New banking malware Herodotus also arrives in Italy and attacks current accounts: how to defend yourself

Android users in Italy (and Brazil) have a new cyber enemy to watch out for: Herodotus, a banking malware capable of taking full control of infected devices and stealing money from online accounts. This trojan, developed by an author known as K1R0 and discovered by experts at ThreatFabric, stands out for its ability to imitate human behavior during remote control sessions, making it more difficult for anti-fraud systems to detect. It spreads via deceptive SMS messages that invite users to install a seemingly legitimate app; in Italy, the malware masqueraded as “Banca Sicura”. Once installed, Herodotus uses Android Accessibility Services to read screen contents and overlay fake screens on top of legitimate banking apps, thus collecting temporary credentials and passcodes with which to bypass two-factor authentication.

What makes it particularly insidious is the randomization of typing times during data entry: it simulates the pressing of individual keys with pauses of 0.3 to 3 seconds between them, just as a real person would. This measure reduces the probability that anti-fraud systems based on behavioral analysis will recognize the activity as automated and, therefore, potentially illegitimate. The malware communicates with its command-and-control servers via the MQTT protocol and can be distributed as Malware-as-a-Service, i.e. as a service that can be rented by other cyber criminals, which extends the malware’s range of action. To protect yourself, it is essential to avoid installing apps from unofficial sources, to avoid opening suspicious links received via SMS, and to keep your Android system updated along with reliable security tools.

How Herodotus banking malware works and what you risk

Looking more closely, Herodotus follows the pattern of modern Android banking trojans: it takes control of the infected device through the accessibility features, allowing the remote operator to perform actions on the screen such as tapping elements, scrolling pages or entering text. When the victim opens the banking app, Herodotus overlays a fake screen that replicates the real interface, tricking the user into providing temporary credentials and codes. The malware also intercepts incoming SMS messages to acquire temporary two-factor authentication codes and records what appears on the screen.

The distinctive aspect of Herodotus is the way in which it “humanizes” data entry: instead of pasting all the information into a field at the same time, it simulates typing character by character at random intervals, trying to confuse anti-fraud systems that monitor the speed and sequences of keyboard inputs. This technique increases the chances of successful thefts, while remaining recognizable by advanced behavioral analysis tools. Herodotus can also display semi-transparent overlays over infected apps to hide fraudulent operations from the victim, protecting the remote operator from possible user intervention.
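To make the point of the previous two paragraphs concrete from the anti-fraud side, here is an added example (not code from the article or from ThreatFabric) that runs two timing heuristics over constructed keystroke telemetry: a legacy speed-only check, which the 0.3-3 s randomized delays pass, and a shape-based check (an assumption of this example, not a published vendor rule) that still separates them from bursty human typing. The timestamps, thresholds and function names are all constructed for illustration.

```python
"""Two anti-fraud timing heuristics run over constructed keystroke telemetry.

Shows why randomized 0.3-3 s inter-key delays defeat a speed-only check, and
one shape-based check (an assumption here, not a vendor rule) that still flags
them as scripted input.
"""
import statistics

# Constructed keystroke timestamps (ms) for an 11-character field; not real data.
HUMAN_TS = [0, 180, 275, 415, 1035, 1145, 1275, 1363, 1573, 1748, 1898, 2018]
PASTE_TS = [5000] * 12                      # whole string injected at once
RANDOMIZED_TS = [0, 2710, 3190, 5120, 5470, 7710, 8830, 11700,
                 12340, 13900, 15930, 16840]  # every gap drawn from 300-3000 ms


def intervals(timestamps_ms):
    """Inter-keystroke gaps in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def naive_speed_check(timestamps_ms, min_gap_ms=40):
    """Legacy automation heuristic: flag any gap faster than a human can type."""
    return any(gap < min_gap_ms for gap in intervals(timestamps_ms))


def randomized_injection_check(timestamps_ms, short_gap_ms=300, min_cv=0.4):
    """Illustrative shape heuristic (assumption): real password entry is bursty,
    so most gaps are short; a field where no gap is under 300 ms yet the gaps
    vary widely looks like a scripted sleep(random(0.3, 3.0)) between keys."""
    gaps = intervals(timestamps_ms)
    if len(gaps) < 5 or min(gaps) < short_gap_ms:
        return False
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # relative spread
    return cv >= min_cv


def classify(timestamps_ms):
    """Combine both checks into a single verdict for the session log."""
    if naive_speed_check(timestamps_ms):
        return "automated: instant injection"
    if randomized_injection_check(timestamps_ms):
        return "automated: randomized injection"
    return "human-like"


if __name__ == "__main__":
    for name, ts in (("human", HUMAN_TS), ("paste", PASTE_TS),
                     ("randomized", RANDOMIZED_TS)):
        print(f"{name:11s} speed_check={naive_speed_check(ts)!s:5s} "
              f"verdict={classify(ts)}")
```

A very slow, deliberate typist could also trip the shape check, which is the usual false-positive trade-off of such heuristics and one reason the report says the technique bypasses only "some" behavioral biometrics.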

Herodotus is distributed via smishing, i.e. SMS with malicious links that lead to a “dropper”, software that downloads and installs the actual malware. This dropper, written by the same developer, is designed to bypass the restrictions of Android 13+ and to guide the victim in enabling the accessibility service necessary for the trojan to function.

Herodotus also integrates technical solutions already known from the Brokewell banking malware, such as the encryption of strings stored in native code and decrypted at runtime, making the malware more difficult to detect and analyze. While it shares some similarities with Brokewell, the cyber experts at ThreatFabric, who discovered Herodotus, explained in their report:

(Herodotus) is under active development, borrows techniques long associated with the Brokewell banking trojan, and appears to have been specifically designed to persist within live sessions rather than simply steal static credentials and focus on Account Takeover. One distinctive capability, randomizing time intervals between text inputs, likely aims to mimic human behavior accurately enough to bypass bot and automation detection, session heuristics, and some behavioral biometrics.

How to defend yourself from Herodotus banking malware

Given the danger of this new cyber threat, it is essential to follow some simple yet effective defensive measures, such as those listed below:

  • Do not install applications from unofficial sources; limit downloads to the Google Play Store.
  • Do not open suspicious links received via SMS, instant messaging, email, etc.
  • Promptly install system updates, as well as available updates for the apps installed on your device and for the security software in use, thus reducing the attack surface and the chance of infection by sophisticated malware such as Herodotus.