
Cybersecurity researchers have revealed details of a new Android banking Trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to carry out device takeover (DTO) attacks.
“Herodotus is designed to perform device takeover while mimicking human behavior and making initial attempts to evade biometric detection of actions,” ThreatFabric said in a report shared with The Hacker News.
According to the Dutch security firm, the Trojan was first advertised on underground forums on September 7, 2025, under a malware-as-a-service (MaaS) model, with the seller touting its ability to run on devices running Android versions 9 through 16.

The malware has been assessed not to be a direct evolution of another banking Trojan known as Brokewell, but it appears to have incorporated parts of it to build a new family. Evidence for this includes similarities in the obfuscation techniques used, as well as direct references to Brokewell inside Herodotus (such as the string “BRKWL_JAVA”).

Herodotus is also the latest in a long list of Android malware that abuses accessibility services to achieve its goals. It is distributed through SMS phishing and other social engineering tactics via a dropper app (package name com.cd3.app) disguised as Google Chrome. Once installed, it takes advantage of accessibility features to manipulate the screen, draw opaque overlay screens that hide malicious activity from the victim, and steal credentials by displaying fake login screens on top of financial apps.
It can also intercept two-factor authentication (2FA) codes sent via SMS, capture everything displayed on the screen, grant itself additional permissions as needed, obtain the device's lock screen PIN or pattern, and install additional APK files fetched remotely.

What sets this new malware apart, however, is its attempt to make its fraud look human and evade timing-based detection. Specifically, it includes an option to introduce a random delay when performing a remote action such as entering text on the device. According to ThreatFabric, this is an attempt by the threat actors to make the input appear to come from a real user rather than from automation.

“The specified delay ranges from 300 to 3000 milliseconds (0.3 to 3 seconds). Such randomization of delays between text input events is consistent with how users enter text. By consciously delaying input at random intervals, attackers may be attempting to avoid detection by behavioral-only anti-fraud solutions that discover machine-like speeds of text input.”
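To make the detection-evasion point concrete, the following is an added example written for this article; it is neither ThreatFabric's code nor anything recovered from Herodotus. It simulates three kinds of credential entry (a fixed-delay bot, a Herodotus-style uniform jitter of 300 to 3000 ms as reported, and a constructed human-like sample) and runs them through a speed-only check and a check on the shape of the timing distribution. The thresholds (150 ms median, 300 ms "fast key", 12-key minimum) and the human sample are assumptions chosen for illustration, not values taken from any anti-fraud product.

```python
"""Added example (not ThreatFabric's code and not Herodotus source): why uniform
random inter-keystroke delays defeat a speed-only behavioural check, and one
distribution-shape check that still separates these constructed samples."""
import random
import statistics

# Range reported for Herodotus' input jitter: 300 to 3000 ms between text events.
DELAY_MIN_MS = 300
DELAY_MAX_MS = 3000

# Detector parameters. These are assumptions for illustration, not values used by
# any real anti-fraud product.
MACHINE_SPEED_MEDIAN_MS = 150   # median gap below this looks like scripted input
FAST_KEY_MS = 300               # humans routinely produce gaps shorter than this
MIN_KEYS = 12                   # do not judge the distribution on tiny samples

# Constructed stand-in for a person typing a credential (ms between keystrokes):
# mostly 100-300 ms with a few longer pauses. Not measured data.
HUMAN_SAMPLE_MS = [180, 240, 120, 310, 95, 210, 160, 640,
                   130, 220, 175, 290, 110, 205, 150, 480]


def naive_bot_intervals(n, delay_ms=50):
    """Classic automation: the same short delay before every injected character."""
    return [delay_ms] * n


def herodotus_style_intervals(n, seed=7):
    """Delays drawn uniformly from 300..3000 ms, the range the report describes.
    The seed only makes the sample reproducible; every property checked below
    holds for any seed because the bounds are fixed."""
    rng = random.Random(seed)
    return [rng.randint(DELAY_MIN_MS, DELAY_MAX_MS) for _ in range(n)]


def speed_only_flag(intervals_ms):
    """A behavioural check that only asks 'is this typed too fast for a human?'."""
    return statistics.median(intervals_ms) < MACHINE_SPEED_MEDIAN_MS


def fast_fraction(intervals_ms):
    """Share of inter-keystroke gaps shorter than FAST_KEY_MS."""
    return sum(1 for d in intervals_ms if d < FAST_KEY_MS) / len(intervals_ms)


def classify(intervals_ms):
    """Combine the speed check with a shape check.

    A jitter window with a hard 300 ms floor never produces a single fast
    keystroke, which is itself unusual over a dozen or more keys. Returns one of
    'machine-speed', 'no-fast-keystrokes' or 'unremarkable'.
    """
    if speed_only_flag(intervals_ms):
        return "machine-speed"
    if len(intervals_ms) >= MIN_KEYS and fast_fraction(intervals_ms) == 0.0:
        return "no-fast-keystrokes"
    return "unremarkable"


def demo(n_keys=16):
    """Run all three samples through both checks; returns {name: (speed_flag, class)}."""
    samples = {
        "fixed-delay bot": naive_bot_intervals(n_keys),
        "Herodotus-style jitter": herodotus_style_intervals(n_keys),
        "constructed human": HUMAN_SAMPLE_MS[:n_keys],
    }
    return {name: (speed_only_flag(iv), classify(iv)) for name, iv in samples.items()}


if __name__ == "__main__":
    for name, (flagged, verdict) in demo().items():
        print(f"{name:24s} speed-only flag={flagged!s:5s} combined={verdict}")
```

The speed-only check catches the fixed-delay bot and nothing else, which is exactly the gap the randomized delay is designed to exploit. The shape check works here only because the reported jitter has a hard 300 ms floor; an operator who lowers that floor would defeat it too, so the practical lesson is that typing speed on its own is a weak signal and should be combined with non-timing indicators such as an active accessibility service or an overlay drawn over the banking app. Note also the cost the attacker pays: with a mean delay of 1650 ms, a 16-keystroke entry takes about 26 seconds, which is slow by human standards and is another feature a session-level model can use.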
ThreatFabric said it also obtained an overlay page used by Herodotus that targets financial institutions in the US, Turkey, the UK, and Poland, as well as cryptocurrency wallets and exchanges, indicating that the operator is actively looking to expand beyond Italy and Brazil.
“It is in active development, borrows technology long associated with the Brokewell banking Trojan, and appears to be built to persist within live sessions, rather than simply stealing static credentials and focusing on account takeover,” the company said.
