Herodotus Android Trojan Evades Detection by Mimicking Human Behavior in Global Banking Scam

Herodotus: The Android Trojan That Mimics Human Behavior to Evade Detection

Cybersecurity experts have recently identified a sophisticated Android banking Trojan named Herodotus, actively targeting users in Italy and Brazil through device takeover (DTO) attacks. This malware distinguishes itself by emulating human-like behavior to circumvent behavioral biometric detection systems.

First advertised on underground forums on September 7, 2025, Herodotus operates under a malware-as-a-service (MaaS) model, compatible with Android versions 9 through 16. While not a direct successor to the Brokewell banking malware, Herodotus incorporates similar obfuscation techniques and even references Brokewell within its codebase, such as the identifier BRKWL_JAVA.

The Trojan primarily abuses Android’s accessibility services to achieve its objectives. It is disseminated via dropper applications that masquerade as legitimate apps like Google Chrome (using the package name com.cd3.app), often delivered through SMS phishing campaigns or other social engineering tactics. Once installed, Herodotus leverages accessibility features to interact with the device’s screen, display opaque overlay screens that hide its activity from the user, and steal credentials by presenting fake login screens over legitimate financial applications.

Beyond credential theft, Herodotus possesses capabilities to intercept two-factor authentication (2FA) codes sent via SMS, monitor all on-screen content, grant itself additional permissions, capture lock screen PINs or patterns, and install remote APK files.

A notable feature of Herodotus is its ability to mimic human behavior to evade detection mechanisms that rely on timing analysis. The malware introduces random delays ranging from 300 to 3,000 milliseconds (0.3 to 3 seconds) when performing remote actions like typing text. This randomization aligns with typical human typing patterns, making it challenging for behavior-based anti-fraud systems to identify the activity as machine-generated.
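To make the evasion described above concrete from the defender's side, here is an added example (not code from the article or from ThreatFabric's analysis) of a naive timing-based check of the kind the paragraph refers to. It flags automation whose inter-keystroke intervals are nearly constant or impossibly fast, then shows that intervals jittered uniformly across the 300 to 3,000 ms window the article reports pass the same check. All sample intervals are constructed inline; the threshold values and helper names are illustrative assumptions, not anything the article states.

```python
import random
import statistics

# Assumed, illustrative thresholds for a naive timing-only detector.
MIN_CV = 0.2          # coefficient of variation below this looks like a fixed cadence
MIN_MEAN_MS = 150.0   # average interval below this is faster than realistic typing


def interval_stats(intervals_ms):
    """Return mean, population stdev and coefficient of variation of the intervals."""
    mean = statistics.mean(intervals_ms)
    stdev = statistics.pstdev(intervals_ms)
    cv = stdev / mean if mean else 0.0
    return {"mean": mean, "stdev": stdev, "cv": cv}


def looks_machine_generated(intervals_ms, min_cv=MIN_CV, min_mean_ms=MIN_MEAN_MS):
    """Naive timing analysis: flag near-constant cadence or unrealistically fast input."""
    s = interval_stats(intervals_ms)
    return s["cv"] < min_cv or s["mean"] < min_mean_ms


def fixed_cadence(n, period_ms=50.0):
    """Constructed sample: automation that injects keystrokes at a fixed 50 ms period."""
    return [period_ms] * n


def jittered(n, lo_ms=300.0, hi_ms=3000.0, seed=1):
    """Constructed sample: automation that sleeps a uniform random 300-3000 ms per action."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    return [rng.uniform(lo_ms, hi_ms) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("fixed cadence", fixed_cadence(40)),
                          ("jittered 300-3000 ms", jittered(40))):
        s = interval_stats(sample)
        verdict = "FLAGGED" if looks_machine_generated(sample) else "passes"
        print(f"{label:22s} mean={s['mean']:7.1f} ms cv={s['cv']:.2f} -> {verdict}")
```

The fixed-cadence sample is caught immediately (its coefficient of variation is zero), while the jittered sample has a mean around 1.6 s and a spread wide enough to clear both thresholds. That is the gap the article describes: a detector that only reasons about timing can be satisfied by randomized delays, so behaviour-based anti-fraud controls need additional signals beyond inter-event timing.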

ThreatFabric, the Dutch security firm that analyzed Herodotus, also discovered overlay pages used by the Trojan targeting financial institutions in the United States, Turkey, the United Kingdom, and Poland, as well as cryptocurrency wallets and exchanges. This indicates that the operators behind Herodotus are actively expanding their reach.

The malware is under continuous development, incorporating techniques previously associated with the Brokewell banking Trojan. It appears specifically designed to maintain persistence within active sessions, focusing on account takeovers rather than merely stealing static credentials.