Nexus banking trojan Explained

What is Nexus banking trojan?

Nexus banking trojan is a malicious infection targeting Anrdoid users. According to researchers at Cyble, Nexus has close connections to a notorious S.O.V.A banking trojan that was initially discovered in 2021. It’s classified as a banking trojan because it targets banking apps and aims to steal users’ credentials. Currently, it can target over 40 banking apps.

When the app installs on a device, it immediately requests 50 permissions, including Accessibility Service. Gaining the Accessibility Service permission is key because once malware can get that, it can essentially grant itself any additional permissions. It can also prevent users from disabling the Accessibility Service. The Nexus banking trojan asks users for 50 permissions, which includes access to SMS (including permission to intercept and send them) and phone contacts (including permission to modify phone contacts), permission to read, write or delete files in a device’s external storage, and permission to initiate a phone call.

Once it gains the necessary permissions, Nexus banking trojan will collect information about the device (e.g. OS version, IP address, phone number, and mobile network data). It also checks the installed apps for a match to its targetted apps. If it finds a match, Nexus banking trojan downloads an HTML injection code. When you try to open your banking app, the trojan would show a fake overlay screen that matches how the app looks. If you type your login credentials, the trojan would immediately send them to the trojan operators. Essentially, by misusing accessibility services, the app can steal login credentials from 40 different banking apps.

The Nexus banking trojan can also record keystrokes, and manage SMSs, calls, and notifications (e.g. read SMS, send, and delete them). Access to SMS messages allows the trojan to intercept messages with one-time passwords and multi-factor authentication codes. It can also access Google Authenticator to get the necessary codes. Because the trojan can manage notifications, it can hide legitimate and show fake ones. It could also delete apps, open apps, lock/unlock the device, open URLs in your browser, display fake system alert overlays, and steal login credentials for cryptocurrency wallets (e.g. Exodus or Trust). Finally, it can manage connected external storage (e.g. read or delete files in it).

Evidently, Nexus banking trojan is a very serious malware infection that can have very serious consequences, including serious financial loss and lost access to important accounts. It can be detected by an anti-virus app installed on the device but can be quite difficult to notice without it.

How is Nexus banking trojan distributed?

According to Cyble, Nexus is currently being distributed through phishing pages that are disguised to look like legitimate YouTube Vanced websites (e.g. youtubeadvanced.net and youtubevanvedadw.net). Links to these fake websites may be promoted on various forums and other websites, where users may come across them, believe the sites to be legitimate and download the malicious app.

How can you avoid infecting your Android device with malware:

• Use official sources (official websites and stores) to download apps.

One of the most common ways users pick up malware is by downloading apps from unofficial websites and poorly regulated third-party app stores. Official stores like Google Play Store and iOS App Store have security measures to prevent malicious apps from being listed. It’s not impossible that the Google Play Store would have a malicious app on it because cybercriminals constantly come up with ways to bypass its security measures. Nonetheless, the chances of you downloading malware from a legitimate app store are significantly smaller than when using unregulated third-party app stores.

It should also be mentioned that you need to research apps before installing them. Oftentimes, a simple search with a search engine is enough.

• Always question why an app requests the permissions it does.

Before installing any app, review its requested permissions and consider why it needs the permissions. For example, if a mobile game or a photo editing app requests permission to access your contacts, SMS messages, etc., when they clearly do not need them to function, it should cause suspicion. If you notice permission requests that do not make sense, do not install the app.

• Secure your accounts with multi-factor authentication whenever possible.

To prevent unauthorized access to your accounts even when your passwords are known, you need to enable multi-factor authentication.

• Do not click on unknown links in emails, text messages, or anywhere else.

To prevent malware and avoid falling for phishing campaigns, you should never click on unknown links in emails, text messages, random websites, etc. Malicious actors often try to phish users’ credentials by sending SMS messages with links to fake online bank login pages. A link may also redirect you to a site that initiates a malicious download.

