Ethical Hacking News	
	
A new Android banking Trojan called Herodotus has been discovered, boasting advanced capabilities that allow it to evade anti-fraud systems by mimicking human behavior. This novel approach highlights the ongoing evolution in malware tactics and underscores the need for security experts to stay vigilant and adapt their defenses accordingly. 
  
The new Android banking trojan called Herodotus was recently discovered by ThreatFabric. Herodotus is designed to perform device takeover (DTO) attacks and mimic human behavior to bypass behavioral biometrics detection. The malware is sold under the malware-as-a-service (MaaS) model and can run on Android versions 9-16. Herodotus leverages accessibility services, obfuscation techniques, and display overlays to conduct credential theft and evade timing-based detections. The malware can also steal 2FA codes, intercept screen content, grant itself extra permissions, and install remote APK files. The threat actors use social engineering tactics like SMS phishing to distribute the malware. Herodotus is distinguishable from other banking malware by its "humanizing" of fraud: it evades detection by inserting random delays between text input events.
 
The cybersecurity landscape has witnessed another nefarious player emerge, as ThreatFabric, a renowned Dutch security company, recently disclosed details of a new Android banking trojan called Herodotus. The discovery of this malware marks a significant development in the ongoing cat-and-mouse game between cybercriminals and security experts. In this article, we will delve into the intricacies of Herodotus and explore its capabilities, as well as the measures being taken to combat it.
Herodotus is designed to perform device takeover (DTO) attacks while making initial attempts to mimic human behavior and bypass behavior biometrics detection. This novel approach sets it apart from other banking malware, such as Brokewell, which has been a benchmark for Android banking trojans in the past. According to ThreatFabric, Herodotus was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16.
The Dutch security company noted that while Herodotus is not a direct evolution of Brokewell, it has taken certain parts of it to put together this new strain. This includes similarities in the obfuscation technique used and direct mentions of Brokewell in Herodotus (e.g., "BRKWL_JAVA"). Furthermore, Herodotus leverages accessibility services to interact with the screen, serve opaque overlay screens to hide malicious activity, and conduct credential theft by displaying bogus login screens atop financial apps.
Moreover, this malware can also steal two-factor authentication (2FA) codes sent via SMS, intercept everything that's displayed on the screen, grant itself extra permissions as required, grab the lockscreen PIN or pattern, and install remote APK files. Herodotus is distributed via dropper apps masquerading as Google Chrome through SMS phishing or other social engineering ploys.
However, what sets this malware apart from its predecessors is its ability to humanize fraud and evade timing-based detections. Specifically, it includes an option to introduce random delays when initiating remote actions such as typing text on the device. This randomization of delay between text input events aligns with how a user would input text, making it seem like the input is being entered by an actual user.
ThreatFabric observed that this randomization of delay allows the threat actors to avoid being detected by behavior-only anti-fraud solutions spotting machine-like speed of text input. This novel approach underscores the ongoing evolution in malware tactics and the need for security experts to stay vigilant and adapt their defenses accordingly.
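To make the detection problem concrete, the following added example (not ThreatFabric's or any vendor's code; all timestamps and thresholds are constructed for illustration) scores inter-event timing of text input the way a behavior-only anti-fraud check might, and shows why a randomized delay defeats a speed-only or dispersion-only heuristic:

```python
"""Inter-keystroke timing heuristics for telling scripted text entry from
human typing. Added example with constructed data; the thresholds are
assumptions, not values from any product or from the Herodotus report."""
import statistics

# Constructed timestamps (ms) of successive text-input events on a device.
HUMAN_MS = [0, 180, 310, 520, 640, 900, 1010, 1230, 1300, 1560]
SCRIPTED_FIXED_MS = [0, 20, 40, 60, 80, 100, 120, 140, 160, 180]   # machine pace
SCRIPTED_JITTER_MS = [0, 150, 420, 500, 770, 880, 1120, 1250, 1490, 1600]

MIN_HUMAN_GAP_MS = 50   # assumed floor: taps rarely land faster than this
MIN_HUMAN_CV = 0.2      # assumed: human inter-key gaps vary noticeably


def inter_event_gaps(ts):
    """Time between consecutive input events, in ms."""
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def timing_features(ts):
    """Minimum gap, mean gap and coefficient of variation of the gaps."""
    gaps = inter_event_gaps(ts)
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return {"min_gap_ms": min(gaps), "mean_gap_ms": mean, "cv": round(cv, 3)}


def speed_only_verdict(ts):
    """Naive rule: flag input whose average pace is faster than a human's."""
    return "scripted" if timing_features(ts)["mean_gap_ms"] < MIN_HUMAN_GAP_MS \
        else "human-like"


def timing_verdict(ts):
    """Stricter timing-only rule: flag impossibly fast gaps or near-constant pace.
    Jittered scripted input still passes, which is the gap Herodotus exploits;
    a robust detector must add signals beyond keystroke timing."""
    f = timing_features(ts)
    if f["min_gap_ms"] < MIN_HUMAN_GAP_MS or f["cv"] < MIN_HUMAN_CV:
        return "scripted"
    return "human-like"


if __name__ == "__main__":
    for name, ts in [("human", HUMAN_MS), ("fixed", SCRIPTED_FIXED_MS),
                     ("jitter", SCRIPTED_JITTER_MS)]:
        print(name, timing_features(ts), speed_only_verdict(ts), timing_verdict(ts))
```

Running it shows the fixed-pace sequence is caught by both rules while the jittered sequence is classified "human-like" by both, so a timing signal should only be one input to a broader behavioral model.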
The company also obtained overlay pages used by Herodotus targeting financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges, indicating that the operators are actively expanding their target set. The malware is under active development, borrows techniques long associated with the Brokewell banking Trojan, and appears purpose-built to persist inside live banking sessions and take over accounts in real time, rather than simply stealing static credentials for later use.
As security experts continue to grapple with this new threat, it is essential to understand its implications and how to mitigate them. The emergence of Herodotus highlights the ongoing struggle between cybersecurity professionals and malicious actors. As we move forward, it is crucial to stay informed about emerging threats and develop effective strategies to combat them.
The discovery of Herodotus serves as a reminder that the threat landscape continues to evolve, and security experts must remain proactive in their efforts to stay ahead of malicious actors. By staying vigilant and adapting our defenses accordingly, we can better protect ourselves against this evolving threat.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Android-Banking-Trojan-Herodotus-Outsmarts-Anti-Fraud-Systems-by-Typing-Like-a-Human-ehn.shtml
https://thehackernews.com/2025/10/new-android-trojan-herodotus-outsmarts.html
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://www.threatfabric.com/blogs/threatfabric-uncovers-cyber-espionage-linked-to-state-backed-group-misusing-mobile-payment-systems
https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html
Published: Tue Oct 28 15:27:29 2025 by llama3.2 3B Q4_K_M