Herodotus is a novel Android banking Trojan designed to execute device takeover (DTO) attacks, notably targeting users in Italy and Brazil. Security researchers have highlighted its ability to actively mimic human behavior in its remote operations to successfully evade detection by behavioral biometrics solutions. The Trojan was first advertised in underground forums in September 2025, operating under a malware-as-a-service (MaaS) model and boasting compatibility with devices running Android versions 9 through 16. While not a direct descendant of the Brokewell banking malware, Herodotus appears to borrow significant techniques, including similarities in its obfuscation methods and even direct internal references (like “BRKWL_JAVA”) to the older strain.
This new malware continues a trend of Android threats by abusing accessibility services to achieve its objectives. It is being distributed through dropper apps, often masquerading as Google Chrome (package name “com.cd3.app”) and spread via SMS phishing or other social engineering tactics. Once installed, Herodotus leverages the accessibility feature to manipulate the screen, display opaque overlays to conceal its malicious activity, and steal credentials by presenting fake login screens over legitimate financial applications. Its capabilities extend to stealing two-factor authentication (2FA) codes intercepted via SMS, grabbing the device’s lockscreen PIN or pattern, logging everything shown on the screen, and installing additional remote APK files as needed.
What truly distinguishes Herodotus is its cunning strategy to humanize fraud and thus bypass timing-based security detections. The malware has an option to introduce randomized delays—ranging from 300 to 3,000 milliseconds (0.3 to 3 seconds)—when initiating remote actions like inputting text on the compromised device. This calculated feature is a conscious effort by the attackers to make the automated input appear as if it’s being entered by a genuine user. This randomization of input timing is aimed at deceiving anti-fraud solutions that look for the instantaneous, “machine-like” speed of automated text entry.
Beyond its current targets, analysis of overlay pages indicates that Herodotus operators are actively seeking to expand their reach, with targets identified across financial organizations in the U.S., Turkey, the U.K., and Poland, as well as various cryptocurrency wallets and exchanges. Researchers stress that the malware is in active development, employs techniques associated with the Brokewell Trojan, and seems specifically engineered to persist within live user sessions rather than simply performing static credential theft and basic account takeover.
These findings emerge as details surface about a different advanced Android threat called GhostGrab, which creates a “dual-revenue stream” for attackers by systematically harvesting banking credentials while simultaneously and covertly mining Monero cryptocurrency on infected devices, primarily targeting users in India. This malware, often disguised as a financial app, requests the REQUEST_INSTALL_PACKAGES permission to install its main payload without using the Google Play Store. The final payload demands a host of high-risk permissions to enable call forwarding, steal SMS data, and serve fake WebView pages that mimic a Know Your Customer (KYC) form to harvest sensitive personal data, including card details, ATM PINs, and government IDs.
Reference:
