Security researchers have uncovered a new Android banking trojan, named Herodotus, which is being used in active campaigns targeting users in Italy and Brazil. The malware aims for device takeover, or DTO, and stands out because it deliberately mimics human typing patterns to evade timing-based, behaviour-only anti-fraud systems.

What Herodotus is, and where it came from
Herodotus was first promoted on underground forums on September 7, 2025, as a malware-as-a-service offering that supports Android versions 9 through 16. While it is not a direct successor to the Brokewell banking trojan, Herodotus borrows several techniques from older strains, including similar obfuscation methods, and contains references such as BRKWL_JAVA in its code.
How the malware works, technical highlights
The operators distribute Herodotus using dropper apps that impersonate legitimate apps, for example, a fake Google Chrome package named com.cd3.app. These droppers are pushed via SMS phishing and social engineering, and once installed, they request a set of high-risk permissions, including the ability to install additional APKs without using the Google Play Store.
Key capabilities include the following,
- abusing Android accessibility services to interact with the screen,
- deploying opaque overlay pages to present fake login screens over real banking apps,
- intercepting and exfiltrating screen content, SMS messages, and two-factor authentication codes,
- extracting lockscreen PINs or patterns, and installing remote payloads,
- granting itself the elevated permissions it needs to persist and act inside live sessions.

The human-like typing trick, and why it matters
Herodotus introduces randomized delays between simulated keystrokes, ranging from 300 to 3000 milliseconds (0.3 to 3 seconds). This timing randomization imitates how a real user types, reducing the likelihood that behaviour-only anti-fraud systems will flag the input as automated. By adding these human-like pauses, threat actors try to blend malicious actions into normal user behaviour, making detection significantly harder for defenses that rely on input timing and rhythm.
Broader targeting and ongoing development
Threat actors behind Herodotus appear to be expanding targets beyond Italy and Brazil. Researchers recovered overlay templates aimed at financial organisations in the United States, Turkey, the United Kingdom, and Poland, and also at cryptocurrency wallets and exchanges. The malware is under active development, and its operators appear focused on maintaining persistence during live sessions, rather than limiting themselves to stealing static credentials.
Related threats, context from recent activity
Other Android threats continue to evolve, for example, GhostGrab, which combines credential harvesting with covert Monero mining, giving attackers a dual-revenue model. Like Herodotus, GhostGrab abuses permissions and social engineering to infiltrate devices, illustrating a broader trend in which mobile malware combines financial theft with additional monetisation techniques.
Risks to users and organisations
Herodotus poses several risks, including,
- account takeover, via stolen credentials and intercepted OTPs,
- fraud and unauthorised transactions, including on banking and crypto accounts,
- identity theft, through collection of personal data and forged WebView KYC forms,
- persistent device compromise, due to aggressive permission escalation and remote APK installs.
Practical mitigation recommendations, for individuals and defenders
For individuals, consider these steps,
- avoid opening SMS links from unknown senders, verify links directly with the institution,
- install apps only from trusted stores, and scrutinise permissions that request package installation rights,
- disable unnecessary accessibility permissions, and review apps that have those permissions enabled,
- enable device-level protections, such as Play Protect, and use strong, unique passwords with hardware security keys where available.
For organisations and security teams, consider the following,
- incorporate multi-factor signals beyond behaviour-only timing into fraud detection (for example, device posture, geolocation, and session consistency),
- monitor for overlay and WebView abuse indicators, and instrument apps to detect foreground overlays,
- educate customers about phishing droppers masquerading as legitimate apps, and provide clear guidance on safe app installation practices,
- apply runtime protections, hardening, and tamper detection within mobile apps to reduce the effectiveness of automated overlays.
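The typing-delay trick described earlier (randomised 300 to 3000 millisecond pauses) and the recommendation to combine signals beyond timing, as an added example that is not part of the original article and not the code of any anti-fraud product: a small Python risk scorer that shows why a speed-and-regularity check alone passes jittered input, and how layering device posture, accessibility-service state, obscured-touch (overlay) reports and session consistency still surfaces the session. The thresholds, weights, signal names and sample keystroke intervals are all constructed assumptions for illustration.

```python
"""Added example (not from the article): timing-only vs multi-signal fraud scoring.
All thresholds, weights, signal names and sample intervals are assumptions."""
import statistics
from dataclasses import dataclass

# Constructed sample data: inter-keystroke intervals in milliseconds.
HUMAN_PIN_INTERVALS = [180, 240, 210, 620, 190]          # plausible human PIN entry
ROBOTIC_INTERVALS = [50, 50, 50, 50, 50]                  # metronome-fast automation
JITTERED_INTERVALS = [412, 2780, 1530, 2210, 960, 1875]   # uniform 300-3000 ms jitter


def timing_only_flag(intervals_ms, max_mean_ms=150.0, min_cv=0.15):
    """Classic behaviour-only check: flag input that is superhumanly fast or
    metronome-regular. Both thresholds are assumed values for illustration."""
    if len(intervals_ms) < 2:
        return False
    mean = statistics.mean(intervals_ms)
    cv = statistics.pstdev(intervals_ms) / mean if mean else 0.0  # coefficient of variation
    return mean < max_mean_ms or cv < min_cv


def timing_features(intervals_ms):
    """Distributional features rather than raw speed. Heuristic assumption: genuine
    entry of a short, known field is dominated by sub-second pauses, whereas input
    jittered uniformly over 300-3000 ms spreads evenly across that whole range."""
    mean = statistics.mean(intervals_ms)
    cv = statistics.pstdev(intervals_ms) / mean if mean else 0.0
    long_fraction = sum(1 for i in intervals_ms if i > 1000) / len(intervals_ms)
    return {"mean_ms": mean, "cv": cv, "long_fraction": long_fraction}


@dataclass
class Session:
    """Signals a banking app or backend could attach to one login/transaction.
    The field names are assumptions; how each is collected is product-specific."""
    intervals_ms: list
    accessibility_service_active: bool = False  # non-OEM accessibility service enabled
    overlay_obscured_touches: bool = False      # app received touches flagged as obscured
    unknown_sources_enabled: bool = False       # device posture: sideloading allowed
    geo_mismatch: bool = False                  # location inconsistent with user history
    new_device: bool = False                    # device fingerprint unseen for this user


# Assumed weights: strongest for signals that match the overlay/accessibility tradecraft.
SIGNAL_WEIGHTS = (
    ("accessibility_service_active", 3),
    ("overlay_obscured_touches", 3),
    ("unknown_sources_enabled", 1),
    ("geo_mismatch", 1),
    ("new_device", 1),
)


def multi_signal_score(session):
    """Combine timing with device and session signals; returns (score, reasons)."""
    score, reasons = 0, []
    if timing_only_flag(session.intervals_ms):
        score += 2
        reasons.append("robotic_timing")
    if timing_features(session.intervals_ms)["long_fraction"] > 0.5:
        score += 1
        reasons.append("uniform_jitter")
    for name, weight in SIGNAL_WEIGHTS:
        if getattr(session, name):
            score += weight
            reasons.append(name)
    return score, reasons


def decision(score, step_up_at=3, block_at=6):
    """Map a score to an action; the cut-offs are assumed, not industry values."""
    if score >= block_at:
        return "block"
    if score >= step_up_at:
        return "step_up"  # e.g. out-of-band confirmation on a trusted channel
    return "allow"


if __name__ == "__main__":
    jittered = Session(JITTERED_INTERVALS, accessibility_service_active=True,
                       overlay_obscured_touches=True, unknown_sources_enabled=True)
    print("timing-only flags jittered input:", timing_only_flag(JITTERED_INTERVALS))
    score, reasons = multi_signal_score(jittered)
    print("multi-signal:", score, reasons, "->", decision(score))
```

Running the block shows the contrast the article describes: the jittered session passes the timing-only check, yet the combined score lands it in the block band because the accessibility-service and obscured-touch signals carry most of the weight, while the constructed human session scores zero and is allowed.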