Android Malware Targets 450 Financial Institutions

October 29, 2023

Android malware on the prowl: targeting 450 financial institutions. Learn how to safeguard your mobile banking security. Cybercriminals are targeting customers of 450 financial institutions worldwide with a dangerous new Android malware. It’s a banking trojan called Nexus, and it is being promoted as malware-as-a-service on underground hacking forums.

The malware can display rogue overlays, steal cookies, harvest passwords, intercept SMS messages, and grab two-factor authentication codes from Google Authenticator. Nexus also has ties to another Android banking trojan, SOVA.

Xenomorph

A dangerous new version of Android malware has been spotted in the wild that is capable of stealing login credentials and account balances from banking applications. The malware is dubbed Xenomorph, and according to cybersecurity experts at ThreatFabric, it’s one of the most advanced Android banking trojans currently in use. It’s believed to have attacked more than 400 banks and financial institutions, including cryptocurrency wallets. The latest iteration of Xenomorph has added a number of new capabilities, including an automatic transfer system (ATS) framework and the ability to steal login information from more than 400 banking apps.

Xenomorph was first discovered by ThreatFabric in February of 2022, and the initial iteration targeted 56 European banks through malicious apps in the Google Play store. It also used injections to perform overlay attacks and took advantage of Accessibility Services rights to intercept notifications and steal one-time codes. Its creators, Hadoken Security, continued to develop the malware throughout the year, but it never achieved the popularity of other Android banking trojans such as Octo or Hook.

The new Xenomorph is six times more powerful than the original iteration and has a number of features that make it an especially dangerous threat for users. It can automatically steal data from more than 50 different apps, including banking and MFA code-generating apps, and can remotely execute payment transactions. It also snoops on SMS messages and can install or remove apps on a device.

Unlike previous versions of the malware, which were distributed via legitimate apps such as workout and fitness trackers, the latest variant is being disseminated through a fake currency converter app in the Google Play store. It’s being advertised as an update to the real-world application – and can be downloaded by users who visit a compromised website or click a malicious link.

While this is a serious problem, there are ways you can protect yourself from such threats. Always download apps from the official stores like Google Play and never use third-party sources. Additionally, rebooting your device regularly will help to clear any malware from the system.

FluHorse

FluHorse malware is embedded in Android apps that mimic legitimate applications, prompting victims to enter their credentials. This data is then sent to an attacker-controlled server. Additionally, the malware can intercept incoming SMS messages including two-factor authentication (2FA) codes. This allows hackers to bypass 2FA protection and access victims’ accounts. The malware has been observed in Eastern Asia and is typically distributed via email. High-profile entities such as governmental officials are often targeted at the initial stage of the attack.

Malware has a variety of uses, from stealing passwords and other personal information to hijacking a device. It can also encrypt files and demand a ransom to unlock them. These types of attacks can be difficult to detect and can have a significant impact on an organization’s productivity and security.

The Xenomorph malware, first discovered by ThreatFabric in February 2022, was able to steal credentials from more than 400 financial institutions worldwide. Its latest version, Xenomorph v3, is far more sophisticated than the previous version and can automate the entire fraud chain, from infection to fund transfers. The malware is currently being distributed by a new distribution platform called Zombinder. Users should always be wary of download links that are received through email or messaging and should verify the app authenticity on the official company website before installing it.

This new version of Xenomorph is more capable than its predecessors and has a number of improved features that make it a serious threat to mobile banking. It can now automatically steal cookies and fingerprints, and it can perform a variety of malicious activities on a victim’s device. It can also steal login information and account balances and execute transactions on the victim’s behalf.

Moreover, the malware can use Android’s Accessibility Services to steal seed and balance data from cryptocurrency wallets. It can also snatch 2FA codes from Google’s Authenticator app. In addition, the malware can snatch cookies from websites of interest and intercept incoming text messages, including 2FA codes.

Despite the numerous security measures in place, malware continues to be a major threat to businesses and individuals. The average APAC business is attacked 1,835 times per week, according to Check Point Research. These attacks are on the rise, and organizations need to remain vigilant in order to protect themselves from these threats.

Drinik

An upgraded version of Drinik malware, which was first spotted in 2016 and was originally used to steal SMSes, has evolved into an Android banking trojan. The malicious code has now been equipped with advanced capabilities including screen recording, keylogging, and abusing Accessibility services. It has also been able to perform overlay attacks and send commands to the device via Firebase Cloud Messaging.

According to analysts at Cyble, this version of Drinik targets customers of 18 banks in India, including State Bank of India (SBI). It impersonates the Income Tax Department and lures users into following its commands by promising them a large refund. This is done by opening a page of the Income Tax Department’s website and stealing user credentials through screen recording.

The malware has been disguised as an app called iAssist, which requests permissions to read SMS messages, call logs, and contacts. Once the user gives the app these permissions, it displays a fake application form and asks them to provide information about their taxes. After the user submits their tax details, it opens a page that looks like a login page of the Income Tax Department’s official app and steals their personal data.
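The permission set described above (SMS, call logs, contacts) combined with an accessibility service and overlay drawing is the profile shared by every trojan on this page. The following script is an added example, not code from the article or from any of the vendors it cites: it performs a static triage of a decoded AndroidManifest.xml and flags that combination. The manifest it runs on is constructed for the example (the package name `com.example.iassist` and the service name are invented, not the real app's), and the weights and thresholds are an assumption of this example rather than any published scoring scheme.

```python
"""Static triage of a decoded AndroidManifest.xml for the banking-trojan
permission profile: SMS access (one-time-code interception), an accessibility
service binding (overlays, notification reading), overlay drawing, silent
package installs and audio/video capture.

Added example; not the article's or any vendor's code. Expects text XML as
produced by a decoder such as apktool, not the binary AXML inside an APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# (category, weight): weights are an assumption of this example.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": ("sms", 3),
    "android.permission.RECEIVE_SMS": ("sms", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("install", 2),
    "android.permission.RECORD_AUDIO": ("capture", 2),
    "android.permission.CAMERA": ("capture", 2),
    "android.permission.READ_CALL_LOG": ("pii", 1),
    "android.permission.READ_CONTACTS": ("pii", 1),
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return requested risk categories, a score and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # A service the system binds with BIND_ACCESSIBILITY_SERVICE can read the
    # screen, click on the user's behalf and read notifications.
    a11y_services = [s.get(NAME_ATTR) for s in root.iter("service")
                     if s.get(PERM_ATTR) == ACCESSIBILITY_PERM]

    categories, score = set(), 0
    for perm in requested:
        if perm in RISKY_PERMISSIONS:
            category, weight = RISKY_PERMISSIONS[perm]
            categories.add(category)
            score += weight
    if a11y_services:
        categories.add("accessibility")
        score += 4

    findings = []
    if "sms" in categories:
        findings.append("can read SMS-delivered one-time codes")
    if {"accessibility", "overlay"} <= categories:
        findings.append("accessibility service plus overlay drawing: overlay/ATS profile")
    if "install" in categories:
        findings.append("can install further packages")
    if "capture" in categories:
        findings.append("can capture audio/video")

    verdict = "suspicious" if score >= 8 else "review" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score,
            "categories": sorted(categories),
            "accessibility_services": a11y_services,
            "findings": findings, "verdict": verdict}


# Constructed sample manifest mirroring the permission set described for the
# fake "iAssist" app; names are invented for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iassist">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name="com.example.iassist.CoreService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], result["verdict"], result["score"], result["findings"])
```

The score only says that a manifest asks for the capabilities a banking trojan needs; a legitimate messaging or accessibility app will score high too, so the output is a prioritisation for review, not a verdict on its own.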

Drinik is part of the SpyNote family of Android malware and is sold to cyber attackers by threat intelligence firm ThreatFabric. It is a popular choice for attackers who want to steal information from Android devices. The malware can steal user names, passwords, and other important details from the phone’s storage, and it can send the data to a remote server.

The researchers at Cyble have discovered a new banking Trojan that steals credit card information, ATM pin numbers, and other sensitive data from Android smartphones. The malware is currently undergoing an active attack campaign and has already stolen thousands of dollars in illicit transactions. The threat actors behind this latest malware campaign are using a new method to hide their tracks, which makes it difficult for security analysts to detect and block them.

The hackers behind this malware are using a technique that’s known as fileless injection, where they inject the malicious code into a legitimate binary. This way, the malware can bypass existing security tools and avoid detection by antivirus software. This is why it’s important to always use a trusted source when downloading apps or APKs, and to disable any unknown features on your device.

Nexus

Nexus, the new banking malware, has multiple capabilities to steal online accounts and potentially extract funds from victims. The authors of the malware have made it available to threat actors through a recently announced malware-as-a-service (MaaS) program, where attackers can rent or subscribe to the tool and use it in their attacks. The trojan is distributed through phishing pages that mimic the website of YouTube Vanced, a third-party app. Once the victim opens the malicious page, the trojan is downloaded and installed on the device.

Although still in its early days, the trojan is already very capable and has been adopted by several threat actors in big malicious campaigns worldwide. The trojan is also able to perform overlay attacks, meaning that it can cover a legitimate banking interface with a fake one and trick users into entering their credentials. Nexus can also keylog and steal passwords from banking apps, as well as SMS-delivered two-factor authentication codes and information stored in the comparatively secure Google Authenticator app. In addition, it can steal cookies and MAC addresses from browsers, as well as use the Android Accessibility feature to read website cookies.
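Because every family on this page (Xenomorph, Drinik and Nexus) relies on an enabled accessibility service to read screens, notifications and cookies, the quickest device-side check an analyst can make is whether any non-allowlisted third-party package holds one. The script below is an added example, not from the article or any vendor: it parses two captured adb outputs, `settings get secure enabled_accessibility_services` and `pm list packages -3`, and reports enabled accessibility services that are not on a fleet allowlist. The captured output, the package names (`com.example.iassist` is invented) and the allowlist are all constructed for the example.

```python
"""Flag enabled accessibility services that belong to non-allowlisted apps,
from captured `adb shell` output. Added example; not code from the article.

Inputs (constructed here, normally captured from a device):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""
from typing import Dict, List, Set, Tuple

# Constructed value of the enabled_accessibility_services secure setting:
# colon-separated flattened component names "package/service".
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iassist/com.example.iassist.CoreService"
)

# Constructed `pm list packages -3` output (third-party packages only).
PM_LIST_3 = """package:com.example.iassist
package:com.bank.mobile
package:org.mozilla.firefox
"""

# Packages expected to run an accessibility service on this fleet (assumed).
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, service) pairs.

    `settings get` prints the literal string "null" when nothing is enabled,
    and a flattened component may abbreviate the class as "pkg/.Cls"."""
    pairs = []
    for entry in setting.strip().split(":"):
        if not entry or entry == "null":
            continue
        package, _, service = entry.partition("/")
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def parse_pm_list(text: str) -> Set[str]:
    """Collect package names from `pm list packages` lines ("package:<name>")."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def find_unexpected_a11y(setting: str, pm_list: str, allowlist: Set[str]) -> List[Dict]:
    """Every enabled accessibility service whose package is not allowlisted.

    third_party=True means the package is user-installed, which is where a
    sideloaded or store-delivered banking trojan would appear."""
    third_party = parse_pm_list(pm_list)
    hits = []
    for package, service in parse_enabled_services(setting):
        if package in allowlist:
            continue
        hits.append({"package": package, "service": service,
                     "third_party": package in third_party})
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_a11y(ENABLED_A11Y, PM_LIST_3, ALLOWLIST):
        origin = "third-party" if hit["third_party"] else "system/preloaded"
        print(f"{hit['package']} runs accessibility service {hit['service']} ({origin})")
```

A hit is a lead, not proof: the user may have enabled a legitimate screen reader or automation tool. The value of the check is that the setting is the single choke point these trojans all need, so anything unexpected there deserves a look at the package's manifest and origin.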

After being installed on a device, Nexus connects to its C2 server. This is a common way for cybercriminals to control their malware and receive stolen data from it. The trojan is currently targeting financial institutions and cryptocurrency services. It can also infiltrate mobile apps and record audio and video.

Although the trojan is being promoted as a completely new malware, researchers at Cleafy have found similarities with a previous banking trojan known as Sova and suspect code reuse. Sova’s author has even claimed that he or she is the creator of Nexus, but this claim remains unproven.

Once the malware is installed on a device, it can harvest login credentials from more than 450 financial applications and conduct fraud. It also allows threat actors to monitor their bots and the data they collect on a central dashboard. It can even auto-update itself and distribute additional malware. Threat actors who use Nexus can also customize the malware with a web panel that lets them inject over 4,000 banking app login pages to grab credentials.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
