Herodotus: A New Android Banking Trojan Mimicking Human Behavior to Evade Detection

Cybersecurity researchers have uncovered a sophisticated new Android banking trojan known as Herodotus, actively targeting users in Italy and Brazil with device takeover (DTO) attacks. The malware, first analyzed by Dutch security firm ThreatFabric, demonstrates an evolving trend in mobile cybercrime—using artificial mimicry of human behavior to bypass biometric and behavioral security systems.
Discovery and Distribution
Herodotus first surfaced on underground forums on September 7, 2025, where it was marketed under the malware-as-a-service (MaaS) model. This approach enables less technically skilled criminals to rent the malware and deploy it at scale. The trojan is compatible with Android versions 9 through 16, expanding its reach across both older and newer devices.
The malware is typically distributed via malicious dropper apps disguised as legitimate applications—most notably as Google Chrome (package name com.cd3.app). Victims are lured into installing these apps through SMS phishing or social engineering, after which Herodotus silently activates and gains system-level privileges through Android accessibility service abuse.
Technical Capabilities
Once installed, Herodotus exploits accessibility permissions to take full control of the infected device. Its functions include:
- Overlay Attacks: Displaying fake login screens over legitimate banking or cryptocurrency apps to steal credentials.
- 2FA Interception: Capturing SMS-based two-factor authentication codes.
- Screen Hijacking: Recording all on-screen activity and content.
- Privilege Escalation: Automatically granting itself additional permissions.
- Lockscreen Capture: Extracting device PINs or unlock patterns.
- Remote Installation: Downloading and executing malicious APK files.
These features enable attackers to perform real-time device takeovers, facilitating fraudulent transactions and unauthorized account access without alerting users.
Mimicking Human Behavior
Herodotus’s most innovative feature lies in its human-like interaction simulation. To avoid detection by behavioral biometrics systems, the malware introduces randomized delays—ranging from 300 to 3,000 milliseconds—between actions such as keystrokes or screen taps. This mimics genuine human typing patterns, effectively defeating anti-fraud tools that flag robotic or automated input speeds.
ThreatFabric researchers describe this as a major step forward in the evolution of Android-based financial malware, noting that such techniques allow Herodotus to appear indistinguishable from legitimate user activity.
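The randomized 300 to 3,000 ms delay described above is meant to defeat anti-fraud checks that only look for machine-speed input. From the defender's side, though, a uniformly random delay has its own signature: no gap ever falls below the window's floor, and the gaps spread evenly across the window rather than clustering the way human keystrokes do. The following script is an added illustration, not code from the article or from ThreatFabric; it takes input-event timestamps and separates near-constant (robotic) spacing, window-bounded random spacing, and everything else. The thresholds, the assumptions about human typing (many gaps well under 300 ms, occasional long pauses), and the sample timestamps are all constructed for the example.

```python
"""Timing-based check for scripted input (added illustration, not the article's code).

Profiles returned by classify():
  "robotic"        near-constant spacing, the pattern simple automation produces
  "uniform-delay"  every gap inside a fixed window and spread evenly across it, which is
                   what a random 300-3,000 ms delay (the article's figure) looks like
  "human-like"     anything else
"""
from __future__ import annotations
from itertools import accumulate
from statistics import fmean, pstdev
from typing import Sequence

MIMIC_MIN_MS = 300        # lower edge of the delay window reported for Herodotus
MIMIC_MAX_MS = 3000       # upper edge of that window
MIN_GAPS = 6              # assumption: fewer gaps than this gives no usable signal
ROBOTIC_CV = 0.10         # assumption: coefficient of variation below this is machine-like
SPREAD_FRACTION = 1 / 3   # assumption: gaps must span at least a third of the window


def intervals(timestamps_ms: Sequence[int]) -> list[int]:
    """Inter-event gaps in ms; the event clock must be non-decreasing."""
    gaps = [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]
    if any(g < 0 for g in gaps):
        raise ValueError("timestamps must be non-decreasing")
    return gaps


def timing_profile(gaps: Sequence[int]) -> dict:
    """Summary statistics the classifier decides on."""
    mean = fmean(gaps)
    return {
        "cv": pstdev(gaps) / mean if mean else 0.0,
        "fast_fraction": sum(g < MIMIC_MIN_MS for g in gaps) / len(gaps),
        "in_window": all(MIMIC_MIN_MS <= g <= MIMIC_MAX_MS for g in gaps),
        "spread_ms": max(gaps) - min(gaps),
    }


def classify(timestamps_ms: Sequence[int]) -> str:
    gaps = intervals(timestamps_ms)
    if len(gaps) < MIN_GAPS:
        return "insufficient-data"
    p = timing_profile(gaps)
    if p["cv"] < ROBOTIC_CV:
        return "robotic"
    # No human-speed gaps at all, every gap inside the window, and the gaps spread
    # across a large part of it: the shape a uniform random delay produces.
    if (p["fast_fraction"] == 0.0 and p["in_window"]
            and p["spread_ms"] >= (MIMIC_MAX_MS - MIMIC_MIN_MS) * SPREAD_FRACTION):
        return "uniform-delay"
    return "human-like"


def from_gaps(start_ms: int, gaps: Sequence[int]) -> list[int]:
    """Build an event timestamp list from a gap sequence (used for the constructed samples)."""
    return list(accumulate(gaps, initial=start_ms))


# Constructed samples, not captured traffic.
HUMAN_TS = from_gaps(1000, [120, 95, 210, 80, 640, 130, 110, 95, 1800, 140])
ROBOT_TS = from_gaps(1000, [50] * 10)
MIMIC_TS = from_gaps(1000, [412, 2710, 987, 1543, 2205, 655, 1890, 3000, 301, 1222])

if __name__ == "__main__":
    for name, ts in (("human", HUMAN_TS), ("robot", ROBOT_TS), ("mimic", MIMIC_TS)):
        print(f"{name:6s} -> {classify(ts)}  {timing_profile(intervals(ts))}")
```

A deliberately slow typist could also produce no gaps under 300 ms, so in a real fraud engine this would be one scoring feature combined with others (device attestation, session context, accessibility-service state) rather than a verdict on its own.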
Global Expansion and Future Risks
While initial attacks have focused on Italy and Brazil, Herodotus’s operators have also developed overlay templates targeting financial institutions in the United States, Turkey, the United Kingdom, and Poland, as well as cryptocurrency wallets and exchanges. This indicates a rapid expansion beyond its initial geographic focus.
ThreatFabric concludes that Herodotus is actively evolving and appears purpose-built for persistence within live banking sessions, marking a shift from traditional data theft toward sustained, interactive financial fraud.
Key Takeaway
Herodotus exemplifies a new generation of mobile banking malware that fuses social engineering, automation, and behavioral mimicry to bypass conventional defenses. Users and organizations alike should enforce stricter app verification policies, implement multi-layered fraud detection, and monitor for anomalous accessibility activity on Android devices.
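One concrete form of "monitor for anomalous accessibility activity" is to check which apps hold an enabled accessibility service and whether those apps came from a trusted store. The script below is an added example, not tooling from the article or from ThreatFabric. It parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`), flags any accessibility service outside an allowlist, and raises the severity when the package is sideloaded or matches the dropper package name the article reports (com.cd3.app). The allowlist, severity rules, the `.AccessService` class name and the sample device output are this example's own assumptions.

```python
"""Audit of Android accessibility services and sideloaded packages (added example,
not the article's or ThreatFabric's tooling).  Works on the text printed by:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
"""
from __future__ import annotations
import re
import subprocess

KNOWN_DROPPER_PACKAGES = {"com.cd3.app"}        # from the article: fake "Google Chrome"
ACCESSIBILITY_ALLOWLIST = {                      # assumption: what the org has approved
    "com.google.android.marvin.talkback",        # Google's TalkBack screen reader
}
TRUSTED_INSTALLERS = {"com.android.vending"}     # Google Play

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_accessibility_services(raw: str) -> list[str]:
    """Colon-separated 'package/.ServiceClass' components; 'null' or empty means none."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def parse_package_list(raw: str) -> dict[str, str | None]:
    """Map package -> installer package; None when sideloaded or preinstalled."""
    result: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def audit(services_raw: str, packages_raw: str) -> list[dict]:
    """One finding per enabled accessibility service that is not on the allowlist."""
    installers = parse_package_list(packages_raw)
    findings = []
    for component in parse_accessibility_services(services_raw):
        pkg = component.split("/", 1)[0]
        if pkg in ACCESSIBILITY_ALLOWLIST:
            continue
        reasons = ["accessibility service not on allowlist"]
        if pkg in KNOWN_DROPPER_PACKAGES:
            reasons.append("package name matches reported Herodotus dropper")
        if installers.get(pkg) not in TRUSTED_INSTALLERS:
            reasons.append("package not installed from a trusted store")
        findings.append({
            "component": component,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


def audit_device(serial: str | None = None) -> list[dict]:
    """Run the two adb commands against a connected device and audit their output."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    services = subprocess.run(base + ["settings", "get", "secure", "enabled_accessibility_services"],
                              capture_output=True, text=True, check=True).stdout
    packages = subprocess.run(base + ["pm", "list", "packages", "-i"],
                              capture_output=True, text=True, check=True).stdout
    return audit(services, packages)


# Constructed sample output, not taken from a real device.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.cd3.app/.AccessService"
    ":com.example.approved/.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.cd3.app  installer=null
package:com.example.approved  installer=com.android.vending
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f["severity"].upper(), f["component"], "; ".join(f["reasons"]))
```

On a managed fleet the same two values are available through MDM device inventory, so the audit() function can be fed from there instead of adb; the useful signal is the combination of an unexpected accessibility service and an installer other than the store, which is exactly what a sideloaded dropper leaves behind.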

