Nexus: The Latest Android Banking Trojan with SOVA Connections

Famous Banking Applications Now at Risk of Credential Theft

Threat Actors (TAs) commonly promote their malware in cybercrime forums as it enables them to profit from their illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a larger audience.

Cyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information whenever a new strain of malware is discovered and advertised by TAs.

CRIL recently discovered an advertisement on a Russian cybercrime forum for an Android banking trojan called Nexus, offered by a TA. According to the TA, the malware is a new project continuously developed and compatible with Android versions up to 13.

The below figure shows the TAs advertisement on the cybercrime forum.

Figure 1 – TA’s Advertisement on the Cybercrime Forum

In their advertisement, the TA also included a screenshot of the Nexus panel and a list of its target applications, as shown below.

Figure 2 – List of Applications Targeted by Nexus

Further investigations revealed that the Nexus malware was being distributed through phishing pages disguised as legitimate websites of YouTube Vanced. The phishing pages included sites such as youtubeadvanced[.]net and youtubevanvedadw[.]net, among others.

After analyzing the Nexus samples obtained from the phishing pages, it was determined that the malware’s code shares similarities with that of S.O.V.A banking trojan, which was first discovered in mid-2021 and specifically designed to target Android devices. This blog provides a detailed technical overview of the Nexus Android banking trojan.

Technical Analysis

APK Metadata Information

  • App Name:  Youtube Vanced
  • Package Name: com.toss.soda
  • SHA256 Hash: 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f

The figure 3 shows the metadata information of an application.

Figure 3 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 4 – App Icon and Name

Manifest Description

The malware requests users for 50 different permissions, which it abuses at least 14. These dangerous permissions are listed below.

READ_SMSAccess SMSs from the victim’s device.
RECEIVE_SMSIntercept SMSs received on the victim’s device
READ_CONTACTSAccess phone contacts
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
SEND_SMSAllows an application to send SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files in the device’s external storage
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security
GET_ACCOUNTSAllows access to the list of accounts in the Accounts Service.
GET_TASKSAllows an application to retrieve information about currently and recently running tasks.
READ_EXTERNAL_STORAGEAllows an application to read from external storage
REQUEST_INSTALL_PACKAGESMalicious applications can use this to try and trick users into installing additional malicious packages.
SYSTEM_ALERT_WINDOWAllows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone.
WRITE_CONTACTSAllows an application to modify the contact (address) data stored on your phone

We observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen, as shown in the figure below.

Figure 5 – Launcher Activity

Upon examining the Dex, we found that the components specified in the manifest file were absent. It suggests that the application has been packed.

Figure 6 – Components Defined in Manifest are Missing in the Dex

After being executed, the malware unpacks the IWGFPqP.json file from the assets section of the APK file. The unpacked file is then dropped in the application system folder containing the malicious code.

Figure 7 – Malware Drops Unpacked File

Source Code Review

The malware prompts the user to enable the Accessibility Service upon launching it for the first time. Once the victim grants this permission, the malware exploits the service to automatically approve requested permissions, enable device administration, and initiate keylogging activities.

The malware operates surreptitiously by establishing a connection to the Command and Control (C&C) server via the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including Accessibility logs and a roster of installed applications to the C&C server as shown in the below figure.

Figure 8 – Malware Sends Installed Applications List to the C&C Server

Upon receiving the list of installed applications, the command and control (C&C) server verify it against the targeted list of banking applications. If a match is found, the C&C server sends an “enableinject” command, including the specific application’s package name, as shown in the code snippet below.

Figure 9 – Malware Received the Command from the C&C Server Based on the Target Application

Upon receiving the “enableinject” command from the C&C server, the Nexus banking trojan on the victim’s device downloads the HTML injection code for the targeted application based on the package name received. The downloaded HTML injection code is essentially a phishing page for the specific banking application, which is launched in the WebView interface whenever the victim interacts with the targeted applications. By utilizing this injection technique, the TA can easily obtain the targeted banking application credentials.

