You are using an older browser version. Please use a supported version for the best MSN experience.

New Nexus trojan targets 450 financial apps and is taking over bank accounts

Tom's Guide 23/03/2023 Anthony Spadafora
null © Shutterstock null

Cybercriminals are now using a new Android banking trojan capable of targeting 450 different banking and financial apps.

While the Nexus banking trojan may still be in the early development stage, a new report from the Italian cybersecurity firm Cleafy has highlighted the serious threat it poses to Android smartphone users.

If one of the best Android phones is infected with Nexus, cybercriminals can use the banking trojan’s capabilities to perform account takeovers, as it not only steals passwords from banking apps but can also intercept both two-factor authentication (2FA) codes sent via text and even codes from the Google Authenticator app. Like other similar malware, it does this by abusing Android’s accessibility services.

In a blog post from the threat intelligence firm Cyble released earlier this month, its security researchers detailed how Nexus is being distributed through phishing pages disguised as legitimate websites of YouTube Vanced, which is a modified third-party version of the popular online video platform.

Even though it’s still in its early days, Nexus is a banking trojan to keep an eye on as it already has pretty impressive abilities and will likely only improve further as development on it continues.


The Nexus banking trojan was first discovered in an advertisement on a Russian cybercrime forum which explained that it is a new project which is compatible with Android versions up to Android 13.

Just like with other banking trojans, it’s being distributed using a Malware-as-a-Service model where hackers pay other hackers for access to the malware. However, as The Hacker News points out, its creators have included explicit rules that prevent it from being used in the following countries: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

The way in which Nexus is able to steal and drain the bank accounts of victims is by performing overlay attacks. For those unfamiliar, these kinds of attacks involve putting an overlay or a fake version on top of a legitimate banking app. Victims go to login to their accounts as they normally do but the overlay captures their username and password. Likewise, Nexus also includes a keylogger to steal any passwords a user may type in or autofill on their phone.

In the latest version of Nexus, the banking trojan can now erase text messages received on an infected device, stop its 2FA stealer module and periodically update itself by pinging a cybercriminal-controlled command-and-control (C&C) server.

How to stay safe from Android malware

When it comes to the Nexus banking trojan and other Android malware, the first way that you can protect your devices and the data they contain is by not sideloading apps. While it may be convenient to install an app without going through an official app store like the Google Play Store, this also puts you at risk as you have no idea what its APK installation file may actually contain.

At the same time, you want to make sure that Google Play Protect is enabled on your Android smartphone as it scans any new apps you install as well as your existing apps for malware. For additional protection though, you may also want to install one of the best Android antivirus apps

Even if you only download apps from official sources, there’s still a chance that you may accidentally install a malicious app. Bad apps manage to slip through the cracks from time to time which is why you should always be careful when installing any new app. Read reviews, do your research and if an app seems too good to be true, it probably is.

Since the Nexus banking trojan is still being actively developed and likely bringing in quite a lot of money for its creators, this likely isn’t the last time we’ll hear about it, especially as new capabilities are added to it.

More from Tom's Guide

image beaconimage beaconimage beacon