• Install updates regularly.

Make sure to install updates on a regular basis. Malware often uses vulnerabilities to get in and updates patch known ones, preventing an infection. So by simply installing updates as they come out, you would be preventing infections.

How to remove Nexus banking trojan from Android

If you believe your Android device is infected, you need to take urgent action to remove Nexus banking trojan. Immediately disable the WiFi and remove your SIM card to prevent the malware from turning on mobile data. When your device is disconnected from the Internet, perform a factory reset. If you want to have a backup of your personal files, make sure you exclude the apps. If you cannot do a factory reset for whatever reason, try removing the app manually while the internet is disabled.

When you are completely sure that your device is clean, change all your passwords as soon as possible. Check all your bank transactions and if you notice anything amiss, immediately contact your bank to inform them of the situation. They may be able to reverse the transactions(s).

Offers

Download Removal Toolto scan for Nexus banking trojanUse our recommended removal tool to scan for Nexus banking trojan. Trial version of provides detection of computer threats like Nexus banking trojan and assists in its removal for FREE. You can delete detected registry entries, files and processes yourself or purchase a full version.

More information about SpyWarrior and Uninstall Instructions. Please review SpyWarrior EULA and Privacy Policy. SpyWarrior scanner is free. If it detects a malware, purchase its full version to remove it.

• 

  WiperSoft Review Details WiperSoft (www.wipersoft.com) is a security tool that provides real-time security from potential threats. Nowadays, many users tend to download free software from the Intern ...

  Download|more
• 

  Is MacKeeper a virus? MacKeeper is not a virus, nor is it a scam. While there are various opinions about the program on the Internet, a lot of the people who so notoriously hate the program have neve ...

  Download|more
• 

  While the creators of MalwareBytes anti-malware have not been in this business for long time, they make up for it with their enthusiastic approach. Statistic from such websites like CNET shows that th ...

  Download|more

Quick Menu

Step 1. Delete Nexus banking trojan using Safe Mode with Networking.

• Windows 8/8.1/10
• Windows XP/7/Vista

Remove Nexus banking trojan from Windows 7/Windows Vista/Windows XP

1. Click on Start and select Shutdown.
2. Choose Restart and click OK.
3. Start tapping F8 when your PC starts loading.
4. Under Advanced Boot Options, choose Safe Mode with Networking.
5. Open your browser and download the anti-malware utility.
6. Use the utility to remove Nexus banking trojan

Remove Nexus banking trojan from Windows 8/Windows 10

1. On the Windows login screen, press the Power button.
2. Tap and hold Shift and select Restart.
3. Go to Troubleshoot → Advanced options → Start Settings.
4. Choose Enable Safe Mode or Safe Mode with Networking under Startup Settings.
5. Click Restart.
6. Open your web browser and download the malware remover.
7. Use the software to delete Nexus banking trojan

Step 2. Restore Your Files using System Restore

• Windows 8/8.1/10
• Windows XP/7/Vista

Delete Nexus banking trojan from Windows 7/Windows Vista/Windows XP

1. Click Start and choose Shutdown.
2. Select Restart and OK
3. When your PC starts loading, press F8 repeatedly to open Advanced Boot Options
4. Choose Command Prompt from the list.
5. Type in cd restore and tap Enter.
6. Type in rstrui.exe and press Enter.
7. Click Next in the new window and select the restore point prior to the infection.
8. Click Next again and click Yes to begin the system restore.

Delete Nexus banking trojan from Windows 8/Windows 10

1. Click the Power button on the Windows login screen.
2. Press and hold Shift and click Restart.
3. Choose Troubleshoot and go to Advanced options.
4. Select Command Prompt and click Restart.
5. In Command Prompt, input cd restore and tap Enter.
6. Type in rstrui.exe and tap Enter again.
7. Click Next in the new System Restore window.
8. Choose the restore point prior to the infection.
9. Click Next and then click Yes to restore your system.