A New Android Threat Emerges
Herodotus, a newly discovered Android banking trojan, is making waves for its human-like behavior. Researchers recently found it targeting users in Italy and Brazil through active malware campaigns. The malware is designed to take over devices while imitating natural user actions, allowing it to bypass advanced anti-fraud systems. According to a report, Herodotus has been circulating in underground markets since September 2025 as part of a malware-as-a-service model. It supports Android versions 9 through 16, showing its wide compatibility and growing danger.
The Evolution and Design of Herodotus
Experts believe Herodotus is not a direct successor to previous malware families but shares strong similarities with older Android threats. For example, it reuses code patterns and obfuscation methods seen in previous trojans. Therefore, it inherits the capability to hide its activities and perform seamless device takeovers. The malware mainly spreads through fake dropper apps that pose as trusted browsers. These apps are often shared via SMS phishing and social engineering schemes, tricking users into installing them unknowingly.
How the Trojan Operates
Once installed, Herodotus abuses Android accessibility services to perform malicious actions. It can interact with the device screen, display fake login pages, and steal credentials. Additionally, it intercepts SMS messages to capture two-factor authentication codes. It can even view everything displayed on the screen, unlock the device, and install more malicious software remotely. However, what makes Herodotus stand out is its ability to simulate human typing. By adding random delays between keystrokes—ranging from 300 to 3,000 milliseconds—it mimics real user behavior. As a result, fraud detection systems that look for machine-speed input find it harder to recognize the activity as automated.
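The random 300 to 3,000 ms delays described above are meant to defeat detectors that only look for machine-speed input, but they leave a different footprint: genuine typing produces mostly sub-300 ms intervals with a skewed, non-uniform spread, whereas a delay drawn uniformly from a fixed window produces a flat distribution inside that window. The following added example (not code from the article or from any vendor it mentions) scores a session's inter-keystroke intervals against the reported delay window using a Kolmogorov-Smirnov distance to the uniform distribution. The sample intervals, the `MIN_SAMPLES`, `IN_WINDOW_FRACTION` and `KS_THRESHOLD` values, and the function names are all assumptions chosen for illustration.

```python
"""Heuristic detector for scripted keystroke timing.

Added example, not from the original article. Herodotus is reported to
insert random delays of 300 to 3,000 ms between keystrokes. Human typing
looks different: most inter-key intervals are well under 300 ms, with a
long-tailed, non-uniform spread. This module scores one session's
inter-keystroke intervals against the reported delay window.
"""
from typing import Dict, Sequence

# The window comes from the reported delay range; the thresholds below are
# assumptions for illustration, not tuned production values.
BOT_WINDOW_MS = (300, 3000)
MIN_SAMPLES = 10           # fewer keystrokes than this: no verdict
IN_WINDOW_FRACTION = 0.95  # nearly every interval inside the window
KS_THRESHOLD = 0.20        # close fit to a flat (uniform) distribution


def ks_distance_to_uniform(intervals: Sequence[float], lo: float, hi: float) -> float:
    """Kolmogorov-Smirnov distance between the sample and Uniform(lo, hi).

    0 means the empirical CDF matches a flat distribution on [lo, hi]
    exactly; values near 1 mean almost no sample mass lies in that window.
    """
    xs = sorted(intervals)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        cdf = min(max((x - lo) / (hi - lo), 0.0), 1.0)
        # The empirical CDF steps at x; compare both sides of the step.
        d = max(d, abs((i + 1) / n - cdf), abs(i / n - cdf))
    return d


def score_session(intervals_ms: Sequence[float]) -> Dict[str, object]:
    """Return timing features and a verdict for one input session."""
    lo, hi = BOT_WINDOW_MS
    n = len(intervals_ms)
    if n < MIN_SAMPLES:
        return {"samples": n, "flagged": False, "reason": "too few keystrokes"}
    in_window = sum(1 for t in intervals_ms if lo <= t <= hi) / n
    ks = ks_distance_to_uniform(intervals_ms, lo, hi)
    # Both conditions must hold: a human who pauses once produces a long
    # gap, but not a whole session of gaps spread evenly over the window.
    flagged = in_window >= IN_WINDOW_FRACTION and ks <= KS_THRESHOLD
    return {
        "samples": n,
        "in_window_fraction": round(in_window, 3),
        "ks_to_uniform": round(ks, 3),
        "flagged": flagged,
        "reason": "uniform random delays in bot window" if flagged else "looks human",
    }


# Constructed samples: milliseconds between consecutive keystrokes.
HUMAN_LIKE = [120, 95, 210, 140, 88, 310, 175, 130, 99, 450,
              160, 115, 205, 140, 92, 180, 260, 110, 135, 150]
SCRIPTED = [420, 2750, 1310, 980, 2210, 640, 1870, 2990, 350, 1540,
            760, 2430, 1120, 1690, 2050, 530, 2860, 1400, 890, 2600]

if __name__ == "__main__":
    for name, sample in (("human-like", HUMAN_LIKE), ("scripted", SCRIPTED)):
        print(name, score_session(sample))
```

On the constructed data the human-like session scores a KS distance near 0.95 with only a tenth of its intervals inside the window, while the scripted session lands near 0.10 with every interval inside it. Timing alone is one signal; an anti-fraud layer would combine it with others the article names, such as accessibility-service activity and overlay detection, and would expect operators to change the delay window once it is known.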
Expanding Global Targets
Researchers also found overlay pages linked to Herodotus targeting financial platforms in the U.S., the U.K., Turkey, and Poland. The trojan also aims at cryptocurrency wallets and exchanges, indicating that its operators are broadening their reach. Moreover, it is under continuous development and built to remain active during live sessions rather than only stealing static credentials. This adaptability suggests a focus on persistent access and ongoing financial exploitation.
Related Threats in the Wild
In a separate finding, another advanced malware named GhostGrab was observed targeting Android users in India. It steals banking data while secretly mining cryptocurrency, creating a dual source of profit for attackers. Like Herodotus, it disguises itself as a legitimate financial app and collects sensitive details such as ATM PINs, ID numbers, and card information. Both cases highlight how cybercriminals are evolving Android malware to bypass existing security layers.
How to Prevent Infection
Users should avoid installing apps from unknown sources or links received via text messages. Always verify an app’s legitimacy before installation and rely on built-in device protection tools. Organizations should also use continuous monitoring and endpoint protection to detect suspicious behavior early. For instance, advanced mobile threat detection and managed response services can help identify malicious scripts and phishing overlays before they cause harm. Regular awareness training for employees and users also strengthens overall defense against such social engineering attacks.