Affiliate links on Android Authority may earn us a commission. Learn more.
October 29, 2025
Update, October 29, 2025 (11:03 AM ET): Google has reached out to Android Authority concerning this report, and a spokesperson shares a comment:
Original article, October 29, 2025 (08:52 AM ET):Â Researchers at cybersecurity firm ThreatFabric have identified a new Android banking trojan, dubbed Herodotus, that takes deception a step further by mimicking human behavior during remote-control sessions to avoid detection. The malware can intercept SMS messages to capture 2FA codes, deploy overlay pages to steal login credentials, and abuse accessibility services to log on-screen activity. Attackers can then use this access to navigate banking apps and initiate fraudulent transactions.
Don’t want to miss the best from Android Authority?
Herodotus is already being spread through known Android malware channels and is built to take over a victim’s device. It employs common banking-trojan tactics, such as fake login screens, SMS interception, and abusive accessibility permissions, but introduces a new twist by attempting to mimic genuine user actions to remain undetected.
According to ThreatFabric (via The Record), the malware’s operators use delays of 0.3-3 seconds between individual keystrokes and mimic swipes or taps, making the automated session appear more like human interaction and less like a bot.
Campaigns linked to Herodotus have been spotted in Italy (where the malware masqueraded as an app called Banca Sicura) and in Brazil (posing as Modulo Seguranca Stone).
Once the malware gains a foothold via a side-loaded dropper or SMiShing link, it asks victims to enable accessibility services, then runs an overlay to hide its activities while carrying out credential harvesting or money transfers. The malware even reports installed apps to a command-and-control server, so attackers know exactly when a target opens a banking or wallet app and can then trigger the fake interface.
What sets Herodotus apart from most Android Trojans is this layering of human-style input behavior atop device takeover. While older Trojans often pasted text or clicked elements at machine speed, which made them easier to flag, Herodotus introduces random delays between inputs, making behavioral-biometrics systems less likely to pick it up. As such, ThreatFabric warns that fraud controls that focus solely on typing speed or input cadence may now find themselves out-matched.
Although the malware is currently in an early stage and its developers are already marketing it as Malware-as-a-Service (MaaS), the implications are serious for banks, wallet apps, and users alike. Fraud teams are being advised to go beyond simple behavioral flags and monitor deeper device-environment indicators.
For most people, the takeaway is straightforward: Avoid installing apps from outside the Play Store, don’t tap on suspicious links, and keep your phone’s security features turned on. You can also periodically scan your Android phone for malware using Google Play Protect to be extra safe.
Thank you for being part of our community. Read our Comment Policy before posting.