Cybersecurity experts are sounding the alarm about a new Android Trojan called Herodotus, designed to deliberately slow down its own malicious activity so that it mimics the irregular, imperfect behavior of a human user. This lets the malware evade a generation of security systems built to flag the fast, mechanical input of traditional automated bots.
Detected by security company Threat Fabric, Herodotus is a banking Trojan advertised and sold on underground cybercrime forums. Like the Brokewell malware discovered last year, Herodotus’ ultimate goal is financial fraud, which it achieves by abusing Android accessibility services to draw fake login overlays and steal credentials, and by intercepting one-time passcodes (OTPs) with an SMS stealer. Its real innovation, however, lies in the subtle art of deception: the timing of its inputs.
Herodotus gets around speed-based detection with a brilliant, if troubling, measure: it introduces a random delay. Each time the malware inserts credentials, it injects an unpredictable pause of between 0.3 and 3 seconds, which is enough to fool many basic detection systems that expect either impossibly fast input or a consistent, non-human pattern. The deliberate slowness is meant to suggest that an actual user, perhaps an elderly person or someone simply pausing while typing, is manually entering their login information.
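The following Python example is added here to illustrate the detection gap the article describes; it is not code from the article or from Threat Fabric, and it does not reproduce any malware. All timing samples are constructed: a fast scripted bot, an ordinary typist, a slow but steady typist, and a sequence of pauses drawn from the 0.3 to 3 second range the article attributes to Herodotus. It shows that a naive "too fast to be human" check passes the randomized pauses, and then applies an assumed second heuristic (many long pauses combined with a wide spread between them) that a defender might layer on top. The heuristic and its thresholds are hypothetical choices for this example, not a published detection rule.

```python
from typing import Dict, List

# Constructed samples of inter-keystroke intervals, in seconds, for a 12-character field.
SCRIPTED_INTERVALS: List[float] = [0.01] * 12                  # traditional bot: instant input
HUMAN_INTERVALS: List[float] = [0.18, 0.22, 0.35, 0.19, 0.41, 0.28,
                                0.24, 0.52, 0.21, 0.30, 0.26, 0.19]
SLOW_HUMAN_INTERVALS: List[float] = [1.2, 1.4, 1.1, 1.3, 1.5, 1.2,
                                     1.0, 1.4, 1.1, 1.3, 1.2, 1.1]  # slow but steady typist
# Constructed to mimic the article's description: random pauses between 0.3 and 3 seconds.
HERODOTUS_STYLE_INTERVALS: List[float] = [2.1, 0.4, 1.7, 2.9, 0.8, 1.3,
                                          2.5, 0.6, 1.9, 0.35, 2.2, 1.1]


def naive_speed_check(intervals: List[float], min_human_interval: float = 0.05) -> str:
    """Basic detector: flag input as automated if any interval is faster than a person could type.

    This is the class of check the article says Herodotus evades, since every
    injected pause is far above the minimum.
    """
    return "automated" if min(intervals) < min_human_interval else "human"


def interval_stats(intervals: List[float], long_pause: float = 1.0) -> Dict[str, float]:
    """Summarize a timing sequence: share of long pauses and the spread between pauses."""
    long_fraction = sum(1 for t in intervals if t >= long_pause) / len(intervals)
    return {
        "long_fraction": long_fraction,
        "spread": max(intervals) - min(intervals),
    }


def erratic_long_pause_check(intervals: List[float],
                             min_long_fraction: float = 0.5,
                             min_spread: float = 1.5) -> bool:
    """Assumed heuristic (not a published rule): flag sequences where more than half
    the pauses are long AND the pauses vary widely, which is what uniformly random
    delays spanning 0.3 to 3 s look like. A slow but steady typist has long pauses
    with little spread and is not flagged; a genuinely erratic person still could be.
    """
    stats = interval_stats(intervals)
    return stats["long_fraction"] > min_long_fraction and stats["spread"] > min_spread


def classify(intervals: List[float]) -> str:
    """Layer the naive speed check under the timing-shape heuristic."""
    if naive_speed_check(intervals) == "automated":
        return "automated: inhumanly fast input"
    if erratic_long_pause_check(intervals):
        return "suspicious: erratic long pauses"
    return "human-like"


if __name__ == "__main__":
    for name, sample in [("scripted bot", SCRIPTED_INTERVALS),
                         ("ordinary typist", HUMAN_INTERVALS),
                         ("slow typist", SLOW_HUMAN_INTERVALS),
                         ("Herodotus-style pauses", HERODOTUS_STYLE_INTERVALS)]:
        print(f"{name:24s} naive={naive_speed_check(sample):9s} layered={classify(sample)}")
```

Running the block shows the Herodotus-style sample passing the naive check as "human" while the layered check marks it suspicious, and the slow typist passing both. The point for a defender is the caveat, not the thresholds: input timing alone is a weak signal once an attacker randomizes it, so it belongs alongside signals the article also mentions, such as an accessibility service driving the login form or an overlay sitting on top of the banking app.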
Herodotus is allegedly distributed by tricking victims into downloading apps, often through smishing messages containing a link to a “dropper” app. Once installed, it tricks the user into granting the elevated permissions it requires, after which it can deploy its full suite of features.
Screenshot Credits: Threat Fabric