What is Nexus banking trojan?

Nexus banking trojan is a malicious infection targeting Android users. According to researchers at Cyble, Nexus has close connections to the notorious S.O.V.A. banking trojan that was initially discovered in 2021. It's classified as a banking trojan because it targets banking apps and aims to steal users' credentials. Currently, it can target over 40 banking apps.


When the app installs on a device, it immediately requests 50 permissions, including Accessibility Service. Gaining the Accessibility Service permission is key because once the malware has it, it can essentially grant itself any additional permissions. It can also prevent users from disabling the Accessibility Service. The 50 requested permissions include access to SMS (including permission to intercept and send messages) and phone contacts (including permission to modify them), permission to read, write or delete files in a device's external storage, and permission to initiate a phone call.

Once it gains the necessary permissions, Nexus banking trojan collects information about the device (e.g. OS version, IP address, phone number, and mobile network data). It also checks the installed apps for a match to its targeted apps. If it finds a match, Nexus banking trojan downloads an HTML injection code. When you try to open your banking app, the trojan shows a fake overlay screen that matches how the app looks. If you type your login credentials, the trojan immediately sends them to its operators. Essentially, by misusing accessibility services, the app can steal login credentials from 40 different banking apps.

The Nexus banking trojan can also record keystrokes and manage SMS messages, calls, and notifications (e.g. read, send, and delete SMS messages). Access to SMS messages allows the trojan to intercept messages with one-time passwords and multi-factor authentication codes. It can also access Google Authenticator to get the necessary codes. Because the trojan can manage notifications, it can hide legitimate notifications and show fake ones. It could also delete apps, open apps, lock/unlock the device, open URLs in your browser, display fake system alert overlays, and steal login credentials for cryptocurrency wallets (e.g. Exodus or Trust). Finally, it can manage connected external storage (e.g. read or delete files in it).

Evidently, Nexus banking trojan is a very serious malware infection whose consequences can include serious financial loss and lost access to important accounts. It can be detected by an anti-virus app installed on the device but can be quite difficult to notice without it.

How is Nexus banking trojan distributed?

According to Cyble, Nexus is currently being distributed through phishing pages that are disguised to look like legitimate YouTube Vanced websites (e.g. youtubeadvanced.net and youtubevanvedadw.net). Links to these fake websites may be promoted on various forums and other websites, where users may come across them, believe the sites to be legitimate and download the malicious app.

How can you avoid infecting your Android device with malware:

  • Use official sources (official websites and stores) to download apps.

One of the most common ways users pick up malware is by downloading apps from unofficial websites and poorly regulated third-party app stores. Official stores like Google Play Store and iOS App Store have security measures to prevent malicious apps from being listed. It’s not impossible that the Google Play Store would have a malicious app on it because cybercriminals constantly come up with ways to bypass its security measures. Nonetheless, the chances of you downloading malware from a legitimate app store are significantly smaller than when using unregulated third-party app stores.

It should also be mentioned that you need to research apps before installing them. Oftentimes, a simple search with a search engine is enough.

  • Always question why an app requests the permissions it does.

Before installing any app, review its requested permissions and consider why it needs the permissions. For example, if a mobile game or a photo editing app requests permission to access your contacts, SMS messages, etc., when they clearly do not need them to function, it should cause suspicion. If you notice permission requests that do not make sense, do not install the app.

  • Secure your accounts with multi-factor authentication whenever possible.

To prevent unauthorized access to your accounts even when your passwords are known, you need to enable multi-factor authentication.

  • Do not click on unknown links in emails, text messages, or anywhere else.

To prevent malware and avoid falling for phishing campaigns, you should never click on unknown links in emails, text messages, random websites, etc. Malicious actors often try to phish users’ credentials by sending SMS messages with links to fake online bank login pages. A link may also redirect you to a site that initiates a malicious download.

  • Install updates regularly.

Make sure to install updates on a regular basis. Malware often uses vulnerabilities to get in and updates patch known ones, preventing an infection. So by simply installing updates as they come out, you would be preventing infections.
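The permission review recommended above can be automated against the permission set this article attributes to Nexus. The following is an added example, not code from Cyble or from this site; it assumes the APK's manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, package name and scoring rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups the article lists for Nexus (standard Android permission names).
RISK_GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "calls": {"CALL_PHONE"},
}

def audit_manifest(manifest_xml):
    """Summarise requested permissions and flag the risky combination."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name").rsplit(".", 1)[-1]
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    groups = sorted(g for g, perms in RISK_GROUPS.items() if requested & perms)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND
    ]
    # Assumed rule: accessibility plus SMS access (one-time-code interception),
    # or accessibility plus three or more sensitive groups, warrants review.
    suspicious = bool(a11y) and ("sms" in groups or len(groups) >= 3)
    return {"count": len(requested), "groups": groups,
            "accessibility_services": a11y, "suspicious": suspicious}

# Constructed sample manifest for a hypothetical "video player" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A video player that declares an accessibility service together with SMS, contacts, storage and call permissions has no functional reason to do so, which is exactly the mismatch the advice above asks you to look for.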

How to remove Nexus banking trojan from Android

If you believe your Android device is infected, you need to take urgent action to remove Nexus banking trojan. Immediately disable the WiFi and remove your SIM card to prevent the malware from turning on mobile data. When your device is disconnected from the Internet, perform a factory reset. If you want to have a backup of your personal files, make sure you exclude the apps. If you cannot do a factory reset for whatever reason, try removing the app manually while the internet is disabled.

When you are completely sure that your device is clean, change all your passwords as soon as possible. Check all your bank transactions and if you notice anything amiss, immediately contact your bank to inform them of the situation. They may be able to reverse the transaction(s).



Step 1. Delete Nexus banking trojan using Safe Mode with Networking.

Remove Nexus banking trojan from Windows 7/Windows Vista/Windows XP
  1. Click on Start and select Shutdown.
  2. Choose Restart and click OK.
  3. Start tapping F8 when your PC starts loading.
  4. Under Advanced Boot Options, choose Safe Mode with Networking.
  5. Open your browser and download the anti-malware utility.
  6. Use the utility to remove Nexus banking trojan.
Remove Nexus banking trojan from Windows 8/Windows 10
  1. On the Windows login screen, press the Power button.
  2. Tap and hold Shift and select Restart.
  3. Go to Troubleshoot → Advanced options → Start Settings.
  4. Choose Enable Safe Mode or Safe Mode with Networking under Startup Settings.
  5. Click Restart.
  6. Open your web browser and download the malware remover.
  7. Use the software to delete Nexus banking trojan.

Step 2. Restore Your Files using System Restore

Delete Nexus banking trojan from Windows 7/Windows Vista/Windows XP
  1. Click Start and choose Shutdown.
  2. Select Restart and OK.
  3. When your PC starts loading, press F8 repeatedly to open Advanced Boot Options.
  4. Choose Command Prompt from the list.
  5. Type in cd restore and tap Enter.
  6. Type in rstrui.exe and press Enter.
  7. Click Next in the new window and select the restore point prior to the infection.
  8. Click Next again and click Yes to begin the system restore.
Delete Nexus banking trojan from Windows 8/Windows 10
  1. Click the Power button on the Windows login screen.
  2. Press and hold Shift and click Restart.
  3. Choose Troubleshoot and go to Advanced options.
  4. Select Command Prompt and click Restart.
  5. In Command Prompt, input cd restore and tap Enter.
  6. Type in rstrui.exe and tap Enter again.
  7. Click Next in the new System Restore window.
  8. Choose the restore point prior to the infection.
  9. Click Next and then click Yes to restore your system.

Site Disclaimer

2-remove-virus.com is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be bound by the disclaimer. We do not guarantee that the article will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.
