

Ethical Hacking News

New Herodotus Android malware fakes human typing to avoid detection



New Herodotus Android malware fakes human typing to avoid detection, using random delay injection in its input routines to mimic human behavior on mobile devices. This advanced technique evades timing-based detection by security software, making it a significant threat to Android users.

  • Herodotus malware uses advanced techniques to evade detection by security software.
  • The malware mimics human behavior on mobile devices to avoid detection.
  • The malware achieves this by injecting random delays into its input routines.
  • The Herodotus malware has already begun to spread in the wild, targeting Italian and Brazilian users through SMS phishing.
  • The malware provides operators with various features, including control panels and overlays to steal account credentials.
  • Android users are advised to avoid downloading APK files from outside Google Play and revoke risky permissions like Accessibility.



    Android users are facing a new and sophisticated threat in the form of Herodotus, a recently discovered Android malware family that uses advanced techniques to evade detection by security software. According to Threat Fabric, Herodotus is offered as a malware-as-a-service (MaaS) platform believed to be linked to the Brokewell malware family, and it is designed to mimic human behavior on mobile devices in order to avoid detection.

    The malware achieves this by injecting random delays into its input routines, allowing it to type with a varying speed and cadence that closely resembles human typing. This technique is intended to evade timing-based detection by security software, which often relies on identifying unusual patterns of behavior in order to detect malware.

    Threat Fabric reports that the Herodotus malware has already begun to spread in the wild, with several threat actors detected using distinct subdomains to deploy it against Italian and Brazilian users through SMS phishing (smishing) text messages. The malicious SMS contains a link to a custom dropper that installs the primary payload and attempts to bypass Accessibility permission restrictions present in Android 13 and later.

    Upon installation, the malware opens the Accessibility settings on the user's device and prompts them to enable the service. Once granted access, Herodotus can interact with the Android user interface, tapping at specific screen coordinates, swiping, going back, and entering text (clipboard paste or keyboard typing). The malware even includes a 'humanizer' mechanism that causes it to type with random delays of 0.3 to 3 seconds, mimicking human typing and evading detection.

    Threat Fabric notes that delays in Android malware typically serve to let the app UI respond to one input before the next action is sent. Herodotus' randomized delays are a novel take on this technique, likely implemented to evade behavioral detection systems.
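    As an added illustration of the defensive side (example code, not from the article or from Threat Fabric), the Python heuristic below classifies a burst of text-input events by cadence into fixed-delay automation, the uniform 0.3 to 3 second jitter described above, or human-like typing. The sample interval lists and the thresholds (a 300 ms floor, a 3000 ms ceiling, a coefficient-of-variation cut of 0.3, a minimum of 8 events) are constructed assumptions for this example, not a published signature.

```python
import statistics

# Thresholds are illustrative assumptions for this example, not a published signature.
HUMANIZER_MIN_MS = 300   # the 0.3 s floor described in the article
HUMANIZER_MAX_MS = 3000  # the 3 s ceiling described in the article
MIN_EVENTS = 8           # fewer keystrokes than this gives no usable cadence

# Constructed sample data: milliseconds between consecutive typed/injected characters.
FIXED_DELAY_MS = [500] * 12
HUMANIZED_MS = [312, 2870, 1450, 2995, 640, 2210, 1790, 305, 2650, 980, 1330, 2430]
HUMAN_MS = [95, 140, 110, 620, 130, 105, 1900, 120, 160, 98, 210, 135]


def intervals_from_timestamps(timestamps_ms):
    """Turn a sorted list of text-input event timestamps into inter-event gaps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def cadence_features(intervals):
    """Summarise a keystroke cadence: mean, coefficient of variation, min and max gap."""
    mean = statistics.fmean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean > 0 else 0.0
    return {"mean_ms": mean, "cv": cv, "min_ms": min(intervals), "max_ms": max(intervals)}


def classify_cadence(intervals):
    """Label a burst of text input as human-like or as one of two automation patterns.

    Rationale: real typing contains many sub-300 ms keystrokes, so a burst whose every
    gap sits inside the humanizer's 0.3-3 s band, yet with high dispersion, is suspicious;
    near-zero dispersion is the classic fixed-sleep automation the humanizer replaces.
    """
    if len(intervals) < MIN_EVENTS:
        return "insufficient-data"
    f = cadence_features(intervals)
    if f["cv"] < 0.05:
        return "fixed-delay-automation"
    in_band = f["min_ms"] >= HUMANIZER_MIN_MS and f["max_ms"] <= HUMANIZER_MAX_MS
    if in_band and f["cv"] >= 0.3:
        return "randomized-delay-automation"
    return "human-like"


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_DELAY_MS), ("humanized", HUMANIZED_MS), ("human", HUMAN_MS)):
        print(name, classify_cadence(sample), cadence_features(sample))
```

    A real detector would combine cadence with other signals (Accessibility-service origin of the events, overlay activity, SMS access), since a single timing feature is easy to tune around.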

    Apart from its evasion techniques, Herodotus provides operators with a range of features, including:

    * Control panel with options for custom SMS text
    * Overlay pages mimicking banking and crypto apps to steal account credentials
    * Opaque overlays that hide fraud from the victim
    * SMS stealer for two-factor authentication code interception
    * Capturing screen content

    Threat Fabric reports that Herodotus is being spread by several threat actors, based on the detection of seven distinct subdomains. This indicates that the malware has already begun to gain traction in the wild.

    To mitigate this risk, Android users are advised to avoid downloading APK files from outside Google Play unless they explicitly trust the publisher and ensure Play Protect is active on their device. Even with these precautions, it is essential to scrutinize and revoke risky permissions, such as Accessibility, for newly installed apps.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Herodotus-Android-malware-fakes-human-typing-to-avoid-detection-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-herodotus-android-malware-fakes-human-typing-to-avoid-detection/

  • https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html

  • https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/


  • Published: Tue Oct 28 08:59:32 2025 by llama3.2 3B Q4_K_M
