New banking malware Herodotus also arrives in Italy and attacks current accounts: how to defend yourself

Android users in Italy (and in Brazil) have a new cyber enemy to watch out for: Herodotus, a banking malware capable of taking full control of infected devices and stealing money from online accounts. This trojan, developed by an author known as K1R0 and discovered by the experts at ThreatFabric, stands out for its ability to imitate human behavior during remote-control sessions, making it harder for anti-fraud systems to detect. It spreads via deceptive SMS messages that invite users to install a seemingly legitimate app; in Italy the malware masqueraded as "Safe Bank". Once installed, Herodotus abuses Android Accessibility Services to read screen contents and draw fake screens over legitimate banking apps, collecting credentials and one-time passcodes with which to bypass two-factor authentication.

What makes it particularly insidious is the randomization of typing times during data entry: it simulates pressing individual keys, just as a real person would, with pauses of 0.3 to 3 seconds between them. This reduces the probability that anti-fraud systems based on behavioral analysis will recognize the activity as automated and therefore potentially illegitimate. The malware communicates with its command-and-control servers over the MQTT protocol and can be distributed as Malware-as-a-Service, i.e. rented out to other cybercriminals, which widens its reach. To protect yourself, it is essential to avoid installing apps from unofficial sources, not to open suspicious links received via SMS, and to keep Android updated along with reliable security tools.

How Herodotus banking malware works and what you risk

Looking deeper, Herodotus follows the pattern of modern Android banking trojans: it takes control of the infected device through the accessibility features, allowing a remote operator to perform on-screen actions such as tapping items, scrolling pages or entering text. When the victim opens the banking app, Herodotus overlays a fake screen that replicates the real interface, tricking the user into entering credentials and one-time codes. The malware also intercepts incoming SMS to capture the temporary codes used for two-factor authentication, and records what appears on the screen.

The distinctive aspect of Herodotus is the way it "humanizes" data entry: instead of pasting all the information into a field at once, it simulates typing character by character at random intervals, trying to confuse anti-fraud systems that monitor the speed and sequence of keyboard inputs. This technique raises the chances of a successful theft, although the activity remains recognizable to more advanced behavioral-analysis tools. Herodotus can also display semi-transparent overlays on top of the targeted apps to hide the fraudulent operations from the victim, shielding the remote operator from the user's intervention.
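As an added illustration (not code from ThreatFabric, from the article, or from the malware itself), the following Python snippet contrasts a constructed human keystroke trace with a trace built the way the article describes Herodotus typing, uniformly random 0.3 to 3 s gaps between characters, and applies two simple statistics that still separate them: real typing contains many sub-300 ms gaps, and a 16-character entry does not take half a minute. The thresholds, the log-normal human-typing model and the seeded sample traces are assumptions made for the example.

```python
import random
import statistics

# Assumed thresholds for this example: real typists produce many sub-300 ms
# gaps, and averaging more than a second per character is not human typing.
FAST_GAP_MS = 300.0
FAST_FRACTION_FLOOR = 0.3
MEAN_CEILING_MS = 1000.0
MIN_INTERVALS = 5


def herodotus_like_intervals(n_chars, rng):
    """Gaps a Herodotus-style input routine would produce, per the article:
    one character at a time, uniformly random 300 ms to 3000 ms apart."""
    return [rng.uniform(300.0, 3000.0) for _ in range(n_chars - 1)]


def human_like_intervals(n_chars, rng):
    """Constructed human trace (assumption): right-skewed log-normal gaps with a
    median near 150 ms, capped at 4 s to stand in for an occasional pause."""
    return [min(rng.lognormvariate(5.0, 0.5), 4000.0) for _ in range(n_chars - 1)]


def typing_features(intervals_ms):
    """Summarise a sequence of inter-keystroke gaps (milliseconds)."""
    fast = sum(1 for gap in intervals_ms if gap < FAST_GAP_MS)
    return {
        "mean_ms": statistics.fmean(intervals_ms),
        "min_ms": min(intervals_ms),
        "fast_fraction": fast / len(intervals_ms),
    }


def is_scripted_typing(intervals_ms):
    """Return (flagged, reasons). Uniform 0.3-3 s delays defeat a naive
    'was it pasted?' check but never produce the fast bursts real typing has,
    and they stretch a short password over tens of seconds."""
    if len(intervals_ms) < MIN_INTERVALS:
        return False, ["insufficient data"]
    feats = typing_features(intervals_ms)
    reasons = []
    if feats["fast_fraction"] < FAST_FRACTION_FLOOR:
        reasons.append("no fast keystrokes (min gap %.0f ms)" % feats["min_ms"])
    if feats["mean_ms"] > MEAN_CEILING_MS:
        reasons.append("mean gap %.0f ms is too long" % feats["mean_ms"])
    return bool(reasons), reasons


def demo(seed=7, n_chars=16):
    """Score one constructed human trace and one Herodotus-style trace."""
    rng = random.Random(seed)
    return {
        "human": is_scripted_typing(human_like_intervals(n_chars, rng)),
        "herodotus": is_scripted_typing(herodotus_like_intervals(n_chars, rng)),
    }


if __name__ == "__main__":
    for label, (flagged, reasons) in demo().items():
        print(f"{label:10s} flagged={flagged} {reasons}")
```

The signal only exists if the banking app's anti-fraud SDK records per-character input timing on the device; a server that sees only the submitted form cannot tell a Herodotus session from a slow typist. Production behavioral biometrics use richer features (digraph timing, touch pressure, device motion), but the point of the snippet is that a floor of 300 ms and a uniform spread is itself a fingerprint of a script, not of a person.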

Herodotus is distributed via smishing, i.e. SMS messages carrying malicious links that lead to a "dropper", software that downloads and installs the actual malware. This dropper, written by the same developer, is designed to bypass the restrictions that Android 13 and later place on sideloaded apps and to guide the victim through enabling the accessibility service the trojan needs in order to function.
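Because the dropper's whole job is to get an accessibility service switched on, a useful check on a suspect device is to list which apps currently hold that access. The following Python snippet is an added example (not from the article, ThreatFabric or Android's own tooling): it parses the value of the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` prints as colon-separated `package/ServiceClass` entries, and flags every package that is not on an allowlist. The allowlist, the sample value and the placeholder package `com.example.safebank` are constructed for the example.

```python
# Example allowlist (assumption): packages expected to hold accessibility
# access on the audited device. TalkBack is Google's screen reader.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(raw):
    """Parse the value of the secure setting `enabled_accessibility_services`.

    It is 'null' (or empty) when nothing is enabled; otherwise a
    colon-separated list of flattened component names, 'pkg/Class' or
    'pkg/.RelativeClass'. Returns (package, fully qualified class) pairs.
    """
    raw = (raw or "").strip()
    if not raw or raw == "null":
        return []
    services = []
    for item in raw.split(":"):
        item = item.strip()
        if "/" not in item:
            continue  # malformed entry: skip it rather than abort the audit
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class name
        services.append((pkg, cls))
    return services


def unexpected_services(raw, allowlist=ALLOWED_ACCESSIBILITY_PACKAGES):
    """Every enabled accessibility service whose package is not allowlisted."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in allowlist]


# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# could print on a device where TalkBack and a sideloaded "bank" app both hold
# accessibility access. The second package name is a placeholder.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.safebank/.OverlayAccessibilityService"
)

if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

A hit is the start of incident handling, not the end: revoking the service and uninstalling the app does not recover credentials or codes already relayed to the operator, so the account password and the bank should be dealt with next.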

Herodotus also integrates technical solutions already known from the Brokewell banking malware, such as strings encrypted in native code and decrypted only at runtime, which makes the malware harder to detect and analyze. Noting these similarities with Brokewell, the ThreatFabric researchers who discovered Herodotus explained in their report:

(Herodotus) is under active development, borrows techniques long associated with the Brokewell banking trojan, and appears to have been specifically designed to persist within live sessions rather than simply stealing static credentials, and focus on Account Takeover. One distinctive capability, randomizing time intervals between text inputs, likely aims to mimic human behavior accurately enough to bypass bot and automation detection, session heuristics and some behavioral biometrics.

How to defend yourself from Herodotus banking malware

Given the danger posed by this new threat, it is essential to pay maximum attention to a few simple but effective defensive measures, such as those listed below:

  • Do not install applications from unofficial sources: limit downloads to the Google Play Store.
  • Do not open suspicious links received via SMS, instant messaging, e-mail, etc.
  • Install system updates promptly, as well as the updates available for the apps installed on the device and the security software in use, thus reducing the attack surface and the chance of infection by sophisticated malware such as Herodotus.