Famous Banking Applications Now at Risk of Credential Theft
Threat Actors (TAs) commonly promote their malware in cybercrime forums as it enables them to profit from their illicit activities, enhance their standing among other cybercriminals, and expand the reach of their malware to a larger audience.
Cyble Research and Intelligence Labs (CRIL) actively monitors cybercrime forums and shares information whenever a new strain of malware is discovered and advertised by TAs.
CRIL recently discovered an advertisement on a Russian cybercrime forum for an Android banking trojan called Nexus, offered by a TA. According to the TA, the malware is a new project continuously developed and compatible with Android versions up to 13.
The below figure shows the TAs advertisement on the cybercrime forum.
In their advertisement, the TA also included a screenshot of the Nexus panel and a list of its target applications, as shown below.
Further investigations revealed that the Nexus malware was being distributed through phishing pages disguised as legitimate websites of YouTube Vanced. The phishing pages included sites such as youtubeadvanced[.]net and youtubevanvedadw[.]net, among others.
After analyzing the Nexus samples obtained from the phishing pages, it was determined that the malware’s code shares similarities with that of S.O.V.A banking trojan, which was first discovered in mid-2021 and specifically designed to target Android devices. This blog provides a detailed technical overview of the Nexus Android banking trojan.
Technical Analysis
APK Metadata Information
- App Name: Youtube Vanced
- Package Name: com.toss.soda
- SHA256 Hash: 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f
The figure 3 shows the metadata information of an application.
The figure below shows the application icon and name displayed on the Android device.
Manifest Description
The malware requests users for 50 different permissions, which it abuses at least 14. These dangerous permissions are listed below.
| Permissions | Description |
| READ_SMS | Access SMSs from the victim’s device. |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device |
| READ_CONTACTS | Access phone contacts |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| SEND_SMS | Allows an application to send SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files in the device’s external storage |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. |
| GET_TASKS | Allows an application to retrieve information about currently and recently running tasks. |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
| REQUEST_INSTALL_PACKAGES | Malicious applications can use this to try and trick users into installing additional malicious packages. |
| SYSTEM_ALERT_WINDOW | Allows an application to show system-alert windows. Malicious applications can take over the entire screen of the phone. |
| WRITE_CONTACTS | Allows an application to modify the contact (address) data stored on your phone |
We observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen, as shown in the figure below.
Upon examining the Dex, we found that the components specified in the manifest file were absent. It suggests that the application has been packed.
After being executed, the malware unpacks the IWGFPqP.json file from the assets section of the APK file. The unpacked file is then dropped in the application system folder containing the malicious code.
Source Code Review
The malware prompts the user to enable the Accessibility Service upon launching it for the first time. Once the victim grants this permission, the malware exploits the service to automatically approve requested permissions, enable device administration, and initiate keylogging activities.
The malware operates surreptitiously by establishing a connection to the Command and Control (C&C) server via the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including Accessibility logs and a roster of installed applications to the C&C server as shown in the below figure.
Upon receiving the list of installed applications, the command and control (C&C) server verify it against the targeted list of banking applications. If a match is found, the C&C server sends an “enableinject” command, including the specific application’s package name, as shown in the code snippet below.
Upon receiving the “enableinject” command from the C&C server, the Nexus banking trojan on the victim’s device downloads the HTML injection code for the targeted application based on the package name received. The downloaded HTML injection code is essentially a phishing page for the specific banking application, which is launched in the WebView interface whenever the victim interacts with the targeted applications. By utilizing this injection technique, the TA can easily obtain the targeted banking application credentials.
The below image shows the code of Nexus malware downloading HTML phishing pages.
The table below depicts the package names of the banking applications that Nexus explicitly targets.
