Cyber Web Spider Blog – News

New Android Trojan ‘Herodotus’ Outsmarts Anti-Fraud Systems by Typing Like a Human

Posted on October 28, 2025 By CWS

Oct 28, 2025Ravie LakshmananMalware / Cell Safety
Cybersecurity researchers have disclosed particulars of a brand new Android banking trojan referred to as Herodotus that has been noticed in lively campaigns concentrating on Italy and Brazil to conduct gadget takeover (DTO) assaults.
“Herodotus is designed to carry out gadget takeover whereas making first makes an attempt to imitate human behaviour and bypass behaviour biometrics detection,” ThreatFabric stated in a report shared with The Hacker Information.
The Dutch safety firm stated the Trojan was first marketed in underground boards on September 7, 2025, as a part of the malware-as-a-service (MaaS) mannequin, touting its skill to run on units operating Android model 9 to 16.

It is assessed that while the malware is not a direct evolution of another banking malware known as Brokewell, it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., “BRKWL_JAVA”).

Herodotus is also the latest in a long list of Android malware to abuse accessibility services to achieve its goals. Distributed via dropper apps masquerading as Google Chrome (package name “com.cd3.app”) through SMS phishing or other social engineering ploys, the malware leverages the accessibility feature to interact with the screen, serve opaque overlay screens to hide malicious activity, and conduct credential theft by displaying bogus login screens atop financial apps.
Moreover, it can also steal two-factor authentication (2FA) codes sent via SMS, intercept everything that is displayed on the screen, grant itself extra permissions as required, capture the lockscreen PIN or pattern, and install remote APK files.

But where the new malware stands out is in its ability to humanize fraud and evade timing-based detections. Specifically, this includes an option to introduce random delays when initiating remote actions such as typing text on the device. This, ThreatFabric said, is an attempt by the threat actors to make it appear that the input is being entered by an actual user.

“The delay specified is in the range of 300 – 3000 milliseconds (0,3 – 3 seconds),” it explained. “Such a randomization of delay between text input events does align with how a user would enter text. By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions recognizing machine-like speed of text input.”
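
The timing evasion described above can be seen from the defender's side in this added example, which is not code from ThreatFabric or the original article. It runs a speed-only rule and a bounded-delay rule over constructed inter-keystroke gaps; the function names, the 50 ms speed threshold, the 20-event minimum and the sample sessions are all assumptions made for illustration.

```python
import random
from statistics import median

# Delay bounds reported for Herodotus' randomized text input (from the article).
DELAY_MIN_MS, DELAY_MAX_MS = 300, 3000

def naive_speed_flag(intervals_ms, machine_max_ms=50):
    """Speed-only rule: flag input whose median gap is machine-fast.
    The 50 ms threshold is an assumed value for illustration."""
    return median(intervals_ms) < machine_max_ms

def bounded_delay_flag(intervals_ms, min_events=20):
    """Flag a long run of text-input events in which every gap sits inside
    the reported 300-3000 ms window and none is shorter.
    Assumption: genuine typing of this length contains some shorter gaps."""
    if len(intervals_ms) < min_events:
        return False  # too little evidence to decide
    return all(DELAY_MIN_MS <= g <= DELAY_MAX_MS for g in intervals_ms)

def sample_sessions():
    """Constructed inter-keystroke gaps in milliseconds; not captured data."""
    rng = random.Random(7)
    return {
        # Fixed, machine-fast gaps: what a speed-only rule is built to catch.
        "scripted": [8] * 30,
        # Gaps drawn at random from the reported window.
        "delayed": [rng.randint(DELAY_MIN_MS, DELAY_MAX_MS) for _ in range(30)],
        # Mostly short gaps with occasional long pauses.
        "human": [210, 180, 240, 150, 900, 170, 260, 130, 1400, 220,
                  190, 310, 160, 2100, 230, 175, 280, 145, 650, 200,
                  185, 250, 140, 1200, 215],
    }

def evaluate():
    """Return {session: (speed_rule_hit, bounded_delay_rule_hit)}."""
    return {name: (naive_speed_flag(gaps), bounded_delay_flag(gaps))
            for name, gaps in sample_sessions().items()}

if __name__ == "__main__":
    for name, (speed, bounded) in evaluate().items():
        print(f"{name:9s} speed_rule={speed} bounded_delay_rule={bounded}")
```

The speed-only rule misses the delayed session, which is the gap the quoted passage describes. The bounded-delay rule is a heuristic that a slow typist could also trip, so it belongs alongside other session signals rather than in place of them.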
ThreatFabric said it also obtained overlay pages used by Herodotus targeting financial organisations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges, indicating that the operators are attempting to actively expand their horizons.
“It is under active development, borrows techniques long associated with the Brokewell banking Trojan, and appears purpose-built to persist inside live sessions rather than merely steal static credentials and focus on account takeover,” the company noted.
