New Android Trojan ‘Herodotus’: Mimicking Human Behavior to Evade Fraud Detection Systems

New Android Trojan 'Herodotus' Mimics Human Typing to Bypass Anti-Fraud Systems
Cybersecurity researchers have discovered a sophisticated Android banking trojan named "Herodotus" that evades detection by mimicking human typing patterns, actively targeting financial institutions in Italy and Brazil through device takeover attacks.
The malware, first advertised on underground forums in September 2025, operates under a malware-as-a-service (MaaS) model and works on Android versions 9 through 16. ThreatFabric researchers, who disclosed the findings, note that Herodotus appears to borrow techniques from the Brokewell banking trojan while introducing advanced evasion methods designed to defeat behavioral biometrics systems.
Sophisticated human-like behavior to evade detection
Herodotus stands apart from other Android malware through its deliberate attempt to humanize fraudulent activities. When remotely controlling infected devices, the trojan inserts a random delay of between 300 and 3,000 milliseconds between keystrokes when typing text, so that the input rate resembles natural human typing rather than machine-speed automation.
"By consciously delaying the input by random intervals, actors are likely trying to avoid being detected by behaviour-only anti-fraud solutions spotting machine-like speed of text input," ThreatFabric explained in their report shared with The Hacker News.
This behavioral mimicry represents a concerning evolution in malware design, as traditional anti-fraud systems often rely on identifying non-human interaction patterns to flag suspicious activities. By replicating natural typing rhythms, Herodotus can potentially remain undetected during active fraud sessions.
The trojan spreads through dropper applications disguised as Google Chrome (using the package name "com.cd3.app"), typically delivered via SMS phishing or other social engineering tactics. Once installed, it abuses Android's accessibility services to interact with the screen, display fake overlay screens on top of legitimate banking apps, and steal credentials.
Beyond basic credential theft, Herodotus possesses an extensive arsenal of capabilities:
- Intercepting two-factor authentication codes sent via SMS
- Capturing everything displayed on the screen
- Granting itself additional permissions as needed
- Stealing lock screen PINs or patterns
- Installing remote APK files
According to ThreatFabric, while the campaign initially focused on Italy and Brazil, the researchers discovered overlay pages targeting financial organizations in the United States, Turkey, the United Kingdom, and Poland, along with cryptocurrency wallets and exchanges. This suggests the operators are actively expanding their operations globally.
Herodotus is one of the most sophisticated banking malware variants currently circulating in the cybercrime ecosystem, and it demonstrates how threat actors continue to evolve their tactics.
Emerging trends in mobile malware
The discovery of Herodotus coincides with CYFIRMA's report on another sophisticated Android threat called GhostGrab that targets users in India. This malware creates a "dual-revenue stream" for attackers by harvesting banking credentials while simultaneously mining Monero cryptocurrency on infected devices.
GhostGrab impersonates financial applications and requests high-risk permissions to enable call forwarding, steal SMS data, and present fake KYC forms that collect sensitive personal information including card details, ATM PINs, and government ID numbers.
"GhostGrab functions as a hybrid threat, combining covert cryptocurrency mining operations with comprehensive data exfiltration capabilities," CYFIRMA stated in their analysis.
These emerging threats highlight the growing sophistication of mobile malware, particularly those targeting financial institutions and their customers. The ability to mimic human behavior and create multiple revenue streams demonstrates how threat actors continue to refine their techniques to maximize profits while evading detection.
Technical evolution of banking trojans
Banking trojans have significantly evolved from simple credential stealers to complex, multi-layered threats. Modern variants like Herodotus incorporate advanced evasion techniques, including:
- Behavioral mimicry: Simulating human-like interactions to bypass biometric security
- Anti-analysis features: Detecting when they're being examined in security sandboxes
- Modular architecture: Loading additional malicious components only when needed
- Advanced persistence mechanisms: Ensuring they remain on infected devices
This technical sophistication underscores why robust cybersecurity practices are critical for both individuals and organizations, especially when handling financial information online.
Protecting against advanced mobile threats
Google has responded to the Herodotus threat, assuring users that protection measures are in place. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," a Google spokesperson stated. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
Despite these protections, users should follow these security practices:
- Only download apps from official app stores like Google Play
- Verify app permissions before installation and be suspicious of apps requesting accessibility services
- Keep devices updated with the latest security patches
- Use multi-factor authentication when available
- Install mobile security solutions from reputable providers
Financial institutions are advised to implement advanced fraud detection systems that can identify sophisticated behavioral mimicry and collaborate with cybersecurity firms to stay informed about emerging threats.
For businesses in the financial sector, these developments signal the need for enhanced customer education programs and improved backend security systems capable of detecting account takeover attempts, even when they closely mimic legitimate user behavior.
The emergence of Herodotus and similar malware demonstrates how the cat-and-mouse game between security professionals and malicious actors continues to evolve, with each side developing increasingly sophisticated tools and techniques.
Recommended defensive strategies
Organizations should consider implementing layered defense strategies that go beyond traditional security measures. This includes:
- Behavioral analysis systems that can detect subtle anomalies in user interaction patterns
- Continuous authentication mechanisms that verify identity throughout a session, not just at login
- Real-time fraud monitoring with machine learning capabilities to identify emerging attack patterns
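The keystroke-delay evasion described under "Sophisticated human-like behavior" and the behavioral-analysis recommendation in the list above, as an added Python illustration that is not from the article, ThreatFabric, or any vendor product: a speed-only rule that the 300-3,000 ms random delays defeat, beside a rule that scores the shape of the inter-keystroke timing distribution instead. All samples and thresholds are constructed assumptions for illustration.

```python
import random
import statistics

# Constructed sample: a short credential typed by a person on a phone,
# with several fast intervals under 300 ms and one longer pause (ms).
HUMAN_INTERVALS = [180, 240, 95, 310, 140, 870, 205, 160, 120, 260]

# Constructed sample of the behaviour the article describes: every
# keystroke separated by a random 300-3000 ms delay.
BOT_INTERVALS = [1240, 2870, 415, 1960, 330, 2205, 1588, 740, 2990, 1102]


def random_delay_intervals(n, seed=1):
    """Simulate the article's evasion: uniform random delays in [300, 3000] ms.
    Test-data generator for the rules below, not code from the malware."""
    rng = random.Random(seed)
    return [rng.randint(300, 3000) for _ in range(n)]


def speed_only_check(intervals, max_chars_per_sec=8.0):
    """Naive rule: flag text entered faster than a person plausibly types.
    Threshold is an illustrative assumption. Delays of 300 ms or more keep
    the rate under 3.4 chars/s, so this rule never fires on them."""
    return 1000.0 / statistics.mean(intervals) > max_chars_per_sec


def timing_features(intervals):
    """Shape-of-distribution features a behavioural engine could score."""
    return {
        "min_ms": min(intervals),
        "max_ms": max(intervals),
        "mean_ms": statistics.mean(intervals),
        "frac_below_300ms": sum(x < 300 for x in intervals) / len(intervals),
    }


def anomaly_score(intervals):
    """Score 0..3; each flagged feature adds one point. Thresholds are
    illustrative assumptions, not vendor values:
    - a hard floor with no interval under 300 ms (people often type faster)
    - a mean interval above 1 s for a credential the user knows by heart
    - a pause longer than 2 s in the middle of the entry"""
    f = timing_features(intervals)
    score = 0
    if f["frac_below_300ms"] == 0:
        score += 1
    if f["mean_ms"] > 1000:
        score += 1
    if f["max_ms"] > 2000:
        score += 1
    return score
```

Run on the constructed samples, the speed-only rule clears both the human and the delayed input, while the shape-based score separates them; in production such a score would be one signal among many, not a verdict on its own.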
Individuals should regularly review their bank statements for unauthorized transactions and consider using dedicated anti-malware solutions designed to combat sophisticated threats on their mobile devices.
According to CISA's mobile security guidelines, maintaining separate devices for sensitive financial transactions can provide an additional layer of protection against these advanced banking trojans.