New Android trojan tries to act human to steal your money

A newly discovered Android trojan named Herodotus is using human-like behavior to trick banks’ security systems and drain user accounts.

Instead of acting like typical malware that operates at computer speed, Herodotus deliberately imitates people by pausing between keystrokes, varying input timing, and interacting with on-screen elements just slowly enough to seem human.

Researchers say this design allows it to bypass fraud detection systems that rely on behavioral patterns to spot automated attacks.

Tracked by the Dutch cybersecurity firm ThreatFabric, the malware is being sold as a Malware-as-a-Service (MaaS) by an operator using the alias “K1R0.” It targets Android versions 9 through 16 and is designed to let criminals take full control of infected phones.

ThreatFabric said the trojan has been advertised on underground forums and bundled with tools meant to attract financially motivated attackers interested in device takeover campaigns.

Herodotus stands out for focusing on session persistence and behavioral evasion rather than simply stealing login credentials. Like many modern banking trojans, it allows an attacker to stream the victim’s screen, create deceptive overlays, and abuse Android’s accessibility features to issue commands in real time.

What makes it unusual, researchers say, is an added function that randomizes how it types. The malware inserts pauses of varying lengths between keystrokes -sometimes lasting several seconds – to mimic natural typing speed and rhythm. This tactic helps it avoid detection systems that flag uniform or instantaneous inputs as automated activity.

Analysts believe Herodotus borrows some code and techniques from older families such as Brokewell, but that it incorporates new modules built specifically to imitate human behavior.

After infecting a device, it inventories installed apps, communicates with a command-and-control server, and receives a list of financial or cryptocurrency targets. When the victim opens one of those apps, Herodotus can overlay fake login screens, stream the display to the attacker, and enter data in ways that appear indistinguishable from normal user activity.

The malware spreads through sideloaded apps, text messages that lead to malicious downloads, and dropper programs posing as legitimate utilities. Campaigns have been confirmed in Italy and Brazil, though researchers caution that these countries likely represent early sightings rather than the full scope of infections.

Herodotus challenges a core belief in fraud detection that automated attacks can always be separated from human behavior. Many financial institutions rely on behavioral biometrics such as typing rhythm, touch pressure, and swipe patterns to identify bots.

Herodotus undermines that strategy by introducing random pauses, varying motion timing, and avoiding shortcuts like pasting text. Fraud detection systems that depend too heavily on a single behavioral signal may fail to recognize its presence.

That does not render behavioral analytics obsolete, but experts warn they must be combined with other defenses. Device attestation, integrity checks, and monitoring for unusual use of accessibility services are all critical indicators that can reveal compromise.

Trojans like Herodotus exploit Android’s accessibility framework to automate interactions that normally require human input, so any unexplained activation of those permissions should raise an immediate red flag.

The trojan also exposes a long-standing flaw in financial app design that allows users to log in and approve transactions on the same device. When that device is compromised, attackers can take control of active sessions and intercept or generate one-time passwords sent by text message.

Security experts recommend adopting hardware-based authenticators and out-of-band verification methods that confirm high-risk transactions on a different device.

Developers can take additional steps to harden their apps by minimizing what users can see when an app is backgrounded, restricting WebView elements for sensitive data entry, and adding telemetry to detect overlays or unexpected accessibility grants.

Consumers, meanwhile, should be cautious about installing apps from outside the Play Store and should decline accessibility permissions unless absolutely necessary.

Mobile security vendors are racing to issue detections for Herodotus, but researchers note that as with other MaaS tools, variants are likely to evolve quickly, making behavioral and network-based detection equally important.

The emergence of Herodotus underscores how professionalized mobile cybercrime has become. Selling malware as a subscription service lowers the technical barrier for criminals while increasingly sophisticated feature sets make detection harder.

Instead of relying solely on brute-force automation, threat actors are investing in stealth features that intentionally produce fewer alerts, forcing defenders to spend more on layered monitoring.

So far there are no confirmed large-scale thefts linked to Herodotus, but analysts say its capabilities are advanced enough to enable them. They warn that the time between disclosure and widespread criminal adoption is shrinking, meaning organizations should prepare now for similar attacks.

Herodotus illustrates how attackers continue to learn from defenders. As financial institutions refine their behavioral models, malware developers are programming their tools to mimic the quirks those models look for.

For users, they should install software only from trusted sources, question unexpected messages or links, and use authentication methods that cannot be hijacked from the same device. For institutions, the challenge is to tie behavioral trust to verified device health rather than behavior alone.

Article Topics

Android  |  behavioral biometrics  |  cybersecurity  |  financial services  |  Herodotus  |  malware