A new Android banking trojan named Herodotus has emerged on the mobile threat landscape, notable for a technique aimed at evading behavioural anti-fraud detection.
During routine monitoring of malicious distribution channels, the Mobile Threat Intelligence service discovered previously unseen malicious samples being distributed alongside established malware families such as Hook and Octo.
Despite sharing distribution infrastructure with those families, the samples were closer in code to Brokewell, a malware family previously identified by ThreatFabric analysts.
Herodotus is nonetheless a distinct threat: it combines Brokewell components with original code written for evasion.
Active campaigns have been observed targeting users in Italy and Brazil, with the malware offered as Malware-as-a-Service by threat actor K1R0 on underground forums.
ThreatFabric researchers identified that Herodotus follows modern banking trojan trends while introducing a capability distinguishing it from other device takeover malware—mimicking human behaviour during remote control sessions to bypass behavioural biometrics detection.
The infection chain begins with side-loading, likely driven by SMiShing campaigns that lead victims to a malicious download link.
Once deployed, Herodotus uses a custom dropper built to get around the restrictions that Android 13 and later place on side-loaded apps enabling Accessibility Services.
After installation, the dropper launches the payload and opens the Accessibility Service settings page, prompting the victim to enable the service; a fake loading-screen overlay hides the fact that dangerous permissions are being granted in the background.
Once running, Herodotus collects the list of installed applications and sends it to its command-and-control server, which replies with the list of targeted applications and the overlay links to use for each.
The trojan then draws fake login screens over the targeted banking apps to harvest credentials, and intercepts SMS messages to capture two-factor authentication codes.
Humanising Fraudulent Transactions
What sets Herodotus apart is its approach to text input automation during device takeover attacks.
Traditional remote access trojans fill input fields directly, either by sending the Accessibility action ACTION_SET_TEXT to the target node or by pasting from the clipboard, so the complete string appears in the field in a single event.
Such machine-like input produces patterns that behavioural anti-fraud systems flag as indicators of automation.
Herodotus instead splits the operator-specified text into individual characters and injects each one as its own input event after a random delay.
The delay between character input events is drawn from a range of 300 to 3000 milliseconds, which is meant to resemble natural typing.
This randomisation is aimed at rudimentary behavioural checks that only look at raw input timing; systems that model an individual user's typing profile (for example their usual inter-key intervals and how much those vary) can still flag the session as anomalous, because uniformly random pauses of up to three seconds do not resemble any user's enrolled rhythm.
The malware panel includes a checkbox labeled “Delayed text” that operators toggle to enable human-like input simulation.
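The timing trick described above, as an added illustration that is not part of the original article or of any ThreatFabric tooling: a small Python check over constructed keystroke-event logs. It shows why per-character injection with random 300-3000 ms delays passes a naive "too fast or too bulky to be human" rule but still stands out against an enrolled per-user typing profile. The event format, the sample generators and the profile numbers (180 ms mean, 40 ms standard deviation) are assumptions made for this example.

```python
"""Added example (not from the article): keystroke-timing checks that contrast a
rudimentary rule with a per-user profile, run over constructed event logs."""
import random
import statistics

# Constructed event format: (timestamp_ms, field_text_after_event).
# Each tuple records what the input field contained once the event landed.


def inter_key_intervals(events):
    """Return (deltas_ms, chars_per_event): timing gaps and text added per event."""
    deltas, per_event = [], []
    prev_ts, prev_len = None, 0
    for ts, text in events:
        if prev_ts is not None:
            deltas.append(ts - prev_ts)
        per_event.append(len(text) - prev_len)
        prev_ts, prev_len = ts, len(text)
    return deltas, per_event


def naive_check(events):
    """Rudimentary rule: flag bulk text (ACTION_SET_TEXT / paste) or gaps under 50 ms.
    Per-character injection with 300-3000 ms delays passes this check."""
    deltas, per_event = inter_key_intervals(events)
    if any(n > 1 for n in per_event):
        return "automated: bulk text in one event"
    if any(d < 50 for d in deltas):
        return "automated: inhumanly fast"
    return "looks human"


def profile_check(events, user_mean_ms, user_stdev_ms, z_limit=3.0):
    """Per-user model: compare the session's mean and spread of inter-key intervals
    against an enrolled profile. Uniform 300-3000 ms delays average ~1650 ms with a
    spread of ~780 ms, far from a typist enrolled at e.g. 180 +/- 40 ms."""
    deltas, per_event = inter_key_intervals(events)
    if any(n > 1 for n in per_event) or len(deltas) < 5:
        return "automated or too few events"
    mean = statistics.fmean(deltas)
    spread = statistics.pstdev(deltas)
    if abs(mean - user_mean_ms) > z_limit * user_stdev_ms or spread > 3 * user_stdev_ms:
        return "anomalous: timing does not match enrolled profile"
    return "matches profile"


# --- constructed sample sessions (assumptions, not captured data) ---

def bulk_set_text_events(text):
    """Classic device-takeover input: the whole string lands in one event."""
    return [(0, text)]


def delayed_text_events(text, seed=1):
    """Mimics the 'Delayed text' mode: one character per event, 300-3000 ms gaps."""
    rng = random.Random(seed)
    ts, typed, events = 0, "", []
    for ch in text:
        ts += rng.randint(300, 3000)
        typed += ch
        events.append((ts, typed))
    return events


def human_events(text, seed=1):
    """Constructed human-like typing: ~180 ms mean gap with modest jitter."""
    rng = random.Random(seed)
    ts, typed, events = 0, "", []
    for ch in text:
        ts += max(60, int(rng.gauss(180, 40)))
        typed += ch
        events.append((ts, typed))
    return events


if __name__ == "__main__":
    secret = "Passw0rd!2024"  # constructed sample input
    for name, session in [("bulk", bulk_set_text_events(secret)),
                          ("delayed", delayed_text_events(secret)),
                          ("human", human_events(secret))]:
        print(f"{name:8s} naive: {naive_check(session):32s} "
              f"profile: {profile_check(session, 180, 40)}")
```

The naive rule treats the delayed session exactly like the human one, which is the evasion the operator is buying with the "Delayed text" checkbox; the profile check flags it because the session's mean gap is an order of magnitude above the enrolled user's and its variance is far too wide. Real behavioural-biometrics products use richer features (dwell time, per-bigram latencies, touch pressure and position), but the same principle applies: randomness within a fixed range is not the same as a person's rhythm.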