
Herodotus Trojan: New Android Malware Mimics Human Typing to Evade Fraud Detection

Cybersecurity researchers have identified a new Android banking trojan, dubbed 'Herodotus,' that employs sophisticated techniques to bypass anti-fraud systems. The malware performs device takeover (DTO) attacks and, while doing so, paces its injected input like a human typist so that behaviour-based fraud detection is less likely to flag the session. Initially advertised on underground forums in September 2025, Herodotus is sold as malware-as-a-service (MaaS) and supports Android versions 9 through 16.

Key Takeaways

  • Human-like Input: Herodotus introduces random delays between typing actions, simulating natural human behavior to evade timing-based fraud detection.

  • Device Takeover Focus: The trojan aims for comprehensive device control rather than just stealing static credentials.

  • Brokewell Influence: It appears to borrow techniques and code elements from the Brokewell banking trojan.

  • Accessibility Abuse: Herodotus leverages Android's accessibility services to gain control over the device and steal information.

  • Widespread Targeting: Active campaigns have so far been observed in Italy and Brazil, but overlay pages built for institutions in the U.S., Turkey, the U.K., and Poland indicate the operators are expanding their reach.

Sophisticated Evasion Tactics

Herodotus distinguishes itself by humanizing its fraudulent actions: when it performs a remote action such as entering text, it inserts a random delay of 300 to 3000 milliseconds between individual inputs. This deliberate randomization is meant to defeat behaviour-based anti-fraud solutions whose timing rules flag the unnaturally rapid, machine-paced input characteristic of automated scripts.
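To make the evasion concrete, the following Python example contrasts a plain "too fast" timing rule with a shape-based check over inter-keystroke intervals. It is an added illustration, not code from the Herodotus analysis or from any anti-fraud product, and every keystroke timing in it is constructed: a scripted injector with a fixed 5 ms gap, a Herodotus-style injector with delays spread uniformly across 300..3000 ms, and a person typing a familiar string. The thresholds in `classify` are assumptions chosen for the demonstration, not tuned values.

```python
"""Inter-keystroke timing checks: why a plain 'too fast' rule misses
randomised delays, and one distribution-shape feature that does not.

Added illustration, not code from the Herodotus analysis or from any
anti-fraud product. All keystroke timings below are constructed."""
import statistics

# Constructed inter-key intervals in milliseconds (time between successive
# key events while a field is typed).

# A plain automation script: a fixed 5 ms between injected characters.
SCRIPT_MS = [5] * 20

# A Herodotus-style injector: each delay drawn uniformly from 300..3000 ms
# (values hand-picked to spread flat across that range).
RANDOMISED_MS = [312, 2740, 1480, 905, 2210, 640, 1995, 1150, 2980, 455,
                 1720, 2455, 830, 2630, 1310, 380, 2095, 1600, 720, 2870]

# A person typing a familiar string: most intervals cluster at 85..230 ms
# with a few long pauses (reaching for a symbol, glancing at the screen).
HUMAN_MS = [140, 95, 210, 120, 180, 85, 640, 130, 160, 110,
            320, 145, 90, 200, 175, 1250, 125, 150, 100, 230]


def too_fast(intervals, min_median_ms=80):
    """The rule the malware is built to beat: flag input whose median
    inter-key interval is below what a human can sustain."""
    return statistics.median(intervals) < min_median_ms


def ks_distance_to_uniform(intervals):
    """Kolmogorov-Smirnov distance between the sample and a uniform
    distribution on [min, max] of the sample. Near 0 means the intervals
    are spread flat, which is exactly what rand(lo, hi) produces."""
    lo, hi = min(intervals), max(intervals)
    if hi == lo:
        return 1.0  # every interval identical: nothing like a uniform draw
    xs = sorted(intervals)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        f = (x - lo) / (hi - lo)  # uniform CDF at x
        d = max(d, abs((i + 1) / n - f), abs(i / n - f))
    return d


def timing_features(intervals):
    """Features a fraud engine could derive from one typed field."""
    return {
        "median_ms": statistics.median(intervals),
        "min_ms": min(intervals),
        "range_ms": max(intervals) - min(intervals),
        "ks_uniform": ks_distance_to_uniform(intervals),
    }


def classify(intervals, floor_ms=250, spread_ms=1000, ks_max=0.2):
    """Illustrative decision; thresholds are assumptions, not tuned values.

    'automated-fast'       : caught by the naive speed rule.
    'automated-randomised' : never faster than a hard floor, yet spread
                             flat over a wide range, i.e. looks like a
                             random delay generator rather than a typist.
    'human-like'           : otherwise.
    """
    f = timing_features(intervals)
    if too_fast(intervals):
        return "automated-fast"
    if (f["min_ms"] >= floor_ms and f["range_ms"] >= spread_ms
            and f["ks_uniform"] <= ks_max):
        return "automated-randomised"
    return "human-like"


if __name__ == "__main__":
    for name, iv in (("script", SCRIPT_MS), ("randomised", RANDOMISED_MS),
                     ("human", HUMAN_MS)):
        print(f"{name:10s} too_fast={too_fast(iv)!s:5s} "
              f"{classify(iv):21s} {timing_features(iv)}")
```

The naive median-speed rule flags only the fixed-gap script: the randomised stream has a median interval above 1.5 s, comfortably inside the human range, which is the whole point of the 300..3000 ms jitter. The randomisation does, however, leave its own signature on these constructed inputs: no interval ever drops below the hard floor, and the intervals are spread almost flat between floor and ceiling, whereas a typist's intervals cluster tightly at short values with a sparse tail. A production engine would still need per-user baselines, digraph-specific timing and non-timing signals (an accessibility service driving the input, an overlay window on top of the banking app) before acting on such a feature; the example only shows why a flat speed threshold is not enough on its own.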

Distribution and Capabilities

The trojan is distributed through dropper applications disguised as Google Chrome, spread via SMS phishing and other social engineering lures. Once installed, Herodotus abuses Android's accessibility services to read and interact with whatever is on screen. It can draw opaque overlay screens to hide its activity from the victim, present fake login pages that capture credentials for financial applications, and intercept two-factor authentication (2FA) codes delivered by SMS. It can also capture screen content, obtain the permissions it needs, steal the lock screen PIN or pattern, and fetch and install additional APKs from its operators.

Expanding Threat Landscape

While Herodotus is not a direct evolution of the Brokewell banking trojan, it shares notable similarities in its obfuscation techniques and even contains direct references to Brokewell in its code. Researchers have also uncovered overlay pages used by Herodotus against financial institutions and cryptocurrency platforms in several countries, including the U.S., Turkey, the U.K., and Poland. This indicates that the threat actors behind Herodotus are actively broadening their operational scope to a wider range of financial services.

Sources

  • New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human, The Hacker News.