| tr.com.sekerbilisim.mbank |
| finansbank.enpara |
| com.ziraat.ziraatmobil |
| com.ykb.android |
| com.vakifbank.mobile |
| com.tmobtech.halkbank |
| com.teb |
| com.pttfinans |
| com.pozitron.iscep |
| com.mobillium.papara |
| com.kuveytturk.mobil |
| com.ingbanktr.ingmobil |
| com.htsu.hsbepersonalbanking |
| com.garanti.cepsubesi |
| com.finansbank.mobile.cepsube |
| com.denizbank mobildeniz |
| com.akbank.android.apps.akbank_direkt |
| app.wizink.es |
| com.imaginbank.app |
| com kutxabank.android |
| com.cajasur.android |
| com.bbva.bbvacontigo |
| com.cajaingenieros.android.bancamovil |
| com. fibabanka.mobile |
| com.bancodebogota.bancamovil |
| www. ingdirect.nativeframe |
| com.bankinter.launcher |
| com.rsi |
| com.bbva.netcash |
| es.bancosantander.apps |
| es.evobanco.bancamovil |
| com.tecnocom.cajalaboral |
| com.grupocajamar.wefferent |
| net.inverline.bancosabadell.officelocator.android |
| es.ibercaja.ibercajaapp Banks |
| es.lacaixa.mobile.android.newwapicon |
| com.lynxspa.bancopopolare |
| com latuabancaperandroid |
| com.app.ecobank |
| com.paypal.android.p2pmobile |
The Nexus malware can acquire seed phrases from Trust and Exodus wallets and steal wallet balances by abusing the Accessibility service, as shown in the below code snippet.
Like the SOVA v5 variant, the Nexus malware incorporates a ransomware module that encrypts files stored on the compromised device.
The figure below illustrates this function.
A PingTasks service has been registered by the malware, which is responsible for receiving commands from the C&C server and carrying out the respective operations.
Below, we have listed the commands used by the TAs to control infected devices:
| Command | Description |
| get2fa | Extracting 2FA code from Google Authenticator |
| start2faactivator | Enables 2FA activator |
| stop2faactivator | Disables 2FA activator |
| delbot | Deactivate the device admin and uninstall the malware |
| openurl | Opens the URL received from the C&C server into the WebView |
| startlock | Locks the screen |
| stoplock | Unlocks the screen |
| getperm | Starts device admin activation |
| delapp | Functionality not implemented, saving Boolean value into shared preference |
| clearappdata | Not Implemented |
| startextraverbose | Saving value in the shared preference variable to TRUE. |
| stopextraverbose | Saving value in the shared preference variable to FALSE. |
| starthidenpush | Hides push notifications |
| stophidenpush | Stops hiding push notifications |
| starthidesms | Hide SMSs |
| stophidesms | Stops hiding SMSs |
| scancookie | Insert package name to the cookie-stealing list |
| stopcookie | Removes package name from the cookie-stealing list |
| scaninject | Add injections to the “injects” list |
| stopscan | Remove injections from the “injects” list |
| getsms | Steal SMSs from an infected device |
| clearsmslist | Delete SMSs from an infected device |
| startkeylogs | Starts keylogging |
| stopkeylogs | Stops keylogging |
| contactssender | Send SMSs to the contacts present in an infected device |
| sendsms | Sends SMSs from an infected device |
| openinject | Downloads and start injection for targeted application |
| getapps | Collecting basic device information |
| sendpush | Shows push notification |
| enableinject | Receives the target app for injection |
| runapp | Run application based on server response |
| forwardcall | Forwards the call |
| call | Make the call |
| disableinject | Delete injections |
| getcontacts | Collects contact list from the infected device |
| startmute | Mutes an infected device |
| stopmute | Unmutes an infected device |
| gettrustwallet | Steal the Trust wallet seed phrase and balance |
| getexodus | Steals Exodus wallet seed phrase and balance |
Conclusion
In the past, TAs had created the fifth iteration of the S.O.V.A. Android banking trojan, which not only targeted the banking sector but also included a ransomware feature. Now, TAs are advertising a rebranded version of the S.O.V.A. malware called “Nexus” on cybercrime forums with an updated list of targeted banks. By exploiting accessibility services, the “Nexus” Android banking Trojan can now target 40 banking applications to steal user credentials.
Cyble Research & Intelligence Labs continuously monitors campaigns. We will keep updating our readers with the latest information as and when we find it.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means. |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Discovery | T1418 | Application discovery |
| Credential Access | T1411 | Input Prompt |
| Impact | T1582 | SMS Control |
| Impact | T1447 | Delete device data |
| Collection | T1432 | Access Contacts List |
| Collection | T1412 | Access SMS list |
| Defense Evasion | T1418 | Application Discovery |
| Command and Control | T1436 | Commonly Used Port |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 3dcd8e0cf7403ede8d56df9d53df26266176c3c9255a5979da08f5e8bb60ee3f | SHA256 | Nexus APK |
| 1c99c658e30c672927dccbd8628107abf36d990d | SHA1 | Nexus APK |
| d87e04db4f4a36df263ecbfe8a8605bd | MD5 | Nexus APK |
| hxxp://5.161.97[.]57:5000 | URL | C&C URL |
