It first appeared in June last year and is now being openly advertised by its creators on hacker forums to increase its reach. Nexus’ primary targets are 450 banking and cryptocurrency apps.
Nexus asks for 50 permissions and abuses at least 14 of them
It is capable of performing overlay attacks, i.e. replicating a legitimate interface to trick you into entering your credentials, and uses keylogging to record your keystrokes. It can even steal SMS messages to get access to two-factor authentication codes and can abuse Accessibility Services to steal information from crypto wallets, 2-Step Verification codes generated by Google Authenticator, and website cookies. The trojan can also delete messages received by you.
Nexus is said to be in the beta stage but it’s already being used by many threat actors to carry out nefarious activities. Cybercriminals who do not know how to make their own malware can rent it for $3,000 a month.
It looks like the developer is from a CIS (Commonwealth of Independent States) country and has prohibited the trojan’s use in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russian Federation, Tajikistan, Uzbekistan, Ukraine, and Indonesia.
To protect yourself from infections, try to only download apps from Google Play and enable Google Play Protect. Use strong passwords and enable biometric security features where possible and be very careful when granting permissions.
Source: Phone Arena