Herodotus Android malware mimics human typing to evade detection

Threat Fabric researchers spotted Herodotus Android malware mimicking human typing with random delays to evade detection.

Threat Fabric found a new Android malware, named Herodotus, which mimics human typing by adding random delays to evade detection.

Herodotus allows operators to takeover devices and bypass behaviour biometrics detection, it is offered as a malware-as-a-service (MaaS).

The researchers observed active campaigns in Italy and Brazil.

Herodotus is a device-takeover banking Trojan sold by ‘K1R0’ and spread via sideloading through SMiShing. A dropper installs the app, asks users to enable Accessibility, and shows an overlay to hide the permission.

“After the installation of the payload, the dropper automatically starts Herodotus payload. It is further opening the Accessibility Service settings page, urging the victim to enable it. Once enabled, Herodotus launches a “block overlay”, mimicking a loading screen to hide the suspicious activity of granting all the necessary permissions.” reads the report published by Threat Fabric. “Following that, Herodotus is ready to perform credential stealing and further Device-Takeover fraud. “

The malware steals app lists, fetches overlays from C2, and captures credentials when victims open those apps. It mimics human behavior during remote-control sessions Operators phish creds.

The Android malware “humanizes” remote-control fraud to evade behavioral detection. It lets operators remotely click, swipe, and type on infected devices to steal money or credentials. Unlike older Trojans, Herodotus simulates realistic human typing by splitting input into single characters and adding random 0.3–3 second delays between keystrokes.

This makes automated actions appear natural and helps bypass basic anti-fraud systems that flag machine-like behavior. However, more advanced systems that model user-specific interaction patterns or classify malware versions can still detect these anomalies. Herodotus marks an evolution in banking malware, combining automation with human-like mimicry to evade detection during device takeover.

“We have seen examples where developers were pausing the execution of automated actions in order to wait for the UI to be updated (especially on old devices being slow in loading UI), however, there were no random delays as there is no necessity in randomness.” continues the report. “Thus, with high confidence we suspect that such a delay is an attempt to mimic human behaviour while automating the input of the text.”

The malware uses opaque “blocking” overlays to hide fraud from victims, including fake bank screens that stall users with messages like “verifying your credentials.” It supports full device takeover features: overlay attacks to capture logins, SMS theft for 2FA interception, Accessibility logging and screenshots. The malware’s operator panel exposes controls for human-like text input (a “Delayed text” option) plus many remote-control commands—functionality marketed in underground forums as MaaS.

Herodotus uses the MQTT protocol and the domain google-firebase.digital with several subdomains, indicating multiple operators and regional campaigns. The researchers found seven active subdomains and observed targeted waves in Italy (app named “Banca Sicura” connecting to af45kfx) and Brazil (masquerading as “Modulo Seguranca Stone” connecting to g24j5jgkid). Analysts also recovered overlay pages aimed at banks, exchanges and crypto wallets in the US, UK, Turkey and Poland. Reverse engineering reveals code and obfuscation overlaps with the Brokewell Android malware. Herodotus decrypts native strings on demand and dynamically loads a limited Brokewell module for clicking actions. That module lacks compatibility for full use, suggesting Herodotus developers may possess or adapt Brokewell source material in future. Herodotus remains in active development and likely to expand globally.

“The discovery of Herodotus, yet another Device-Takeover banking Trojan in an already threat-rich landscape, shows the growing popularity of these threats amongst cybercriminals, as well as commercial efficiency of Malware-as-a-Service “business model”, as Herodotus is already announced by the threat actors as a threat to rent.” concludes the report that provides Indicators of Compromise.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)