Herodotus Trojan Unleashes Powerful Human-Like Attack – Techgenyz

A new Android banking trojan named Herodotus has emerged that deliberately mimics human interaction patterns to slip past behavior-based fraud detection. Security researchers at ThreatFabric, along with multiple reporting outlets, describe Herodotus as a malware-as-a-service (MaaS) offering.
Its operators are already deploying it in targeted smishing (SMS phishing) campaigns against users in Italy and Brazil. The malware is notable not just for its classic mobile fraud techniques but for introducing timing and input randomness intended to defeat rhythm- and timing-based anti-fraud checks.
Herodotus combines several well-known device takeover (DTO) tactics with a novel focus on human-like input simulation. Attackers deliver the initial payload through SMS phishing links that install a custom dropper. The dropper abuses the Android Accessibility service to obtain broad control of the device: it walks the victim through granting the Accessibility permission while overlay screens hide the permission-granting steps behind what looks like a benign loading screen. Once the service is enabled, the trojan can read incoming SMS messages to capture one-time passwords, deploy overlay pages to harvest credentials, and remotely drive apps to initiate fraudulent bank transfers.
What differentiates Herodotus from many of its predecessors is the random delay injection built into its input routines. Rather than sending rapid, predictable automated keystrokes, the malware inserts variable pauses between characters so that its typing resembles human hesitation and rhythm. This undermines detection rules and anti-fraud heuristics that assume bots type uniformly fast or follow mechanical timing patterns.
Anti-fraud and behavioral biometrics systems often flag anomalous input characteristics such as consistent inter-keystroke intervals, unnaturally fast navigation, or repetitive timing patterns. By introducing stochastic delays and more organic input traces, Herodotus reduces the signal that these systems rely on to classify a session as automated or fraudulent.
In practice, this means that a remote operator driving a compromised phone can look like the legitimate owner typing and navigating on their own device. Because the session originates from the victim's real handset, the device fingerprint and network origin also look normal, so transactions and authentication flows appear legitimate to both the bank and device-monitoring tools.
Beyond defeating timing checks, the malware's combined use of SMS interception and overlay attacks means attackers can both obtain 2FA codes and show victims convincing fake interfaces that capture credentials. The Accessibility abuse ensures broad control even on recent Android versions, including devices running Android 13 and later, whose restricted-settings prompt is meant to stop sideloaded apps from enabling Accessibility services: the dropper guides the user through the approval flow and then completes sensitive actions in the background.
Current campaigns attributed to Herodotus focus on Italy and Brazil, where observers have seen active smishing distribution and successful device-takeover incidents. The threat actors market Herodotus through a MaaS model, putting it in the hands of financially motivated groups that may not possess deep development skills themselves. The MaaS structure speeds adoption and iteration, increasing the urgency for financial institutions and mobile security vendors to adapt their detection strategies.
Defending against Herodotus requires a layered approach that moves beyond simple timing heuristics. Security teams should consider combining these measures:
Herodotus illustrates a concerning trend: adversaries are increasingly engineering malware to imitate legitimate human behavior rather than just automating attacks. That shift complicates detection but also creates an opportunity for defenders to evolve.
By fusing behavioral biometrics with richer contextual telemetry (which Accessibility service is enabled, whether another app is drawing over the banking app, whether text arrived through injected accessibility actions rather than touchscreen input) and stronger permission controls, institutions can restore discriminative power even against malware that deliberately "acts human": the malware can randomize its timing, but it is much harder to hide the fact that it is driving the device through an Accessibility service. The rapid spread of Herodotus through MaaS underscores the need for coordinated defensive updates across vendors and banks, as well as user awareness campaigns, to limit the trojan's impact.
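As an added illustration of the timing-randomization problem and the fusion approach described above (this is not code from the article or from ThreatFabric), the Python below runs a timing-only bot check and a context-aware check over three constructed keystroke traces: a naive bot with fixed delays, a Herodotus-style bot whose delays fall in an assumed 300-3000 ms window, and a human-like trace. The session fields `a11y_injected`, `unknown_a11y_service` and `overlay_active` are assumed telemetry that a bank's in-app SDK could collect; the thresholds and all sample values are illustrative, not tuned or observed figures.

```python
"""Added example: timing-only versus context-aware detection of scripted input.

All keystroke traces and telemetry flags below are constructed for this
illustration; none are real Herodotus samples or production thresholds.
"""
import random
import statistics
from dataclasses import dataclass
from typing import List


@dataclass
class Session:
    name: str
    intervals_ms: List[float]           # gaps between successive keystrokes
    a11y_injected: bool = False         # text set via accessibility actions, not touches (assumed SDK signal)
    unknown_a11y_service: bool = False  # a non-OEM accessibility service is enabled (assumed SDK signal)
    overlay_active: bool = False        # another app is drawing over the banking app (assumed SDK signal)


def humanlike_delays(n: int, low_ms: float, high_ms: float, seed: int) -> List[float]:
    """Model the malware's delay injection: uniform random pauses between keystrokes.

    The 300-3000 ms window used in this example is an assumption, not a measured value.
    """
    rng = random.Random(seed)
    return [rng.uniform(low_ms, high_ms) for _ in range(n)]


def coefficient_of_variation(xs: List[float]) -> float:
    """Spread relative to the mean; near zero means machine-like regularity."""
    if len(xs) < 2:
        return 0.0
    mean = statistics.fmean(xs)
    return statistics.pstdev(xs) / mean if mean else 0.0


def timing_only_verdict(s: Session, min_cv: float = 0.25, min_mean_ms: float = 80.0) -> str:
    """The classic heuristic: flag sessions that type too regularly or too fast."""
    cv = coefficient_of_variation(s.intervals_ms)
    mean = statistics.fmean(s.intervals_ms)
    return "bot" if cv < min_cv or mean < min_mean_ms else "human"


def context_aware_verdict(s: Session, min_cv: float = 0.25, min_mean_ms: float = 80.0) -> str:
    """Fuse the timing rule with device-state signals that delay jitter cannot disguise."""
    if s.a11y_injected or s.unknown_a11y_service or s.overlay_active:
        return "bot"
    return timing_only_verdict(s, min_cv, min_mean_ms)


# Constructed traces (milliseconds between keystrokes).
UNIFORM_BOT = Session("naive bot", [60.0] * 12,
                      a11y_injected=True, unknown_a11y_service=True)
# Values chosen from the assumed 300-3000 ms window and fixed so the example is reproducible.
JITTERED_BOT = Session("jittered bot",
                       [412.0, 1870.0, 955.0, 2640.0, 330.0, 1505.0,
                        2210.0, 780.0, 1390.0, 2980.0, 610.0, 1725.0],
                       a11y_injected=True, unknown_a11y_service=True)
HUMAN = Session("human", [180.0, 240.0, 95.0, 410.0, 160.0, 220.0, 130.0, 350.0, 190.0, 275.0])


def compare(sessions: List[Session]) -> dict:
    """Return {name: (timing_only_verdict, context_aware_verdict)} for each session."""
    return {s.name: (timing_only_verdict(s), context_aware_verdict(s)) for s in sessions}


if __name__ == "__main__":
    for s in (UNIFORM_BOT, JITTERED_BOT, HUMAN):
        print(f"{s.name:13s} cv={coefficient_of_variation(s.intervals_ms):.2f} "
              f"timing-only={timing_only_verdict(s):5s} context-aware={context_aware_verdict(s)}")
```

The timing rule alone clears the jittered bot: its coefficient of variation (about 0.57) sits well above the flat signature of the naive bot and is indistinguishable from the human trace on that axis. Only the device-state flags separate it from the human session, which is the practical content of the fusion argument above; a real deployment would also need those flags to be collected in a way the malware cannot suppress, since an Accessibility-driven trojan controls the very UI the SDK observes.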