Herodotus Trojan for Android pretends to be human to avoid detection


A new Android banking Trojan called Herodotus takes mobile fraud to the next level by behaving like a human in order to slip past the automated systems designed to detect fraud. The malware, discovered by ThreatFabric researchers, can take control of a device and simulate human behavior in real time, such as entering bank details or sending a transaction confirmation, which makes the fraud harder for banks' automated detection and anti-abuse systems to spot.

What makes Herodotus different when it comes to evading detection

Most mobile Trojans give themselves away by acting too fast or too mechanically. Herodotus deliberately slows down. According to ThreatFabric, it inserts uneven pauses between keystrokes (around 0.3 to 3 seconds), performs realistic swipes and taps, and avoids the telltale rhythm of a script. The rhythm is meant to simulate a distracted human user, not a headless robot.

This takes direct aim at an emerging class of defenses known as behavioral biometrics, which examine patterns such as typing cadence, swipe height and touch pressure. When malware mimics these human patterns, tools that rely on input timing are more likely to misclassify the fraud as normal activity.

How Takeover Works to Compromise Android Devices

Herodotus is delivered via side-loaded droppers or smishing links and follows the typical banking-Trojan framework, with a human touch added on top. Once it lands on a device, the malware quickly requests Accessibility Services, a legitimate Android feature that, when misused by attackers, grants it the ability to read the screen, autofill forms and enter text.

From there, it relies on overlay attacks that place realistic fake login screens over the real ones in banking and wallet apps to capture credentials. It can intercept SMS messages to harvest one-time codes and reports the list of installed applications to its command server. When a target opens a financial application, operators can trigger the matching overlay or start a remote-control session that feels natural rather than mechanical.

Older Android Trojans frequently pasted text instantly or fired streams of taps at machine speed, making them easier to flag. Herodotus avoids this trap by introducing randomness, in an attempt to circumvent simple bot-detection heuristics.

Where it spreads and first campaigns observed

ThreatFabric's investigation uncovered campaigns in Italy and Brazil. In Italy the malware posed as “Banca Sicura”, and in Brazil as “Módulo Segurança Stone”. Operators are already selling the tool as malware-as-a-service, so expect copycat campaigns and rapid feature updates.

Why traditional controls can miss it during attacks

Banks and fintechs increasingly rely on signals such as how fast you type, how quickly you interact with your phone, and how long a session takes. Herodotus is designed to poison these signals. That puts more weight on telemetry from the device environment: is an accessibility service submitting click events? Is there an overlay on a financial application? Do network signals suggest someone is remotely pulling the strings?

Security teams will also need stricter attestation and execution controls. For example, Google’s Play Integrity API, SafetyNet successor frameworks, and Mobile Threat Defense SDKs let an app verify that it is running on a real, uncompromised device. Beyond device-side restrictions, server-side correlation of behavioral data with context (operating-system indicators, permission status, presence of overlays, and suspicious accessibility activity) should aim to minimize blind spots.
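The two-layer idea in this and the previous paragraph, as an added illustration that is not code from ThreatFabric or the article: a small Python scorer run over constructed login sessions, showing that a timing-only heuristic flags a crude bot but passes Herodotus-style randomized input, while device-environment flags (accessibility-driven input, an overlay on a banking app) still catch it. The session data, field names and thresholds are assumptions for the example.

```python
from statistics import mean, pstdev

# Constructed sample sessions (not real telemetry). Each has the gaps, in
# seconds, between consecutive keystrokes during a login, plus two
# device-environment flags. Field names and thresholds are assumptions.
SESSIONS = {
    # classic scripted bot: pastes/taps at machine speed, no variation
    "scripted_bot":   {"gaps": [0.05] * 8,
                       "accessibility_input": True, "overlay_on_banking_app": False},
    # Herodotus-style: random 0.3-3 s pauses, but input is driven through an
    # accessibility service with a fake login overlay on top of the banking app
    "herodotus_like": {"gaps": [0.4, 2.1, 0.9, 1.7, 0.3, 2.8, 1.2, 0.6],
                       "accessibility_input": True, "overlay_on_banking_app": True},
    # genuine user typing on a clean device
    "genuine_user":   {"gaps": [0.5, 0.8, 0.4, 1.1, 0.6, 0.7, 0.9, 0.5],
                       "accessibility_input": False, "overlay_on_banking_app": False},
}

def timing_score(gaps):
    """Speed/cadence heuristic of the kind Herodotus is built to defeat:
    very fast or near-constant keystroke gaps look machine-generated."""
    if mean(gaps) < 0.15 or pstdev(gaps) < 0.02:
        return 1.0
    return 0.0

def environment_score(session):
    """Device-side signals that randomized delays cannot hide. An accessibility
    service injecting input is suspicious but not conclusive (assistive tools
    use it too); an overlay sitting on a banking app is a stronger signal."""
    score = 0.0
    if session["accessibility_input"]:
        score += 0.6
    if session["overlay_on_banking_app"]:
        score += 0.6
    return min(score, 1.0)

def risk(session):
    """Take the strongest signal: either layer alone can flag the session."""
    return max(timing_score(session["gaps"]), environment_score(session))

def classify(session, threshold=0.5):
    return "suspicious" if risk(session) >= threshold else "normal"

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(f"{name:15} timing={timing_score(s['gaps']):.1f} "
              f"env={environment_score(s):.1f} -> {classify(s)}")
```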

The general trend is clear: as automated fraud becomes more sophisticated, the line between “bot” and “human-operated malware” blurs. Sophisticated Android bankers such as Anatsa, Xenomorph, and SharkBot, with their polished overlays and accessibility abuse, have shown where this trend is heading; Herodotus now adds a layer of “realism” aimed at detection driven by deeper signals.

What users can do now to reduce their mobile risks

Most victims are tricked into installing the wrong app or granting risky permissions. So do your due diligence: stick to trusted sources, keep Play Protect enabled (it is on by default), and don’t trust messages that ask you to install “security” or “banking” tools from a link. Open Settings and check which apps have Accessibility access, and remove anything you don’t recognize or don’t really need, including older software that has been left behind.

If you think your phone is compromised, uninstall all unknown apps, turn off accessibility access for everything except the tools you can’t live without, and run another security check. Contact your bank immediately, change your financial and email account passwords, and reset the device if suspicious activity persists.

The essentials on Herodotus and defending yourself

By making a bot act more like a person, Herodotus undermines defenses that focus on bot speed. That doesn’t make it unstoppable, but it does call for multi-level detection that monitors the device’s environment, not just the user’s movements. For consumers and banks alike, vigilance around accessibility abuse, overlays, and app provenance is now just as important as catching fast bots.

Image: zap3lon. Learn about the risk of sideloading from untrustworthy websites. While Google says that less than 1% of apps downloaded from its app store onto Android phones are infected with malware, the problem becomes more serious when you sideload apps, rushing to install a game or utility from an unknown developer without checking its source. Herodotus drives the point home by reminding us all that the safest app is the one you never installed.
