even codes from Google Authenticator. Like other similar malware, it does this by abusing Android’s accessibility services.

In a blog post from the threat intelligence firm Cyble released earlier this month, its security researchers detailed how Nexus is being distributed through phishing pages disguised as legitimate websites of YouTube Vanced, which is a modified third-party version of the popular online video platform.

Even though it’s still in its early days, Nexus is a banking trojan to keep an eye on as it already has pretty impressive abilities and will likely only improve further as development on it continues.




The Nexus banking trojan was first discovered in an advertisement on a Russian cybercrime forum which explained that it is a new project which is compatible with Android versions up to Android 13.

Just like with other banking trojans, it’s being distributed using a Malware-as-a-Service model where hackers pay other hackers for access to the malware. However, as The Hacker News points out, its creators have included explicit rules that prevent it from being used in the following countries: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

Nexus steals from and drains victims' bank accounts by performing overlay attacks. For those unfamiliar, these kinds of attacks involve putting an overlay or a fake version on top of a legitimate banking app. Victims go to log in to their accounts as they normally do, but the overlay captures their username and password. Likewise, Nexus also includes a keylogger to steal any passwords a user may type in or autofill on their phone.

In the latest version of Nexus, the banking trojan can now erase text messages received on an infected device, stop its 2FA stealer module and periodically update itself by pinging a cybercriminal-controlled command-and-control (C&C) server.

How to stay safe from Android malware


When it comes to the Nexus banking trojan and other Android malware, the first way that you can protect your devices and the data they contain is by not sideloading apps. While it may be convenient to install an app without going through an official app store like the Google Play Store, this also puts you at risk as you have no idea what its APK installation file may actually contain.

At the same time, you want to make sure that Google Play Protect is enabled on your Android smartphone as it scans any new apps you install as well as your existing apps for malware. For additional protection though, you may also want to install one of the best Android antivirus apps.

Even if you only download apps from official sources, there’s still a chance that you may accidentally install a malicious app. Bad apps manage to slip through the cracks from time to time which is why you should always be careful when installing any new app. Read reviews, do your research and if an app seems too good to be true, it probably is.
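Because Nexus depends on accessibility services and arrives as a sideloaded APK, one practical check is to list which enabled accessibility services belong to apps that did not come from an official store. The script below is an added example, not code from the article, Cleafy or Cyble; it parses the text output of three standard `adb shell` commands, and the trusted-installer list and sample package names are assumptions constructed for illustration.

```python
import re

# Installers treated as official stores (assumption; extend for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(raw):
    """Parse `adb shell settings get secure enabled_accessibility_services`.
    The value is colon-separated `package/service` entries, or `null`."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_packages(raw):
    """Parse `adb shell pm list packages -i` (or `-s`) into {package: installer}."""
    result = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            installer = m.group(2)
            result[m.group(1)] = None if installer in (None, "null") else installer
    return result

def audit(services_raw, installers_raw, system_raw):
    """Return (package, service, installer) for each enabled accessibility
    service whose package is neither preinstalled nor from a trusted store."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))
    findings = []
    for package, service in parse_enabled_services(services_raw):
        installer = installers.get(package)
        if package not in system and installer not in TRUSTED_INSTALLERS:
            findings.append((package, service, installer))
    return findings

# Constructed sample output (not captured from a real device).
SERVICES = ("com.google.android.marvin.talkback/"
            "com.google.android.marvin.talkback.TalkBackService:"
            "com.example.vancedplayer/.CoreService")
INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.vancedplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""
SYSTEM = "package:com.android.settings\n"

if __name__ == "__main__":
    for package, service, installer in audit(SERVICES, INSTALLERS, SYSTEM):
        print(f"REVIEW {package}/{service} installer={installer}")
```

A flagged entry is a prompt to review the app, not proof of infection, since legitimately sideloaded accessibility tools will also appear.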

Since the Nexus banking trojan is still being actively developed and likely bringing in quite a lot of money for its creators, this probably isn’t the last time we’ll hear about it, especially as new capabilities are added to it.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • kep55
    Oh, but using your toy phone for banking is perfectly safe. Just like using the 'net is perfectly safe for proprietary, confidential, business critical data.