The below image shows the code of Nexus malware downloading HTML phishing pages.

Figure 10 – Malware downloading Phishing HTML pages from C&C Server

The table below depicts the package names of the banking applications that Nexus explicitly targets.
com.denizbank mobildeniz
www. ingdirect.nativeframe
es.ibercaja.ibercajaapp Banks
com latuabancaperandroid

The Nexus malware can acquire seed phrases from Trust and Exodus wallets and steal wallet balances by abusing the Accessibility service, as shown in the below code snippet.

Figure 11 – Malware Extracts Balance and Seed Phrase of Crypto Wallets

Like the SOVA v5 variant, the Nexus malware incorporates a ransomware module that encrypts files stored on the compromised device.

The figure below illustrates this function.

Figure 12 – Ransomware Module in the Nexus Malware

A PingTasks service has been registered by the malware, which is responsible for receiving commands from the C&C server and carrying out the respective operations.

Figure 13 – Malware Receives Commands from the C&C Server

Below, we have listed the commands used by the TAs to control infected devices:

get2faExtracting 2FA code from Google Authenticator
start2faactivatorEnables 2FA activator
stop2faactivatorDisables 2FA activator
delbotDeactivate the device admin and uninstall the malware
openurlOpens the URL received from the C&C server into the WebView
startlockLocks the screen
stoplockUnlocks the screen
getpermStarts device admin activation
delappFunctionality not implemented, saving Boolean value into shared preference
clearappdataNot Implemented
startextraverboseSaving value in the shared preference variable to TRUE.
stopextraverboseSaving value in the shared preference variable to FALSE.
starthidenpushHides push notifications
stophidenpushStops hiding push notifications
starthidesmsHide SMSs
stophidesmsStops hiding SMSs
scancookieInsert package name to the cookie-stealing list
stopcookieRemoves package name from the cookie-stealing list
scaninjectAdd injections to the “injects” list
stopscanRemove injections from the “injects” list
getsmsSteal SMSs from an infected device
clearsmslistDelete SMSs from an infected device
startkeylogsStarts keylogging
stopkeylogsStops keylogging
contactssenderSend SMSs to the contacts present in an infected device
sendsmsSends SMSs from an infected device
openinjectDownloads and start injection for targeted application
getappsCollecting basic device information
sendpushShows push notification
enableinjectReceives the target app for injection
runappRun application based on server response
forwardcallForwards the call
callMake the call
disableinjectDelete injections
getcontactsCollects contact list from the infected device
startmuteMutes an infected device
stopmuteUnmutes an infected device
gettrustwalletSteal the Trust wallet seed phrase and balance
getexodusSteals Exodus wallet seed phrase and balance


In the past, TAs had created the fifth iteration of the S.O.V.A. Android banking trojan, which not only targeted the banking sector but also included a ransomware feature. Now, TAs are advertising a rebranded version of the S.O.V.A. malware called “Nexus” on cybercrime forums with an updated list of targeted banks. By exploiting accessibility services, the “Nexus” Android banking Trojan can now target 40 banking applications to steal user credentials.

Cyble Research & Intelligence Labs continuously monitors campaigns. We will keep updating our readers with the latest information as and when we find it.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Means.
Initial AccessT1444Masquerade as a Legitimate Application
DiscoveryT1418Application discovery
Credential AccessT1411Input Prompt
ImpactT1582SMS Control
ImpactT1447Delete device data
CollectionT1432Access Contacts List
CollectionT1412Access SMS list
Defense EvasionT1418Application Discovery
Command and ControlT1436Commonly Used Port
ExfiltrationT1567Exfiltration Over Web Service

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3fSHA256Nexus APK
1c99c658e30c672927dccbd8628107abf36d990dSHA1Nexus APK
d87e04db4f4a36df263ecbfe8a8605bdMD5Nexus APK
hxxp://5.161.97[.]57:5000URLC&C URL

Comments are closed.

Scroll to Top