A Trojan ready for use in campaigns around the world
Greg Sirico • October 28, 2025
A new banking Trojan can foil basic behavioral detection systems that look for machine behavior by introducing random pauses meant to mimic human users, mobile security researchers warn.
The Android malware, advertised as “Herodotus” by its apparent developer on cybercrime forums, injects a random pause of up to three seconds every time a hacker bypasses an infected device’s keyboard to enter account credentials.
Hackers prefer to use Android accessibility services to paste text rather than engage in hands-on remote keyboard sessions, where poor connections, a misaligned screen image, or fat fingers can introduce errors. But tapping into accessibility services or using the device’s clipboard to paste in credentials “can look suspicious and machine-like, raising questions about whether there is an actual user interacting with the app and entering the data,” say researchers at fraud detection company ThreatFabric.
Herodotus’ solution is a built-in random delay of between 0.3 and three seconds, intended to keep the insertion of credentials from triggering behavioral detection systems that look for machine-like text entry speed.
Next-generation behavioral biometrics systems that model individual user behavior would likely still detect Trojan behavior, ThreatFabric wrote. But the delay can influence the outcome at systems that rely on simpler indicators such as entry timing.
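To make the distinction in the previous paragraph concrete, here is an added Python example (written for this page; it is not ThreatFabric’s analysis code and contains nothing from the malware) that runs two detectors over the same inter-character timing data: a naive entry-speed threshold, and a per-user profile of the kind a behavioral biometrics system would enroll. All timing samples are constructed, the assumption that the random pause is applied between each injected character is mine, and the thresholds (0.05 s mean gap, mean absolute z-score of 3.0) are illustrative.

```python
"""Constructed example (not ThreatFabric's or Herodotus' code): why an
entry-speed threshold is fooled by randomized delays while a per-user
timing profile is not.  All sample timings below are constructed."""
import statistics

# Constructed: inter-character gaps (seconds) recorded while a genuine
# user typed the same password on three earlier logins.  This is the
# enrolled profile a behavioral biometrics system would build.
ENROLLED_SESSIONS = [
    [0.18, 0.22, 0.35, 0.19, 0.21, 0.48, 0.20, 0.24],
    [0.17, 0.23, 0.33, 0.20, 0.22, 0.45, 0.19, 0.25],
    [0.19, 0.21, 0.36, 0.18, 0.23, 0.50, 0.21, 0.23],
]

# Constructed: a fresh login by the same user, with the usual small drift.
GENUINE_LOGIN = [0.18, 0.24, 0.34, 0.19, 0.22, 0.47, 0.20, 0.24]

# Constructed: credentials pasted in one shot through an automation API,
# which shows up as near-zero gaps between characters.
INSTANT_PASTE = [0.0] * 8

# Constructed: the same paste with a random 0.3-3 s pause added before
# each character, the evasion the article describes (assumed here to
# apply per character).
JITTERED_PASTE = [1.9, 0.4, 2.7, 0.9, 1.2, 2.3, 0.5, 1.7]


def speed_check(gaps, min_mean_gap=0.05):
    """Naive detector: flag the entry as machine-like when the average
    gap between characters is below a fixed threshold.
    Returns True when the entry is flagged."""
    return statistics.fmean(gaps) < min_mean_gap


def build_profile(sessions, min_tolerance=0.02):
    """Per-user model: for each character position, the mean gap and a
    tolerance (sample standard deviation, floored so a very consistent
    user does not produce a zero divisor)."""
    profile = []
    for position_gaps in zip(*sessions):
        mean = statistics.fmean(position_gaps)
        tol = max(statistics.stdev(position_gaps), min_tolerance)
        profile.append((mean, tol))
    return profile


def profile_check(profile, gaps, max_mean_z=3.0):
    """Profile-based detector: average absolute z-score of the observed
    gaps against the enrolled profile.  Random delays move every gap far
    from this user's rhythm, so they raise the score instead of hiding it.
    Returns True when the entry is flagged."""
    if len(gaps) != len(profile):
        return True  # wrong length: cannot be the enrolled pattern
    z_scores = [abs(g - mean) / tol for g, (mean, tol) in zip(gaps, profile)]
    return statistics.fmean(z_scores) > max_mean_z


def evaluate():
    """Run both detectors over the three constructed samples."""
    profile = build_profile(ENROLLED_SESSIONS)
    samples = {
        "genuine": GENUINE_LOGIN,
        "instant_paste": INSTANT_PASTE,
        "jittered_paste": JITTERED_PASTE,
    }
    return {
        name: {
            "speed_flag": speed_check(gaps),
            "profile_flag": profile_check(profile, gaps),
        }
        for name, gaps in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15s} speed_flag={verdict['speed_flag']!s:5} "
              f"profile_flag={verdict['profile_flag']}")
```

The speed threshold flags only the instant paste; the jittered paste passes it exactly as the article describes. The per-user profile flags both automated samples while accepting the genuine login, because randomizing the pauses does not reproduce the enrolled user’s rhythm, it replaces it. A production system would model digraph timings across many more sessions and use a calibrated anomaly score, but the principle is the same.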
In other respects, Herodotus is very similar to the many other banking Trojans offered in the cybercriminal underground. Distribution is done by sideloading apps, likely triggered by smishing messages containing a link to a dropper. The malware takes advantage of accessibility services in the Android operating system – a long-used feature designed to make applications usable through screen readers or touch event handlers. Because accessibility services carry high-level permissions, cybercriminals trick victims into granting them to malicious apps.
The Herodotus app also displays fake banking login overlays to capture credentials and includes an SMS stealer to intercept one-time passcodes.
When reverse engineering Herodotus, ThreatFabric researchers found an overlap with another banking Trojan called Brokewell, which ThreatFabric discovered in April 2024. Herodotus’ developers invoke a Brokewell module, but only in a very limited way, suggesting that they had access to an already compiled Brokewell module rather than its source code.
The app is active in Italy and Brazil, although its developer lists it as still in development on cybercrime forums. Code analysis shows overlay pages for financial organizations in the US, UK, Poland, and Turkey, as well as crypto wallets and exchanges. “We can expect Herodotus to evolve further and be widely used in global campaigns,” ThreatFabric said.