Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover (DTO) attacks.
“Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection,” ThreatFabric said in a report shared with The Hacker News.
The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16.
It’s assessed that while the malware is not a direct evolution of another banking malware known as Brokewell, it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., “BRKWL_JAVA”).
Herodotus is also the latest in a long list of Android malware to abuse accessibility services to realize its goals. Distributed via dropper apps masquerading as Google Chrome (package name “com.cd3.app”) through SMS phishing or other social engineering ploys, the malicious program leverages the accessibility feature to interact with the screen, serve opaque overlay screens to hide malicious activity, and conduct credential theft by displaying bogus login screens atop financial apps.
Additionally, it can also steal two-factor authentication (2FA) codes sent via SMS, intercept everything that’s displayed on the screen, grant itself extra permissions as required, grab the lockscreen PIN or pattern, and install remote APK files.
But where the new malware stands out is in its ability to humanize fraud and evade timing-based detections. Specifically, this includes an option to introduce random delays when initiating remote actions such as typing text on the device. This, ThreatFabric said, is an attempt by the threat actors to make it seem like the input is being entered by an actual user.
“The delay specified is in the range of 300 – 3000 milliseconds (0,3 – 3 seconds),” it explained. “Such a randomization of delay between text input events does align with how a user would input text. By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input.”
ThreatFabric said it also obtained overlay pages used by Herodotus targeting financial organisations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges, indicating that the operators are attempting to actively expand their horizons.
“It is under active development, borrows techniques long associated with the Brokewell banking Trojan, and appears purpose-built to persist inside live sessions rather than simply steal…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
