A newly identified strain of Android malware, named Herodotus, poses a significant threat by stealing user credentials and compromising device security. This malware not only logs keystrokes and streams victims' screens, but it also hijacks user input. What sets Herodotus apart is its ability to mimic human typing patterns by introducing random delays between keystrokes, making it difficult for fraud detection systems to identify malicious activity.
According to researchers from the Dutch firm ThreatFabric, this trojan incorporates elements from an existing banking malware known as Brokewell, alongside its original components. The malware has been linked to device takeover attacks in countries such as Italy and Brazil. Although there have been no reports of Herodotus being utilized in other ongoing campaigns, the threat hunters have uncovered overlay pages that replicate legitimate banking and cryptocurrency applications used in regions including the United States, the United Kingdom, Turkey, and Poland.
These fraudulent screens appear on top of genuine login interfaces when users access banking applications, enabling the criminals to capture sensitive credentials and financial information. The individual behind Herodotus, who operates under the alias “K1R0” on underground criminal forums, began offering the malware as a service starting September 7. The researchers have warned that as the malware remains under active development, its use in global campaigns is likely to increase.
Herodotus infects devices primarily through side-loading, often initiated via SMS phishing messages containing malicious links that deliver the malware dropper. This dropper, also crafted by K1R0, has only been observed distributing Herodotus. Upon installation, it prompts the victim to enable accessibility services on their Android device, granting the attacker the ability to read, click, and swipe the device's screen.
Once operational, Herodotus behaves similarly to other banking trojans: it gathers information about installed applications and sends it to a command-and-control server, where it awaits instructions on which apps to target with credential-stealing overlays. Additionally, it records keystrokes, intercepts messages to capture one-time passwords, and extracts users' security PINs and fingerprints.
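The accessibility-service prompt is the point in the chain where a defender on a managed or investigated device can still see something concrete. Android exposes the list of enabled services through the secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`), a colon-separated list of `package/class` component names. The following triage helper, added here as an example and not part of the article or of ThreatFabric's tooling, parses that value and reports any service whose package is not on an allow-list. The sample value and the allow-list are constructed, and the package names in them are placeholders rather than real Herodotus indicators.

```python
"""Triage helper: flag unexpected Android accessibility services.

Added example, not part of the article. The setting name and the
colon-separated `package/class` format are Android's; the sample
value, the allow-list and every package name below are constructed
placeholders.
"""

# Assumed allow-list: services an organisation expects to see enabled.
DEFAULT_ALLOWLIST = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
}


def parse_enabled_services(setting_value):
    """Parse the raw `enabled_accessibility_services` value into (package, class) pairs.

    `adb shell settings get secure ...` prints `null` when the setting is unset,
    so that is treated the same as an empty value.
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    services = []
    for component in value.split(":"):
        if not component:
            continue
        package, _, cls = component.partition("/")
        # A class name written as `.Svc` is shorthand for `<package>.Svc`.
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(setting_value, allowlist=DEFAULT_ALLOWLIST):
    """Return the enabled services whose package is not on the allow-list."""
    return [svc for svc in parse_enabled_services(setting_value)
            if svc[0] not in allowlist]


# Constructed sample of what the setting might look like on an infected device:
# the legitimate screen reader plus a side-loaded app with a screen-controlling service.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded.app/.ScreenService"
)

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE_VALUE):
        print(f"unexpected accessibility service: {package} ({cls})")
```

Run it against the real value from a device by replacing `SAMPLE_VALUE` with the `adb` output; an empty result means every enabled service is on the allow-list, which is the state a device should be in after the SMS-phishing step described above has been refused.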
The unique feature of Herodotus is its sophisticated mimicry of human typing behavior during remote control sessions. According to the researchers, “In order to make the input look like it is typed in by an actual user, the text specified by the operator is split into characters, and they are separately set with random delays from each other.” These delays can range from 300 to 3,000 milliseconds, closely resembling human typing speed rather than mechanical input, thereby helping the malware evade detection by behavioral analysis tools.
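The evasion works because many behavioral checks only ask whether keystrokes arrive faster than a person could type. The following block, added here as an example and not ThreatFabric's code, runs that naive check and a complementary one over three constructed inter-keystroke timing sequences: bulk injection, Herodotus-style input whose gaps all fall in the 300 to 3,000 ms window the researchers describe, and a real typist. It shows the naive check passing the randomized input, and a second heuristic (an assumption, not something the article states) that flags a long run of keystrokes in which no gap is ever faster than 300 ms, since a real typist produces some quick gaps on familiar key pairs. The thresholds and all timestamps are constructed.

```python
"""Keystroke-timing heuristics for spotting injected text.

Added example, not ThreatFabric's code. The 300-3000 ms window comes
from the article; the machine-speed threshold, the minimum event count
and every timing sequence below are constructed assumptions.
"""
from itertools import accumulate
from statistics import median

DELAY_LO_MS = 300    # lower end of the randomized delay window reported for Herodotus
DELAY_HI_MS = 3000   # upper end of that window
MACHINE_MS = 50      # assumed: a median gap below this is machine-speed injection
MIN_EVENTS = 8       # assumed: minimum gaps before the window check is meaningful


def timestamps_from_gaps(start_ms, gaps_ms):
    """Build absolute key-event timestamps from inter-key gaps (constructed data)."""
    return list(accumulate(gaps_ms, initial=start_ms))


def intervals(timestamps_ms):
    """Inter-keystroke intervals in ms between consecutive key events."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def naive_speed_check(gaps_ms):
    """Classic check: flag input whose median gap is faster than a person can type."""
    return bool(gaps_ms) and median(gaps_ms) < MACHINE_MS


def window_check(gaps_ms):
    """Complementary heuristic (assumed): every gap inside [DELAY_LO_MS, DELAY_HI_MS]
    and none faster than DELAY_LO_MS over a long run is unusual for a real typist
    and matches uniformly randomized per-character delays."""
    if len(gaps_ms) < MIN_EVENTS:
        return False
    return all(DELAY_LO_MS <= g <= DELAY_HI_MS for g in gaps_ms)


def classify(timestamps_ms):
    """Label a sequence of key-event timestamps by which check, if any, it trips."""
    gaps = intervals(timestamps_ms)
    if not gaps:
        return "insufficient"
    if naive_speed_check(gaps):
        return "machine_speed"
    if window_check(gaps):
        return "randomized_delay_suspect"
    return "human_like"


# Constructed gap lists in ms, one per input style.
SCRIPTED_GAPS = [5] * 12                                                    # bulk injection
RANDOMIZED_GAPS = [310, 2900, 1200, 450, 2750, 800, 1500, 2200, 650, 1900]  # Herodotus-style
HUMAN_GAPS = [120, 180, 90, 250, 400, 110, 1500, 140, 200, 95]              # real typist

if __name__ == "__main__":
    for name, gaps in [("scripted", SCRIPTED_GAPS), ("randomized", RANDOMIZED_GAPS), ("human", HUMAN_GAPS)]:
        ts = timestamps_from_gaps(1_000, gaps)
        print(f"{name:10s} naive_flag={naive_speed_check(intervals(ts))!s:5s} -> {classify(ts)}")
```

The randomized sequence passes `naive_speed_check`, which is exactly the outcome the researchers describe; the `window_check` result is a weak signal on its own and would belong alongside other evidence, such as whether the key events originate from an accessibility service rather than a touch screen.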
As of now, Herodotus operates from the domain google-firebasedigital, utilizing seven subdomains. Some of these are associated with the developer and were used for testing purposes, while others are likely employed by different cybercriminals targeting specific regions. In Italy, the malware masqueraded as the application “Banca Sicura,” while in Brazil, it targeted users under the name “Modulo Seguranca Stone.”
