
New Android malware acts like a human to avoid detection



Rita El Khoury / Android Authority

TL;DR

  • A new Android banking Trojan called Herodotus mimics human behaviour, such as random keystroke delays, to evade detection tools.
  • The malware employs device-takeover tactics, including the abuse of accessibility services, overlay attacks, and SMS interception.
  • Fraud and security systems that rely only on input rhythm or speed may struggle to catch Herodotus, making deeper device-environment monitoring vital.

Researchers at cybersecurity firm ThreatFabric have identified a new Android banking trojan, dubbed Herodotus, that takes deception a step further by mimicking human behavior during remote-control sessions to avoid detection. The malware can intercept SMS messages to capture 2FA codes, deploy overlay pages to steal login credentials, and abuse accessibility services to log on-screen activity. Attackers can then use this access to navigate banking apps and initiate fraudulent transactions.


Herodotus is already being spread through known Android malware channels and is built to take over a victim’s device. It employs common banking-trojan tactics, such as fake login screens, SMS interception, and abusive accessibility permissions, but introduces a new twist by attempting to mimic genuine user actions to remain undetected.

According to ThreatFabric (via The Record), the malware’s operators use delays of 0.3-3 seconds between individual keystrokes and mimic swipes or taps, making the automated session appear more like human interaction and less like a bot.

Herodotus.A Android Trojan description by ThreatFabric

Campaigns linked to Herodotus have been spotted in Italy (where the malware masqueraded as an app called Banca Sicura) and in Brazil (posing as Modulo Seguranca Stone).

Once the malware gains a foothold via a side-loaded dropper or SMiShing link, it asks victims to enable accessibility services, then runs an overlay to hide its activities while carrying out credential harvesting or money transfers. The malware even reports installed apps to a command-and-control server, so attackers know exactly when a target opens a banking or wallet app and can then trigger the fake interface.

What sets Herodotus apart from most Android Trojans is this layering of human-style input behaviour atop device takeover. While older Trojans often pasted text or clicked elements at machine speed, which made them easier to flag, Herodotus introduces random delays between inputs, making behavioural-biometrics systems less likely to pick it up. As such, ThreatFabric warns that fraud controls that focus solely on typing speed or input cadence may now find themselves out-matched.
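A short added example (not from ThreatFabric or the original article) of why a speed-only cadence rule misses this kind of session, and of one distribution-shape check a fraud team could layer on top. All timing samples are constructed; the 0.3-3 second range is from the article, while the uniform draw, the log-normal human model and both thresholds are assumptions.

```python
import math
import random
import statistics

def speed_only_flag(intervals, floor_s=0.05):
    """Cadence rule that only catches machine-speed input (floor_s is an assumed threshold)."""
    return statistics.median(intervals) < floor_s

def ks_distance_to_uniform(intervals):
    """Kolmogorov-Smirnov distance between the sample and a flat distribution over its own range."""
    xs = sorted(intervals)
    lo, hi, n = xs[0], xs[-1], len(xs)
    if hi == lo:
        return 0.0  # constant timing is perfectly flat
    d = 0.0
    for i, x in enumerate(xs):
        u = (x - lo) / (hi - lo)  # uniform CDF evaluated at x
        d = max(d, abs((i + 1) / n - u), abs(i / n - u))
    return d

def classify(intervals, flat_threshold=0.2):
    """Layered check: speed first, then shape of the inter-keystroke delays."""
    if speed_only_flag(intervals):
        return "machine-speed"
    if ks_distance_to_uniform(intervals) < flat_threshold:
        return "flat-randomized"  # delays spread evenly across a fixed window
    return "no-flag"

def constructed_sessions(n=300, seed=7):
    """Constructed inter-keystroke intervals in seconds; none of this is captured data."""
    rng = random.Random(seed)
    return {
        # older trojans: text pasted or clicked at machine speed
        "paste_bot": [rng.uniform(0.005, 0.02) for _ in range(n)],
        # range from the article; drawing it uniformly is an assumption
        "delayed_bot": [rng.uniform(0.3, 3.0) for _ in range(n)],
        # assumed human model: short bursts with a long tail of pauses
        "human": [rng.lognormvariate(math.log(0.2), 0.6) for _ in range(n)],
    }

if __name__ == "__main__":
    for name, iv in constructed_sessions().items():
        print(name, speed_only_flag(iv), round(ks_distance_to_uniform(iv), 3), classify(iv))
```

A shape check like this is still an input-rhythm signal, so it complements rather than replaces the device-environment indicators the researchers recommend.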

Although the malware is still at an early stage, its developers are already marketing it as Malware-as-a-Service (MaaS), and the implications are serious for banks, wallet apps, and users alike. Fraud teams are being advised to go beyond simple behavioural flags and monitor deeper device-environment indicators.
